Microsoft Entra ID Rare Authentication Requirement for Principal User

Last updated: 2025-03-25
Created: 2025-03-10

About

Identifies sign-ins by Microsoft Entra ID principal users that carry an authentication requirement rarely seen for that user. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirement observed may not be one the user commonly uses, based on their historical sign-in activity.
Tags
Domain: Cloud, Data Source: Azure, Data Source: Microsoft Entra ID, Data Source: Microsoft Entra ID Sign-in Logs, Use Case: Identity and Access Audit, Use Case: Threat Detection, Tactic: Initial Access, Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

Credential Access (TA0006)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure.signinlogs-*
Related Integrations

azure

Query
event.dataset: "azure.signinlogs" and event.category: "authentication"
    and azure.signinlogs.properties.user_type: "Member"
    and azure.signinlogs.properties.authentication_details.authentication_method: "Password"
    and not azure.signinlogs.properties.device_detail.browser: *
    and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK"
    and not azure.signinlogs.properties.authentication_requirement: "multiFactorAuthentication"
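As an added example that is not part of this rule page or Elastic's own code, the Python below mirrors the KQL filter over constructed, flattened sign-in events and applies the New Terms idea: a (user, authentication_requirement) pair that passes the filter but was never seen in the history window fires once. The new-terms key and the user_principal_name field path are assumptions, not stated by the rule.

```python
UPN = "azure.signinlogs.properties.user_principal_name"  # assumed new-terms field
REQ = "azure.signinlogs.properties.authentication_requirement"
METHOD = "azure.signinlogs.properties.authentication_details.authentication_method"
BROWSER = "azure.signinlogs.properties.device_detail.browser"
MS_ASN = "MICROSOFT-CORP-MSN-AS-BLOCK"


def matches_rule(ev: dict) -> bool:
    """Python equivalent of the rule's KQL filter over a flattened event."""
    return (
        ev.get("event.dataset") == "azure.signinlogs"
        and ev.get("event.category") == "authentication"
        and ev.get("azure.signinlogs.properties.user_type") == "Member"
        and ev.get(METHOD) == "Password"
        and not ev.get(BROWSER)  # `not field: *` means the field is absent
        and ev.get("source.as.organization.name") != MS_ASN
        and ev.get(REQ) != "multiFactorAuthentication"
    )


def new_term_alerts(history: list, recent: list) -> list:
    """New Terms logic: a (user, requirement) pair present in `recent` but never
    seen in `history` fires once; only events passing the filter count."""
    seen = {(ev[UPN], ev[REQ]) for ev in history if matches_rule(ev)}
    alerts = []
    for ev in filter(matches_rule, recent):
        key = (ev[UPN], ev[REQ])
        if key not in seen:
            alerts.append(ev)
            seen.add(key)  # later repeats of the same pair are no longer "new"
    return alerts


def make_event(upn: str, req: str, **extra) -> dict:
    """Constructed sign-in event carrying only the fields the rule inspects."""
    ev = {"event.dataset": "azure.signinlogs", "event.category": "authentication",
          "azure.signinlogs.properties.user_type": "Member", METHOD: "Password",
          UPN: upn, REQ: req, "source.as.organization.name": "EXAMPLE-ISP"}
    return {**ev, **extra}


# Constructed baseline: alice always single-factor (non-browser), bob always MFA.
HISTORY = [make_event("alice@example.test", "singleFactorAuthentication")] * 3 + [
    make_event("bob@example.test", "multiFactorAuthentication")]
RECENT = [
    make_event("alice@example.test", "singleFactorAuthentication"),  # known pair
    make_event("bob@example.test", "singleFactorAuthentication"),    # new -> alert
    make_event("bob@example.test", "singleFactorAuthentication", **{BROWSER: "Edge"}),
    make_event("carol@example.test", "singleFactorAuthentication",
               **{"source.as.organization.name": MS_ASN}),           # excluded by filter
]
```

Running `new_term_alerts(HISTORY, RECENT)` returns only bob's first non-browser single-factor sign-in; the browser sign-in and the Microsoft-ASN sign-in never reach the new-terms check, which is why the rule's exclusions matter as much as its baseline.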

Install detection rules in Elastic Security

Detect Microsoft Entra ID Rare Authentication Requirement for Principal User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.