Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client

Last updated 15 days ago on 2025-12-10

Created 8 months ago on 2025-05-01

About

This rule detects non-interactive authentication activity against SharePoint Online (`Office 365 SharePoint Online`) by a user principal via the `Microsoft Authentication Broker` application. The session leverages a refresh token or Primary Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios.

Tags

Domain: CloudUse Case: Identity and Access AuditTactic: CollectionData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-in LogsLanguage: kuery

Severity

high

Risk Score

MITRE ATT&CK™

Collection (TA0009)(external, opens in a new tab or window)

↳ Data from Information Repositories (T1213)(external, opens in a new tab or window)

False Positive Examples

Legitimate non-interactive access to SharePoint Online via the Microsoft Authentication Broker may occur in enterprise environments, especially with MDM solutions or automated scripts. However, this should be explicitly allowed and monitored. Some enterprise MDM or brokered flows may use refresh tokens legitimately (especially with hybrid/Azure AD joined devices). Automated scripts for legitimate tasks (e.g., reporting, backups) might use `python-requests`, though this should be explicitly allowed. If the user is a developer or automation engineer, validate if this behavior was for testing purposes.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-azure.signinlogs-*
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset: "azure.signinlogs"
    and azure.signinlogs.properties.app_id: "29d9ed98-a469-4536-ade2-f981bc1d605e"
    and azure.signinlogs.properties.resource_id: "00000003-0000-0ff1-ce00-000000000000"
    and azure.signinlogs.identity: *
    and azure.signinlogs.properties.user_principal_name: *
    and azure.signinlogs.properties.incoming_token_type: ("refreshToken" or "primaryRefreshToken")
    and azure.signinlogs.properties.is_interactive: false

Install detection rules in Elastic Security

Detect Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).