Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration

Last updated a month ago on 2026-05-22
Created a month ago on 2026-05-22

About

Correlates a successful Entra ID device-code sign-in to the legacy Azure AD Graph audience (00000002-0000-0000-c000-000000000000) from an unmanaged device with directory enumeration against graph.windows.net by the same user in the same tenant within a five-minute window. Device-code phishing is the dominant OAuth phishing variant against Microsoft tenants: the adversary initiates the device authorization flow, relays the user-facing code to the victim, and once the victim redeems it receives an access or refresh token scoped to the targeted resource without ever handling the user's password or MFA factor. When the redeemed audience is Azure AD Graph and the redeeming device is unmanaged, follow-on Graph traffic under that identity is far more likely to be the attacker using the compromised account than the user themselves. This rule fires when the token is turned around against the directory under the same user.id and azure.tenant_id within the window to read user, group, service principal, application, device, directory role, role assignment, directory object, policy, OAuth2 permission grant, administrative unit, tenant detail, or directory setting template collections, or the calling user's own object. Both events are joined on user.id and azure.tenant_id, so the Graph activity record must carry the same user identifier as the sign-in record for the sequence to complete.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-in Logs
Data Source: Azure AD Graph
Data Source: Azure AD Graph Activity Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Initial Access
Tactic: Discovery
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)

Initial Access (TA0001)

Discovery (TA0007)

False Positive Examples
Authorized red team or audit activity (ROADrecon, ROADtools, AADInternals, roadtx). Document the engagement window and add exceptions on the calling user.

A developer or operator legitimately running first-party tooling under the device-code flow that then enumerates directory objects during onboarding or troubleshooting. Validate the calling app and source IP and exclude as appropriate.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*
logs-azure.aadgraphactivitylogs-*
Related Integrations

azure

Query
text code block:
sequence by user.id, azure.tenant_id with maxspan=5m
  [authentication where data_stream.dataset == "azure.signinlogs" and
    event.outcome == "success" and
    azure.signinlogs.properties.authentication_protocol == "deviceCode" and
    azure.signinlogs.properties.device_detail.is_managed == false and
    azure.signinlogs.properties.resource_id == "00000002-0000-0000-c000-000000000000"]
  [web where data_stream.dataset == "azure.aadgraphactivitylogs" and
    url.path : (
      "*/users*", "*/groups*", "*/servicePrincipals*", "*/applications*",
      "*/applicationRefs*", "*/devices*", "*/directoryRoles*", "*/roleAssignments*",
      "*/eligibleRoleAssignments*", "*/roleDefinitions*", "*/directoryObjects*",
      "*/policies*", "*/oauth2PermissionGrants*", "*/administrativeUnits*",
      "*/tenantDetails*", "*/directorySettingTemplates*", "*/me*"
    )]
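To make the sequence semantics concrete, the following is an added example, not Elastic's code and not part of the rule: a plain-Python emulation of the EQL sequence above, run over constructed sign-in and Azure AD Graph activity events. Field names are shortened stand-ins for the integration fields the query reads (user.id, azure.tenant_id, url.path and so on), the tenant name contoso.onmicrosoft.com and user ids are invented, and the events are constructed sample data, not real tenant logs. The sample covers one true positive and three near-misses (managed device, enumeration outside maxspan, Microsoft Graph rather than Azure AD Graph audience).

```python
# Added example (not Elastic's code): plain-Python emulation of the rule's EQL
# sequence over constructed Entra ID sign-in and Azure AD Graph activity events.
# Field names are shortened stand-ins for the integration fields the query uses
# (user.id, azure.tenant_id, url.path, ...). All events below are constructed.
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph audience
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph, out of scope here
MAXSPAN = timedelta(minutes=5)  # the rule's maxspan=5m

# url.path wildcard patterns from the rule, verbatim. EQL's ':' is a
# case-insensitive wildcard match, so both sides are lower-cased below.
ENUM_PATHS = (
    "*/users*", "*/groups*", "*/servicePrincipals*", "*/applications*",
    "*/applicationRefs*", "*/devices*", "*/directoryRoles*", "*/roleAssignments*",
    "*/eligibleRoleAssignments*", "*/roleDefinitions*", "*/directoryObjects*",
    "*/policies*", "*/oauth2PermissionGrants*", "*/administrativeUnits*",
    "*/tenantDetails*", "*/directorySettingTemplates*", "*/me*",
)


def is_devicecode_aadgraph_signin(ev):
    """Sequence step 1: successful deviceCode sign-in, unmanaged device, AAD Graph audience."""
    return (ev.get("dataset") == "azure.signinlogs"
            and ev.get("outcome") == "success"
            and ev.get("authentication_protocol") == "deviceCode"
            and ev.get("is_managed") is False
            and ev.get("resource_id") == AAD_GRAPH_RESOURCE_ID)


def is_directory_enumeration(ev):
    """Sequence step 2: AAD Graph request whose path hits one of the enumeration patterns."""
    if ev.get("dataset") != "azure.aadgraphactivitylogs":
        return False
    path = ev.get("url_path", "").lower()
    return any(fnmatchcase(path, pattern.lower()) for pattern in ENUM_PATHS)


def correlate(events, maxspan=MAXSPAN):
    """Emulate `sequence by user.id, azure.tenant_id with maxspan=5m [step1] [step2]`.

    Events are processed in timestamp order. A step-1 match opens (or replaces)
    a pending sequence for its (user, tenant) key; the next step-2 match for
    that key consumes the pending sign-in and raises an alert only if it falls
    within maxspan. This is a simplification of the Elasticsearch EQL engine,
    sufficient to show which of the sample events the rule would pair up.
    """
    pending = {}  # (user_id, tenant_id) -> step-1 event awaiting a step-2 match
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user_id"], ev["tenant_id"])
        if is_devicecode_aadgraph_signin(ev):
            pending[key] = ev
            continue
        if is_directory_enumeration(ev) and key in pending:
            signin = pending.pop(key)  # consumed whether it matches or has expired
            if ev["ts"] - signin["ts"] <= maxspan:
                alerts.append({"user_id": key[0], "tenant_id": key[1],
                               "signin_ts": signin["ts"], "graph_ts": ev["ts"],
                               "url_path": ev["url_path"]})
    return alerts


T0 = datetime(2026, 5, 22, 9, 0, 0)


def signin(ts, user, resource=AAD_GRAPH_RESOURCE_ID, managed=False):
    """Build a constructed sign-in event (successful deviceCode sign-in by default)."""
    return {"ts": ts, "dataset": "azure.signinlogs", "outcome": "success",
            "user_id": user, "tenant_id": "t-1", "authentication_protocol": "deviceCode",
            "is_managed": managed, "resource_id": resource}


def graph(ts, user, path):
    """Build a constructed Azure AD Graph activity event."""
    return {"ts": ts, "dataset": "azure.aadgraphactivitylogs",
            "user_id": user, "tenant_id": "t-1", "url_path": path}


# Constructed sample data: one true positive and three near-misses.
SAMPLE_EVENTS = [
    # u-1: unmanaged deviceCode sign-in to AAD Graph, /users read 40s later -> alert
    signin(T0, "u-1"),
    graph(T0 + timedelta(seconds=40), "u-1", "/contoso.onmicrosoft.com/users"),
    graph(T0 + timedelta(seconds=45), "u-1", "/contoso.onmicrosoft.com/servicePrincipals"),
    # u-2: same flow from a managed device -> step 1 never matches
    signin(T0 + timedelta(minutes=1), "u-2", managed=True),
    graph(T0 + timedelta(minutes=1, seconds=20), "u-2", "/contoso.onmicrosoft.com/groups"),
    # u-3: enumeration arrives 8 minutes after the sign-in -> outside maxspan
    signin(T0 + timedelta(minutes=2), "u-3"),
    graph(T0 + timedelta(minutes=10), "u-3", "/contoso.onmicrosoft.com/directoryRoles"),
    # u-4: deviceCode sign-in to Microsoft Graph, not the legacy AAD Graph audience
    signin(T0 + timedelta(minutes=3), "u-4", resource=MS_GRAPH_RESOURCE_ID),
    graph(T0 + timedelta(minutes=3, seconds=30), "u-4", "/contoso.onmicrosoft.com/applications"),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for u-1. The second u-1 request is not alerted on because the pending sign-in was consumed by the first match, which is the behaviour a per-sequence correlation gives you: one alert per redeemed token, not one per enumeration call. When tuning, the three near-miss users are the cases to keep in mind: a managed-device sign-in or a non-AAD-Graph audience never opens a sequence, and enumeration that starts more than five minutes after the sign-in falls outside maxspan even though it is the same identity.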

Install detection rules in Elastic Security

Detect Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.