Entra ID User Sign-in with Unusual Client

Last updated 10 days ago on 2025-12-15

Created 9 months ago on 2025-03-10

About

Detects rare non-interactive sign-ins where an Entra ID client application authenticates on behalf of a principal user using an application (client) ID that is not commonly associated with that user’s historical sign-in behavior. Adversaries with stolen credentials or OAuth tokens may abuse Entra ID–managed or first-party client IDs to perform on-behalf-of (OBO) authentication, blending into legitimate cloud traffic while avoiding traditional interactive sign-in flows. This technique is commonly observed in OAuth phishing, token theft, and access broker operations, and may precede lateral movement, persistence, or data access via Microsoft Graph or other cloud resources. The rule uses a New Terms approach to identify first-seen combinations of the UPN and Client ID within a defined history window, helping surface unexpected client usage that may indicate compromised identities, malicious automation, or unauthorized application impersonation.

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Entra IDData Source: Entra ID Sign-inUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: Initial AccessLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Steal Application Access Token (T1528)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-azure.signinlogs-*
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset: "azure.signinlogs" and event.category: "authentication"
    and azure.signinlogs.properties.is_interactive: false
    and azure.signinlogs.properties.user_type: "Member"
    and not azure.signinlogs.properties.client_app_used: "Browser"
    and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK"
    and not azure.signinlogs.properties.app_id: (
        "1b3c667f-cde3-4090-b60b-3d2abd0117f0" or
        "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or
        "4b0964e4-58f1-47f4-a552-e2e1fc56dcd7" or
        "ecd6b820-32c2-49b6-98a6-444530e5a77a" or
        "268761a2-03f3-40df-8a8b-c3db24145b6b" or
        "fc0f3af4-6835-4174-b806-f7db311fd2f3" or
        "de50c81f-5f80-4771-b66b-cebd28ccdfc1" or
        "ab9b8c07-8f02-4f72-87fa-80105867a763" or
        "6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3" or
        "d7b530a4-7680-4c23-a8bf-c52c121d2e87" or
        "52c2e0b5-c7b6-4d11-a89c-21e42bcec444" or
        "38aa3b87-a06d-4817-b275-7a316988d93b" or
        "27922004-5251-4030-b22d-91ecd9a37ea4" or
        "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" or
        "cab96880-db5b-4e15-90a7-f3f1d62ffe39" or
        "3a4d129e-7f50-4e0d-a7fd-033add0a29f4" or
        "29d9ed98-a469-4536-ade2-f981bc1d605e" or
        "c0ab8ce9-e9a0-42e7-b064-33d422df41f1" or
        "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7" or
        "4813382a-8fa7-425e-ab75-3b753aab3abb" or
        "08e18876-6177-487e-b8b5-cf950c1e598c" or
        "0ec893e0-5785-4de6-99da-4ed124e5296c" or
        "d3590ed6-52b3-4102-aeff-aad2292ab01c" or
        "0dc2408a-bbc0-4238-871e-13b372f0200f" or
        "4813382a-8fa7-425e-ab75-3b753aab3abb" or
        "af124e86-4e96-495a-b70a-90f90ab96707" or
        "e9c51622-460d-4d3d-952d-966a5b1da34c" or
        "ecd6b820-32c2-49b6-98a6-444530e5a77a" or
        "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34" or
        "e2ef5054-0287-4db6-afa3-013d96881fd3"
    )

Install detection rules in Elastic Security

Detect Entra ID User Sign-in with Unusual Client in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).