Privileged users authenticating from one Microsoft Entra ID tenant to another may indicate lateral movement or unauthorized access between environments. SOC teams should proactively hunt for this behavior to identify potential credential compromise or insider threats in their Azure Sentinel environment.
KQL Query
```kql
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| where tolower(UserPrincipalName) in (admin_users)
| where HomeTenantId != ResourceTenantId
| summarize by UserPrincipalName, ResourceTenantId
| join kind=rightanti (SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | where HomeTenantId != ResourceTenantId
  | where isnotempty(HomeTenantId) and isnotempty(ResourceTenantId)) on UserPrincipalName, ResourceTenantId
| where RiskLevelAggregated != "none"
```
```yaml
id: 3a0447c1-7f43-43d0-aeac-d5e1247964a8
name: Administrators Authenticating to Another Microsoft Entra ID Tenant
description: |
  'Detects when a privileged user account successfully authenticates to another Microsoft Entra ID Tenant.
  Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
query: |
  let admin_users = (IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles contains "admin"
    | summarize by tolower(AccountUPN));
  SigninLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | where HomeTenantId != ResourceTenantId
  | summarize by UserPrincipalName, ResourceTenantId
  | join kind=rightanti (SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where tolower(UserPrincipalName) in (admin_users)
    | where HomeTenantId != ResourceTenantId
    | where isnotempty(HomeTenantId) and isnotempty(ResourceTenantId)) on UserPrincipalName, ResourceTenantId
  | where RiskLevelAggregated != "none"
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
version: 1.0.1
```
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure this data connector is enabled |
| SigninLogs | Ensure this data connector is enabled |
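To make the rule's logic easy to trace, the following is an added example written for this page, not code from the Sentinel rule or from Microsoft. It re-implements the query in Python over constructed IdentityInfo and SigninLogs rows: the `arg_max` snapshot per account, the case-insensitive `contains "admin"` role check, the 14-day baseline of known (user, resource tenant) pairs, the `rightanti` join that keeps only pairs not seen in that baseline, and the final risk filter. It also adds a tuning allowlist of the kind the scenarios below describe (a designated cross-tenant sync account); the tenant identifiers, account names and the allowlist are all constructed placeholders.

```python
# Added example, not part of the Sentinel rule or the page: a Python
# re-implementation of the hunt's logic over constructed sample records,
# so that each filter and the rightanti join can be traced step by step.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed tenant identifiers (placeholders, not real tenant GUIDs)
CONTOSO, FABRIKAM, LITWARE, NORTHWIND = ("tenant-contoso", "tenant-fabrikam",
                                         "tenant-litware", "tenant-northwind")

# Constructed IdentityInfo rows. Alice appears twice: arg_max(TimeGenerated, *)
# must keep only her newest row before the role check runs.
IDENTITY_INFO = [
    {"TimeGenerated": NOW - timedelta(days=3), "AccountUPN": "Alice@contoso.example", "AssignedRoles": ["User"]},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "Alice@contoso.example", "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": NOW - timedelta(days=2), "AccountUPN": "bob@contoso.example", "AssignedRoles": ["User"]},
    {"TimeGenerated": NOW - timedelta(days=2), "AccountUPN": "carol@contoso.example", "AssignedRoles": ["Security Administrator"]},
]


def signin(age, upn, resource, risk, result=0, home=CONTOSO):
    """Build one constructed SigninLogs row dated `age` before NOW."""
    return {"TimeGenerated": NOW - age, "UserPrincipalName": upn, "ResultType": result,
            "HomeTenantId": home, "ResourceTenantId": resource, "RiskLevelAggregated": risk}


SIGNIN_LOGS = [
    signin(timedelta(days=10), "Alice@contoso.example", FABRIKAM, "none"),    # baseline: Alice -> Fabrikam is known
    signin(timedelta(hours=2), "Alice@contoso.example", FABRIKAM, "medium"),  # known pair -> dropped by rightanti
    signin(timedelta(hours=3), "Alice@contoso.example", LITWARE, "medium"),   # new pair with risk -> alert
    signin(timedelta(hours=5), "carol@contoso.example", LITWARE, "none"),     # new pair but no risk -> dropped
    signin(timedelta(hours=1), "bob@contoso.example", LITWARE, "high"),       # not privileged -> dropped
    signin(timedelta(hours=4), "Alice@contoso.example", NORTHWIND, "high", result=50126),  # failed sign-in -> dropped
    signin(timedelta(minutes=30), "Alice@contoso.example", CONTOSO, "high"),  # home tenant -> dropped
    signin(timedelta(hours=20), "Alice@contoso.example", "", "high"),         # empty ResourceTenantId -> dropped
    signin(timedelta(hours=6), "carol@contoso.example", FABRIKAM, "low"),     # new pair with risk, but allowlisted below
]

# Hypothetical tuning allowlist in the spirit of the scenarios on this page:
# (lowercase UPN, ResourceTenantId) pairs for a designated cross-tenant sync account.
SYNC_ALLOWLIST = frozenset({("carol@contoso.example", FABRIKAM)})


def admin_users(identity_rows):
    """IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles contains "admin" | summarize by tolower(AccountUPN)"""
    latest = {}
    for row in identity_rows:
        upn = row["AccountUPN"]
        if upn not in latest or row["TimeGenerated"] > latest[upn]["TimeGenerated"]:
            latest[upn] = row
    # KQL `contains` is case-insensitive, so "Global Administrator" matches "admin".
    return {upn.lower() for upn, row in latest.items()
            if any("admin" in role.lower() for role in row["AssignedRoles"])}


def cross_tenant_admin_signins(signins, admins, in_window):
    """Successful sign-ins by privileged users whose home and resource tenants differ."""
    return [r for r in signins
            if in_window(r["TimeGenerated"]) and r["ResultType"] == 0
            and r["UserPrincipalName"].lower() in admins
            and r["HomeTenantId"] != r["ResourceTenantId"]]


def detect(signins, identity_rows, now, allowlist=frozenset()):
    """Return the recent sign-ins the rule would surface, optionally minus an allowlist."""
    admins = admin_users(identity_rows)
    baseline_start, baseline_end = now - timedelta(days=14), now - timedelta(days=1)
    # Left side of the join: between(ago(14d)..ago(1d)) is inclusive on both ends.
    baseline = cross_tenant_admin_signins(signins, admins, lambda t: baseline_start <= t <= baseline_end)
    # The join key is the raw UserPrincipalName, exactly as in the KQL (not lowercased).
    known_pairs = {(r["UserPrincipalName"], r["ResourceTenantId"]) for r in baseline}
    # Right side of the join: TimeGenerated > ago(1d).
    recent = cross_tenant_admin_signins(signins, admins, lambda t: t > baseline_end)
    alerts = []
    for r in recent:
        if not (r["HomeTenantId"] and r["ResourceTenantId"]):   # isnotempty(...) on the right side only
            continue
        if (r["UserPrincipalName"], r["ResourceTenantId"]) in known_pairs:  # rightanti: keep unmatched right rows
            continue
        if r["RiskLevelAggregated"] == "none":                  # RiskLevelAggregated != "none"
            continue
        if (r["UserPrincipalName"].lower(), r["ResourceTenantId"]) in allowlist:  # tuning exclusion
            continue
        alerts.append(r)
    return alerts


if __name__ == "__main__":
    for a in detect(SIGNIN_LOGS, IDENTITY_INFO, NOW, allowlist=SYNC_ALLOWLIST):
        print(a["TimeGenerated"], a["UserPrincipalName"], "->", a["ResourceTenantId"], a["RiskLevelAggregated"])
```

Running the block prints a single line for Alice's first sign-in to the Litware tenant; carol's sign-in to Fabrikam would also surface without the allowlist. Two details of the KQL are worth keeping in mind when tuning: the join key is the raw `UserPrincipalName`, so a sign-in logged with different letter casing than the baseline looks like a new pair, and `RiskLevelAggregated != "none"` is applied last, so a genuinely new cross-tenant sign-in with no risk signal (carol to Litware above) stays silent.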
Scenario: Cross-Tenant Admin Collaboration via Azure AD Connect
Description: An administrator is authenticating to another tenant as part of a cross-tenant synchronization setup using Azure AD Connect.
Filter/Exclusion: Check for the presence of Azure AD Connect in the source system or filter by the specific admin account used for cross-tenant sync.
Scenario: Scheduled Job for User Provisioning Across Tenants
Description: A scheduled job (e.g., using Azure Automation or PowerShell) is provisioning users across multiple Microsoft Entra ID tenants.
Filter/Exclusion: Filter by the job name or script name associated with user provisioning, and check for the presence of Azure Automation or PowerShell in the source.
Scenario: Admin Accessing Another Tenant for Support via Microsoft Entra ID Admin Center
Description: An admin is accessing another tenant to assist a user or resolve an issue using the Microsoft Entra ID Admin Center.
Filter/Exclusion: Filter by the admin’s role (e.g., Global Admin) and check for the presence of Microsoft Entra ID Admin Center in the source or session details.
Scenario: Multi-Tenant Application Authentication for SaaS Integration
Description: A privileged user is authenticating to another tenant as part of configuring a multi-tenant SaaS application (e.g., Power BI, Microsoft Teams, or Dynamics 365).
Filter/Exclusion: Filter by the application name or service (e.g., Power BI, Microsoft Teams) and check for the presence of OAuth or SaaS in the authentication context.
Scenario: Admin Accessing Another Tenant for Compliance or Audit Purposes
Description: An admin is accessing another tenant to review logs, audit compliance, or perform a security assessment.
Filter/Exclusion: Filter