Failed MFA attempts from privileged accounts may indicate an adversary who already holds a valid password and is trying to get past the second factor, for example by repeatedly triggering push prompts (MFA fatigue). SOC teams should proactively hunt for this behavior in Azure Sentinel to catch credential theft or lateral movement early. Note that the result codes the query matches are not all failed challenges: 500121 is a challenge the user did not pass, 50074 and 50076 record that MFA was required and interrupted the sign-in, and 50072, 50079 and 53004 mean the account has not finished MFA registration. A privileged account without registered MFA is a finding in itself, but triage it separately from a denied prompt.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let aadFunc = (tableName:string){
IdentityInfo
| where AssignedRoles contains "Admin"
| mv-expand AssignedRoles
| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)
| where Roles contains "Admin"
| distinct Roles, AccountUPN
| join kind=inner (
// Failed sign-in attempts whose result relates to MFA.
table(tableName)
| where TimeGenerated between(starttime..endtime)
| where ResultDescription has_any ("MFA", "second factor", "multi-factor") or ResultType in (50074, 50076, 50079, 50072, 53004, 500121)
// AccountUPN above is lower-cased and the join is case-sensitive, so normalise this side too.
| extend UserPrincipalName = tolower(UserPrincipalName)
) on $left.AccountUPN == $right.UserPrincipalName
| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
id: d9524fcf-de06-4f95-84b0-1637a30ad595
name: Privileged Accounts - Failed MFA
description: |
  ' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.
  Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let aadFunc = (tableName:string){
  IdentityInfo
  | where AssignedRoles contains "Admin"
  | mv-expand AssignedRoles
  | extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)
  | where Roles contains "Admin"
  | distinct Roles, AccountUPN
  | join kind=inner (
  // Failed sign-in attempts whose result relates to MFA.
  table(tableName)
  | where TimeGenerated between(starttime..endtime)
  | where ResultDescription has_any ("MFA", "second factor", "multi-factor") or ResultType in (50074, 50076, 50079, 50072, 53004, 500121)
  // AccountUPN above is lower-cased and the join is case-sensitive, so normalise this side too.
  | extend UserPrincipalName = tolower(UserPrincipalName)
  ) on $left.AccountUPN == $right.UserPrincipalName
  | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName
  };
  let aadSignin = aadFunc("SigninLogs");
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.1
| Sentinel Table | Notes |
|---|---|
| SigninLogs | Interactive user sign-ins. Provided by the AzureActiveDirectory connector; ensure it is enabled. |
| AADNonInteractiveUserSignInLogs | Non-interactive sign-ins (token refreshes, background clients). A separate data type of the AzureActiveDirectory connector; ensure it is enabled, otherwise `union isfuzzy=true` silently returns interactive sign-ins only. |
| IdentityInfo | Account-to-role mapping populated by the BehaviorAnalytics (UEBA) connector. Without it the inner join returns no rows at all. |
Scenario: Scheduled Job Attempting to Access a Privileged Account
Description: A scheduled job or automation tool (e.g., Azure DevOps, Jenkins, or Ansible) signs in with a privileged user account and cannot complete the MFA challenge, because it runs unattended or its authentication flow is misconfigured. EventID 4625 is a Windows Security log event and has no equivalent column in SigninLogs; the columns to filter on here are UserAgent, IPAddress, AppDisplayName and UserPrincipalName.
Filter/Exclusion: `| where not(UserAgent has_any ("Azure DevOps", "Jenkins", "Ansible"))` as a first cut. The User-Agent header is set by the client, so an attacker can match it; prefer excluding on the automation host's source IP combined with the specific account. Better still, treat the match as a finding: unattended jobs should authenticate as a service principal or managed identity, not as a privileged user account.
Scenario: Admin Performing Password Reset via Self-Service Portal
Description: An admin resets their own password through self-service password reset (SSPR), which requires MFA verification, and the verification fails (wrong code, expired or declined prompt).
Filter/Exclusion: Do not exclude by account name; a filter such as User contains "AdminUser" would also hide a real attack against that account. SSPR flow progress is recorded in AuditLogs rather than in SigninLogs, so confirm the benign explanation by correlating the failed MFA with an SSPR audit entry for the same UserPrincipalName within a few minutes, and close the alert on that correlation.
Scenario: MFA Prompt During System Maintenance or Patching
Description: During a maintenance window, an admin accessing a privileged resource (e.g., Azure VMs, SCCM, or Exchange) is prompted for MFA and the verification fails because of a temporary network issue or service outage.
Filter/Exclusion: `| where not(UserPrincipalName == "itadmin@contoso.com" and TimeGenerated between (maintenance_window_start .. maintenance_window_end))`, with the window bound to datetime values and scoped to the admins named on the change ticket. A genuine MFA service outage fails many accounts at once; check `summarize dcount(UserPrincipalName) by bin(TimeGenerated, 5m)` before attributing a single privileged account's failures to an outage.
Scenario: False MFA Prompt from Legacy Authentication Tool
Description: A client using a legacy authentication protocol (basic authentication over IMAP, SMTP or EWS, or a script using the resource owner password credentials flow) signs in with a privileged account. Legacy protocols cannot present a second factor, so a policy that requires MFA fails the sign-in every time the client runs.
Filter/Exclusion: Identify these sign-ins with the ClientAppUsed column rather than the account name: `| where isnotempty(ClientAppUsed) and ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")`. Do not exclude them. A privileged account used over legacy authentication is a finding in itself; fix the client or block legacy authentication with Conditional Access.
**Scenario: MFA
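The scenarios above, turned into a stand-alone tuned hunt. This is an added example written for this page, not the published rule and not Microsoft's code. It builds the same privileged-account and failed-MFA candidate set, applies the scenario exclusions against real SigninLogs columns, keeps legacy-protocol and registration-required events labelled rather than dropped, and ends with a triage step that looks for a successful sign-in from the same IP shortly after the failure, which is the shape of an accepted push prompt. The automation CIDR, maintenance window and admin UPN are placeholders to replace; it assumes IdentityInfo (UEBA) and both sign-in tables are populated.

```kql
// Added example, not the published hunting query. Same privileged-account
// and failed-MFA candidate set, then the scenario exclusions written against
// real SigninLogs columns, then a triage step: an MFA failure followed by a
// successful sign-in from the same IP is the shape of an accepted push prompt.
// Placeholders (assumptions): the automation CIDR, the maintenance window and
// the admin UPN. Requires IdentityInfo (UEBA) and both sign-in tables.
let starttime = ago(7d);
let endtime = now();
let lookahead = 1h;                                  // how long after a failure a success still counts
let automationRanges = dynamic(["10.10.5.0/24"]);    // placeholder: CI/CD hosts, scenario 1
let maintStart = datetime(2024-01-01T00:00:00Z);     // placeholder window, scenario 3
let maintEnd   = datetime(2024-01-01T04:00:00Z);
let maintAdmins = dynamic(["itadmin@contoso.com"]);  // placeholder, scenario 3
let privilegedUsers =
    IdentityInfo
    | where AssignedRoles contains "Admin"
    | mv-expand AssignedRoles
    | extend Role = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)
    | where Role contains "Admin"
    // one row per account, so the join below does not duplicate a sign-in per role held
    | summarize Roles = make_set(Role) by AccountUPN;
let signins =
    union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated between (starttime .. endtime)
    // UPN lower-cased on both sides: KQL == and join are case-sensitive
    | extend UserPrincipalName = tolower(UserPrincipalName), ResultType = tostring(ResultType);
let failedMfa =
    signins
    | where ResultDescription has_any ("MFA", "second factor", "multi-factor")
        or ResultType in ("50074", "50076", "50079", "50072", "53004", "500121")
    | join kind=inner privilegedUsers on $left.UserPrincipalName == $right.AccountUPN
    // Scenario 1: exclude by source range, not User-Agent (the header is client-controlled).
    // coalesce() keeps IPv6 rows, where ipv4_is_in_any_range() returns null.
    | where not(coalesce(ipv4_is_in_any_range(IPAddress, automationRanges), false))
    // Scenario 3: only the named admins, only inside the window.
    | where not(UserPrincipalName in (maintAdmins) and TimeGenerated between (maintStart .. maintEnd))
    // Scenario 4: label legacy-protocol sign-ins instead of dropping them.
    | extend LegacyAuth = isnotempty(ClientAppUsed)
        and ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
    // 500121 is a challenge the user did not pass; 50072/50079/53004 mean MFA is not registered yet.
    | extend FailureClass = case(
        ResultType == "500121", "ChallengeFailed",
        ResultType in ("50079", "50072", "53004"), "RegistrationRequired",
        "MfaRequired");
failedMfa
| summarize Failures = count(), FirstFailure = min(TimeGenerated), LastFailure = max(TimeGenerated),
    Classes = make_set(FailureClass), Apps = make_set(AppDisplayName), LegacyAuthCount = countif(LegacyAuth)
    by UserPrincipalName, IPAddress, Roles = tostring(Roles)
| extend WindowEnd = LastFailure + lookahead
// Triage: any success from the same account and IP after the failures?
| join kind=leftouter (
    signins
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated
  ) on UserPrincipalName, IPAddress
| extend SuccessAfterFailure = SuccessTime between (FirstFailure .. WindowEnd)
| summarize take_any(Roles, Failures, FirstFailure, LastFailure, Classes, Apps, LegacyAuthCount),
    LaterSuccesses = countif(SuccessAfterFailure), FirstSuccessAfter = minif(SuccessTime, SuccessAfterFailure)
    by UserPrincipalName, IPAddress
| order by LaterSuccesses desc, Failures desc
```

Rows with LaterSuccesses above zero go to the top: a privileged account that failed MFA and then signed in from the same address within the lookahead is the one to check first, whatever the FailureClass. The Scenario 1 and 3 exclusions are deliberately narrow (source range, named admins inside a bounded window) because a broad User-Agent or account-name exclusion is exactly what an attacker who already holds the password would hide behind.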