An adversary who has gained access to an account may register a new device after a risky sign-in session, indicating potential credential theft or account takeover; registering a device is a common way to persist that access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before further compromise occurs.
KQL Query
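// Hunt: a device registration (performed through the Device Registration
// Service) that follows a medium/high-risk sign-in for the same user within
// a short window. Adjust registrationWindow to the tenant's normal gap
// between a risky sign-in and legitimate device enrolment.
let registrationWindow = 6h;
// Device registrations, with owner and device details extracted from
// RawEventData: owner object id from Target[1].ID, device object id from
// ModifiedProperties[0].NewValue, device display name from
// ModifiedProperties[1].NewValue.
let registeredDevices = CloudAppEvents
| where ActionType =~ "Add registered owner to device."
| where AccountDisplayName =~ "Device Registration Service"
// Drop events that lack any field the join or the output depends on.
| where isnotempty(RawEventData.ObjectId)
    and isnotempty(RawEventData.Target[1].ID)
    and isnotempty(RawEventData.ModifiedProperties[0].NewValue)
    and isnotempty(RawEventData.ModifiedProperties[1].NewValue)
| extend AccountUpn = tostring(RawEventData.ObjectId)
| extend AccountObjectId = tostring(RawEventData.Target[1].ID)
| extend DeviceObjectId = tostring(RawEventData.ModifiedProperties[0].NewValue)
| extend DeviceDisplayName = tostring(RawEventData.ModifiedProperties[1].NewValue)
| project DeviceRegistrationTimestamp = Timestamp, ReportId, AccountUpn, AccountObjectId, DeviceObjectId, DeviceDisplayName;
// Users who registered a device; used to narrow the sign-in scan.
let registeringUser = registeredDevices
| distinct AccountObjectId;
// Short-circuit the sign-in scan when no device was registered at all.
let hasRegisteringUser = isnotempty(toscalar(registeringUser));
// Earliest medium/high-risk sign-in per session for the registering users.
let riskySignins = EntraIdSignInEvents
| where hasRegisteringUser
| where AccountObjectId in (registeringUser)
| where RiskLevelDuringSignIn in ("50", "100") // 50 = Medium, 100 = High sign-in risk level.
| where Application in ("Office 365 Exchange Online", "OfficeHome")
| where isnotempty(SessionId)
| project SignInTimestamp = Timestamp, Application, SessionId, AccountObjectId, IPAddress, RiskLevelDuringSignIn
| summarize SignInTimestamp = argmin(SignInTimestamp, *) by Application, SessionId, AccountObjectId, IPAddress, RiskLevelDuringSignIn;
registeredDevices
// kind=inner keeps every registration; the default (innerunique) would keep
// only one registration per user and hide additional devices.
| join kind=inner riskySignins on AccountObjectId
// Only registrations that happen AFTER the risky sign-in and within the window.
// An unbounded "< 6h" check also matches a sign-in that occurred after the
// registration (negative delta), which is not the behaviour being hunted.
| where DeviceRegistrationTimestamp - SignInTimestamp between (0s .. registrationWindow)
| project-away AccountObjectId1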
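id: ce2b03f8-92a4-4ec7-b55b-e9fa562fafa4
name: Risky Sign-in with Device Registration
description: |
  Looks for a new device registration in Entra ID preceded by a medium- or high-risk sign-in session for the same user within a 6h window.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EntraIdSignInEvents
tactics:
  - Persistence
# The time-delta check is bounded on both sides so that a risky sign-in that
# occurs AFTER the registration does not match, and the join uses kind=inner
# so every registered device is reported (innerunique keeps one per user).
query: |
  let registrationWindow = 6h;
  // Device registrations, with owner and device details extracted from RawEventData.
  let registeredDevices = CloudAppEvents
  | where ActionType =~ "Add registered owner to device."
  | where AccountDisplayName =~ "Device Registration Service"
  | where isnotempty(RawEventData.ObjectId)
      and isnotempty(RawEventData.Target[1].ID)
      and isnotempty(RawEventData.ModifiedProperties[0].NewValue)
      and isnotempty(RawEventData.ModifiedProperties[1].NewValue)
  | extend AccountUpn = tostring(RawEventData.ObjectId)
  | extend AccountObjectId = tostring(RawEventData.Target[1].ID)
  | extend DeviceObjectId = tostring(RawEventData.ModifiedProperties[0].NewValue)
  | extend DeviceDisplayName = tostring(RawEventData.ModifiedProperties[1].NewValue)
  | project DeviceRegistrationTimestamp = Timestamp, ReportId, AccountUpn, AccountObjectId, DeviceObjectId, DeviceDisplayName;
  // Users who registered a device; used to narrow the sign-in scan.
  let registeringUser = registeredDevices
  | distinct AccountObjectId;
  // Short-circuit the sign-in scan when no device was registered at all.
  let hasRegisteringUser = isnotempty(toscalar(registeringUser));
  // Earliest medium/high-risk sign-in per session for the registering users.
  let riskySignins = EntraIdSignInEvents
  | where hasRegisteringUser
  | where AccountObjectId in (registeringUser)
  | where RiskLevelDuringSignIn in ("50", "100") // 50 = Medium, 100 = High sign-in risk level.
  | where Application in ("Office 365 Exchange Online", "OfficeHome")
  | where isnotempty(SessionId)
  | project SignInTimestamp = Timestamp, Application, SessionId, AccountObjectId, IPAddress, RiskLevelDuringSignIn
  | summarize SignInTimestamp = argmin(SignInTimestamp, *) by Application, SessionId, AccountObjectId, IPAddress, RiskLevelDuringSignIn;
  registeredDevices
  | join kind=inner riskySignins on AccountObjectId
  // Registration must follow the risky sign-in, within the window.
  | where DeviceRegistrationTimestamp - SignInTimestamp between (0s .. registrationWindow)
  | project-away AccountObjectId1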
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EntraIdSignInEvents | Ensure this data connector is enabled |
Scenario: A system administrator uses a new device to sign in after a high-risk sign-in session due to a failed password attempt.
Filter/Exclusion: Exclude sign-ins where the user is a member of the "Administrators" group or holds the "Global Administrator" role. Scope any such exclusion tightly (for example, to the specific failed-password sign-in), since privileged accounts are the most valuable targets for account takeover.
Scenario: A scheduled job runs on a new device that was recently registered for automation tasks, and the job triggers a sign-in that coincides with a previous high-risk session.
Filter/Exclusion: Exclude sign-ins associated with service accounts or jobs running under a specific, known automation account (e.g., `svc-automation@<your-tenant-domain>`, a placeholder for the tenant's actual service account).
Scenario: An employee uses a personal device to sign in after a high-risk session due to a phishing attempt, but the device is later registered as a trusted device.
Filter/Exclusion: Exclude sign-ins where the device is registered within 1 hour of the sign-in and the user has manually confirmed the device as trusted.
Scenario: A user signs in from a new device after a high-risk session, but the sign-in is part of a multi-factor authentication (MFA) enrollment process.
Filter/Exclusion: Exclude sign-ins where the user is enrolling for MFA or has a pending MFA setup request in Azure AD.
Scenario: A user signs in from a new device after a high-risk session, but the sign-in is part of a routine password reset process using a new device.
Filter/Exclusion: Exclude sign-ins where the user has initiated a password reset through the Microsoft Entra ID admin center or via a password reset tool like AzureADPasswordReset.