Users authenticating to other Microsoft Entra ID tenants may indicate lateral movement or reconnaissance by adversaries seeking access to resources across organizations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential cross-tenant threats and mitigate unauthorized access.
KQL Query
```kusto
// Baseline: (user, destination tenant) pairs seen in successful cross-tenant
// sign-ins between 14 days and 1 day ago
SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| where HomeTenantId != ResourceTenantId
| summarize by UserPrincipalName, ResourceTenantId
// rightanti keeps only last-day rows whose pair has no match in the baseline
| join kind=rightanti (
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where HomeTenantId != ResourceTenantId
    | where isnotempty(HomeTenantId) and isnotempty(ResourceTenantId)
) on UserPrincipalName, ResourceTenantId
// Surface only new pairs that Identity Protection also flagged as risky
| where RiskLevelAggregated != "none"
```
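To check what the query above actually surfaces before deploying it, here is an added Python re-implementation of its logic (not part of the original rule) run over constructed SigninLogs-style rows; the tenant ids, user names and timestamps are placeholders I made up, one row per branch of the query:

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible; tenant ids are placeholders.
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)
HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # our tenant
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"  # seen in the 14-day baseline
NEW_TENANT = "33333333-3333-3333-3333-333333333333"      # never seen before


def row(hours_ago, upn, resource, risk, result=0, home=HOME_TENANT):
    """Build one SigninLogs-style record with the columns the query uses."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "UserPrincipalName": upn,
            "ResultType": result, "HomeTenantId": home,
            "ResourceTenantId": resource, "RiskLevelAggregated": risk}


# Constructed sample rows (not real data), one per branch of the query's logic.
SIGNIN_LOGS = [
    row(240, "alice@contoso.example", PARTNER_TENANT, "none"),         # baseline: alice -> partner
    row(5, "alice@contoso.example", PARTNER_TENANT, "medium"),         # known pair: removed by rightanti
    row(2, "bob@contoso.example", NEW_TENANT, "high"),                 # new pair + risk: surfaced
    row(3, "carol@contoso.example", NEW_TENANT, "none"),               # new pair, no risk: dropped
    row(4, "dave@contoso.example", NEW_TENANT, "high", result=50126),  # failed sign-in: dropped
    row(1, "eve@contoso.example", NEW_TENANT, "high", home=""),        # empty HomeTenantId: dropped
]


def cross_tenant_success(rows, start, end):
    """Successful sign-ins in (start, end] whose home and resource tenant differ."""
    return [r for r in rows
            if start < r["TimeGenerated"] <= end
            and r["ResultType"] == 0
            and r["HomeTenantId"] != r["ResourceTenantId"]]


def new_risky_cross_tenant_signins(rows, now=NOW):
    """Equivalent of the KQL: last-day cross-tenant sign-ins whose (user, tenant)
    pair is absent from the 14-day baseline and whose risk level is not 'none'."""
    baseline = {(r["UserPrincipalName"], r["ResourceTenantId"])
                for r in cross_tenant_success(rows, now - timedelta(days=14), now - timedelta(days=1))}
    recent = [r for r in cross_tenant_success(rows, now - timedelta(days=1), now)
              if r["HomeTenantId"] and r["ResourceTenantId"]]  # isnotempty() on both ids
    # join kind=rightanti: keep right-side (recent) rows with no match on the join keys
    unseen = [r for r in recent
              if (r["UserPrincipalName"], r["ResourceTenantId"]) not in baseline]
    return [r for r in unseen if r["RiskLevelAggregated"] != "none"]


if __name__ == "__main__":
    for hit in new_risky_cross_tenant_signins(SIGNIN_LOGS):
        print(hit["UserPrincipalName"], "->", hit["ResourceTenantId"], hit["RiskLevelAggregated"])
```

Only bob's sign-in survives: alice's destination is already in the baseline, carol carries no risk, dave's sign-in failed and eve's row lacks a home tenant id.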
```yaml
id: 9b4a1f38-2fae-44dd-9e85-685a2e4b9bb5
name: Users Authenticating to Other Microsoft Entra ID Tenants
description: |
  'Detects when a user has successfully authenticated to another Microsoft Entra ID tenant with an identity in your organization's tenant.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs  # the query reads SigninLogs, not AuditLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  SigninLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where ResultType == 0
  | where HomeTenantId != ResourceTenantId
  | summarize by UserPrincipalName, ResourceTenantId
  | join kind=rightanti (
      SigninLogs
      | where TimeGenerated > ago(1d)
      | where ResultType == 0
      | where HomeTenantId != ResourceTenantId
      | where isnotempty(HomeTenantId) and isnotempty(ResourceTenantId)
  ) on UserPrincipalName, ResourceTenantId
  | where RiskLevelAggregated != "none"
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
```
| Sentinel Table | Notes |
|---|---|
| SigninLogs | Ensure this data connector is enabled |
Scenario: Admin Performing Cross-Tenant User Management
Description: An administrator is using the Microsoft Entra ID admin center to manage users across tenants, such as adding a user from another tenant to a service directory.
Filter/Exclusion: Exclude activity where the UserPrincipalName ends with .admin or where the action is related to user management (e.g., UserManagement or UserManagementAdmin in the activity log).
Scenario: Scheduled Job for Cross-Tenant Data Sync
Description: A scheduled job, such as Azure AD Connect or a custom PowerShell script, is synchronizing user data between two Microsoft Entra ID tenants.
Filter/Exclusion: Exclude events where the Client App is Azure AD Connect or the User Agent contains Azure AD Connect. Also, filter by Operation type such as Sync or Data Sync.
Scenario: User Accessing Microsoft 365 Services Across Tenants
Description: A user with access to multiple Microsoft 365 services (e.g., SharePoint, Teams) is authenticating to a service hosted in another tenant, such as a shared team site.
Filter/Exclusion: Exclude activity where the Resource is a known shared service (e.g., https://teams.microsoft.com, https://sharepoint.com) or where the user has a role like Global Administrator.
Scenario: Multi-Factor Authentication (MFA) Prompt from Another Tenant
Description: A user receives an MFA prompt from a Microsoft Entra ID tenant that is not their own, such as when accessing a service hosted in another tenant.
Filter/Exclusion: Exclude events where the Authentication Method is MFA and the Tenant ID is a known partner or service provider tenant (e.g., `partner