kql, Hunting
AADSignInEventsBeta - Hunting Potential Seamless SSO Usage
Legacy query, please use https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql instead
Detection Query
//Legacy query, please use https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql instead
//This query is for those who do not ingest AADNonInteractiveSignins and don't have MDI but have Advanced Hunting available
//You should disable Seamless SSO and favour SSO from the PRT instead i.e. Entra Join/Hybrid Join/Entra Register
//Ref 1: https://ourcloudnetwork.com/why-you-should-disable-seamless-sso-in-microsoft-entra-connect/
//Ref 2: https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/#:~:text=The%20resulting-,Graph%20PowerShell,-will%20look%20like
AADSignInEventsBeta
| where ApplicationId == ""
| where parse_json(LogonType)[0] == 'nonInteractiveUser'
| where EndpointCall == @"WindowsAuthenticationController:sso"
| summarize count() by AccountUpn,DeviceName,DeviceTrustType
Data Sources
AADSignInEventsBeta
Platforms
azure-ad, microsoft-defender
Tags
defender, hunting