// Risky sign-ins (medium/high risk, not yet dismissed or remediated) that a risk-based
// Conditional Access policy interrupted with an MFA redirect (ResultType 50074)
SigninLogs
| where RiskLevelDuringSignIn in ("high", "medium") and ResultType == 50074
| where RiskState !in ("dismissed", "remediated")
| where AuthenticationRequirementPolicies has "riskBasedPolicy"
| where Status has "Redirected to external provider for MFA"
| distinct UserPrincipalName=tolower(UserPrincipalName)
let data = SigninLogs
// '*' acts as a workbook-style wildcard: the filter is a no-op when no value is selected
| where AppDisplayName in ('*') or '*' in ('*')
| where UserDisplayName in ('*') or '*' in ('*')
| extend errorCode = Status.errorCode
// Map the AADSTS error code to a coarse sign-in outcome
| extend SigninStatus = case(
    errorCode == 0, "Success",
    errorCode == 50058, "Pending action (Interrupts)",
    errorCode == 50140, "Pending action (Interrupts)",
    errorCode == 51006, "Pending action (Interrupts)",
    errorCode == 50059, "Pending action (Interrupts)",
    errorCode == 65001, "Pending action (Interrupts)",
    errorCode == 52004, "Pending action (Interrupts)",
    errorCode == 50055, "Pending action (Interrupts)",
    errorCode == 50144, "Pending action (Interrupts)",
    errorCode == 50072, "Pending action (Interrupts)",
    errorCode == 50074, "Pending action (Interrupts)",
    errorCode == 16000, "Pending action (Interrupts)",
    errorCode == 16001, "Pending action (Interrupts)",
    errorCode == 16003, "Pending action (Interrupts)",
    errorCode == 50127, "Pending action (Interrupts)",
    errorCode == 50125, "Pending action (Interrupts)",
    errorCode == 50129, "Pending a
| eval policy_result_pairs=mvzip('properties.appliedConditionalAccessPolicies{}.displayName', 'properties.appliedConditionalAccessPolicies{}.result', ":")
| mvexpand policy_result_pairs
| rex field=policy_result_pairs "^(?<policy_name>[^:]+):(?<policy_result>.+)$"
| search (policy_name="policy1" OR policy_name="policy2") AND policy_result="failure"
- AADSTS16000: User account doesn't exist in tenant and can't access the application.
- AADSTS16003: User hasn't been explicitly added to the tenant.
- AADSTS50014: User account doesn't exist in the directory (Guest user in pending state).
- AADSTS50015: User requires legal age group consent.
- AADSTS50020: User account from identity provider does not exist in tenant and cannot access the application.
- AADSTS50034: User account not found; account must be added to the directory.
- AADSTS50053: Account is locked (too many incorrect sign-in attempts) or sign-in blocked from malicious IP.
index=your_index_name sourcetype="your_sourcetype" IsInteractive=true
| eval week=strftime(_time, "%U"), day=strftime(_time, "%Y-%m-%d")
| eval Result=if(ResultType="0", "Success", "Failure")
| eval weekLabel=case(relative_time(now(), "@w0") <= _time, "This Week", relative_time(now(), "-1w@w0") <= _time AND _time < relative_time(now(), "@w0"), "Last Week", "Other")
| search weekLabel="This Week" OR weekLabel="Last Week"
| stats count by day, weekLabel, Result
| eval Label=case(Result="Success" AND weekLabel="This Week", "Current Success",
    Result="Failure" AND weekLabel="This Week", "Current Failure",
    Result="Success" AND weekLabel="Last Week", "Success Trend (Last Week)",
    Result="Failure" AND weekLabel="Last Week", "Failure Trend (Last Week)")
# Read the list of GPO GUIDs from a CSV with an "ID" column (Import-Csv is the built-in cmdlet)
$gpoList = Import-Csv -Path "gpo-data.csv"
$gpoList | ForEach-Object {
    # Resolve each GUID to the live GPO object (requires the GroupPolicy module)
    $gpo = Get-GPO -Guid $_.ID
    # Write-Output "$($gpo.Id),$($gpo.DisplayName),$($gpo.Owner)"
    $gpo
}
https://nicolasuter.medium.com/why-you-should-use-entra-workload-identity-federation-dfe8b6b626a1
Which scenarios support “Workload identity Federation”?
- Workloads running on any Kubernetes cluster (Azure Kubernetes Service (AKS), Amazon Web Services EKS, Google Kubernetes Engine (GKE), or on-premises)
- GitHub Actions (CI / CD Pipelines) [2]
- GitLab (CI / CD Pipelines) [3]
- Workloads / VMs running in Google Cloud
- Workloads / VMs running in Amazon Web Services (AWS)
# Framework
# Reference Architecture
https://www.youtube.com/watch?v=1fjXNfIysbg&t=2612s