Forum Discussion

Tobias_Moe
Copper Contributor
Sep 15, 2023
Solved

What exactly is the AppDisplayName "Microsoft Authentication Broker"

Hello,


When reviewing failed sign-in attempts through KQL (invalid username/password), I sometimes see the AppDisplayName set to "Microsoft Authentication Broker". I have tried looking for the answer online, and it does seem to be related to some kind of authentication broker service (makes sense for the name). But I have yet to figure out what exactly it is.

I guessed that this was perhaps the authentication app for Microsoft, but I did some testing on my own device and was unable to trigger the logs for Microsoft Authentication Broker. 


Does anyone else have experience dealing with these? Might it be something going on in the background at MS?

  • As far as I know, the Authentication Broker is the module integrated into the Intune Company Portal / Microsoft Authenticator app to enable cross-application SSO between mobile applications that use Entra ID authentication on iOS and Android. I presume you are seeing mobile apps attempting to use the credentials cached on the device.

    It is also used to register devices in Intune.

    So to trigger it yourself you would have to use a mobile app that has Entra ID SSO built in - Teams is a good example.

    You will find the application that the user actually wanted to open in the non-interactive sign-ins through the Correlation ID (I will not give a KQL answer since I don't know what exactly you are trying to do; I am referring to the Entra ID sign-in log GUI).
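One way to do the Correlation ID lookup described above in KQL, as an added example that is not part of the thread and not the answerer's code. It assumes the Microsoft Sentinel / Log Analytics tables SigninLogs and AADNonInteractiveUserSignInLogs with their standard columns, and filters on result code 50126 (invalid username or password) to match the failures the question describes.

```kql
// Added example (not from the thread): tie failed "Microsoft Authentication Broker"
// interactive sign-ins to the non-interactive sign-in the broker was acting for,
// using the shared CorrelationId. Assumes Sentinel's SigninLogs and
// AADNonInteractiveUserSignInLogs tables.
let lookback = 7d;
// Step 1: interactive failures attributed to the broker.
// ResultType 50126 = invalid username or password (the case in the question);
// use "ResultType != '0'" instead to see every failure category.
let BrokerFailures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AppDisplayName == "Microsoft Authentication Broker"
    | where ResultType == "50126"
    | project TimeGenerated, UserPrincipalName, CorrelationId, ResultType,
              ResultDescription, IPAddress,
              DeviceOS = tostring(DeviceDetail.operatingSystem),
              AuthenticationRequirement;
// Step 2: the app the user actually tried to open, recorded as a
// non-interactive sign-in that carries the same CorrelationId.
let TargetApps = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | project CorrelationId,
              TargetApp = AppDisplayName,
              TargetResource = ResourceDisplayName,
              TargetResult = ResultType;
BrokerFailures
| join kind=leftouter TargetApps on CorrelationId
// Keep broker failures that have no non-interactive partner visible in the window
| extend TargetApp = iif(isempty(TargetApp), "(no matching non-interactive sign-in)", TargetApp)
// Summarise per user and target app so repeated credential failures stand out
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10),
            DeviceOS = make_set(DeviceOS, 5)
    by UserPrincipalName, TargetApp, TargetResource, ResultType
| order by Failures desc
```

Rows with many failures from the same user against one target app usually point at a stale cached credential on a device (password changed, app still retrying), whereas failures spread across many users or source IPs deserve a closer look.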

  • The Microsoft Authentication Broker is the plugin that forces the user to register MFA and meet the MFA requirements.
    • Tobias_Moe
      Copper Contributor
      Thanks for the response! How can I understand SignInLogs related to this app then? A successful sign-in means that MFA was OK, while an unsuccessful one refers to MFA failing? It is perhaps not so black and white.
      How often should I be expecting this app to trigger? Based on your description, I would assume this app is triggered for every sign-in to verify/check MFA requirements?
      • eliekarkafy
        MVP
        This is expected each time the user needs to satisfy the MFA requirements by a claim in the token.
