Forum Discussion

Tobias_Moe's avatar
Tobias_Moe
Copper Contributor
Sep 15, 2023
Solved

What exactly is the AppDisplayName "Microsoft Authentication Broker"

Hello,   When reviewing failed Sign In attempts through KQL (invalid username/password), I sometimes see the AppDisplayName to be "Microsoft Authentication Broker". I have tried looking for the ans...
investigation
KQL
siem
  • juliansperling's avatar
    juliansperling
    Sep 19, 2023

    As far as I know, the Authentication Broker is the Module integrated into Intune Company Portal / Microsoft Authenticator App to Enable Cross-Application SSO between Mobile Applications that use Entra ID Authentication on iOS and Android, I presume you are seeing mobile Apps attempting to use the Credentials Cached on the Device.

    It is also used to Register Devices in Intune.

    So to trigger it yourself you would have to use a Mobile App that has Entra ID SSO built in - Teams is a good example.

    You will Find the Application, that the User actually wanted to open, in the Non-Interactive Sign-ins through the Correlation ID (I will not give a KQL answer since I don't know what you are trying exactly, I am referring to the Entra ID Sign In Log GUI).

Tobias_Moe's avatar
Tobias_Moe
Copper Contributor
Sep 18, 2023
Thanks for the response! How can I understand SignInLogs related to this app then? A successful signin means that MFA was OK? While an unsuccessful refers to MFA failing? It perhaps is not so black and white.
How often should I be expecting this app to trigger? Based on your description, I would assume this app is triggered for every signin to verify/check MFA requirements?
elieelkarkafi's avatar
elieelkarkafi
MVP
Sep 18, 2023
this expected each time the user needs to satisfy the MFA requirements by claim in the token

Resources