Sep 09 2021 03:33 PM
Sep 09 2021 11:54 PM
@wvkranenburg This most likely means the 'AADReporting' application is configured to use certificate based authentication, and there's something wrong with a certificate used somewhere along the line. Assuming you know who/what is trying to sign in to the AADReporting app, I'd start with checking if the proper cert is installed.
Sep 10 2021 12:16 AM
@pvanberlothank you for taking the time to answer! As far as I am aware this AADReporting app is a first party Microsoft app, and though I can see for which users it is triggering these failed logons, in the Enterprise app properties I can not see any owners or users connected. Could it be some third party integration that uses this connection under the hood?
Is there any change of this being triggered with malicious intend?
Sep 10 2021 12:40 AM
@wvkranenburg I've not seen 'AADReporting' show up anywhere yet, but of course I don't know everything :)
I'd be wary, if it's a third party app or an app registration added into your tenant, and an admin is trying to sign in and you're not aware of it, for all we know it could be something malicious. It could very well be an app which uses this under the hood to report on Azure AD, it could also be integration with a SIEM solution that uses it or something like that.
If I were you, I'd check the (Graph) API permissions the app supposedly has, and take action depending on those. Imagine the app was granted the Users.ReadWrite.All permission, I'd be very suspicious if the app is named "AADReporting".
Sep 10 2021 12:47 AM
@pvanberloMe neither, thats why I am asking :D
Indeed I was wary of it, but the only way to find this app anywhere within the Azure AD was with the ApplicationID. By name you cannot find it, and it is only in the enterprise apps, not in app registrations. In the properties it shows:
It does not have any permissions visible.
Sep 10 2021 12:50 AM
Sep 10 2021 12:58 AM
Sep 10 2021 01:00 AM