Sep 09 2021
03:33 PM
- last edited on
Jan 14 2022
03:25 PM
by
TechCommunityAP
Sep 09 2021
03:33 PM
- last edited on
Jan 14 2022
03:25 PM
by
TechCommunityAP
Hi everyone,
recently we got some failed non-interactive logons for AADReporting for admin accounts
Anyone knows what could cause these errors?
Sep 09 2021 11:54 PM
@wvkranenburg This most likely means the 'AADReporting' application is configured to use certificate based authentication, and there's something wrong with a certificate used somewhere along the line. Assuming you know who/what is trying to sign in to the AADReporting app, I'd start with checking if the proper cert is installed.
Sep 10 2021 12:16 AM
@pvanberlothank you for taking the time to answer! As far as I am aware this AADReporting app is a first party Microsoft app, and though I can see for which users it is triggering these failed logons, in the Enterprise app properties I can not see any owners or users connected. Could it be some third party integration that uses this connection under the hood?
Is there any change of this being triggered with malicious intend?
Sep 10 2021 12:40 AM
@wvkranenburg I've not seen 'AADReporting' show up anywhere yet, but of course I don't know everything 🙂
I'd be wary, if it's a third party app or an app registration added into your tenant, and an admin is trying to sign in and you're not aware of it, for all we know it could be something malicious. It could very well be an app which uses this under the hood to report on Azure AD, it could also be integration with a SIEM solution that uses it or something like that.
If I were you, I'd check the (Graph) API permissions the app supposedly has, and take action depending on those. Imagine the app was granted the Users.ReadWrite.All permission, I'd be very suspicious if the app is named "AADReporting".
Sep 10 2021 12:47 AM
@pvanberloMe neither, thats why I am asking 😄
Indeed I was wary of it, but the only way to find this app anywhere within the Azure AD was with the ApplicationID. By name you cannot find it, and it is only in the enterprise apps, not in app registrations. In the properties it shows:
It does not have any permissions visible.
Sep 10 2021 12:50 AM
Sep 10 2021 12:58 AM
Sep 10 2021 01:00 AM