Using Azure Sentinel to enable Insights for Legacy/Modern Auth usage

Iron Contributor

One element that I have noticed in the last month is Insights under the Monitoring and have been using this to check how many sign-ins are coming in thru either Modern or Legacy Authentication - this appears to be powered by Azure Sentinel?

There is a Template for Legacy Auth, and it's pretty straight forward to clone this and search for Modern Auth usage, so from this it was interesting to see the breakdown of the protocols in use under the Legacy Auth - if I'm reading this right it's highlighting that IMAP & SMTP seem to be the protocols being abused the most via Password Spray attacks and these would be the two biggest targets for blocking Legacy Auth?

Has anyone else seen similar results?

5 Replies

@Valon_Kolica@Chris Boehm, @Ofer_Shezaf,

If possible I'm also trying to understand how/why the results don't quite add up in some circumstances?

When I highlighted the success/failure of IMAP or SMTP for say 30 mins this is OK, but at larger ranges this sometimes appears to be a bit skewed - What is it in the logs that actually determines the Legacy/Modern element & protocol?


At the moment the results of the Protocol + Success/Failure highlight individual instances.

It would be great to get this rolled up with specific Users highlighted instead and make it much easier to understand how to go about blocking/turning off Legacy on almost a per user basis & the potential impact to the business on this.


@David Caddick 


I'm personally not exactly aware where this is being populated for you, although to answer your question this is Azure Active Directory Audit logs:


The Service filter allows you to select from a dropdown of the following services:

  • All
  • Access Reviews
  • Account Provisioning
  • Application SSO
  • Authentication Methods
  • B2C
  • Conditional Access
  • Core Directory
  • Entitlement Management
  • Identity Protection
  • Invited Users
  • PIM
  • Self-service Group Management
  • Self-service Passord Management
  • Terms of Use


With that being said, you can ingest Azure Active Directory Audit logs into Azure Sentinel, then manipulate the data or even automate with playbooks to create a specific action. With playbooks you could even tie an event together(Office 365, Firewall Logs, AIP logs, Etc), if X application is used 100 times with 100 Legacy auth occurring,  then you're wanting to notify your auth team or security team to look into this. Even more so you could create a ServiceNow/Jira ticket to have tracking in a system you're possibly already using. On top  of that, you could just track it with an alert, if that alert gets more then X traffic in 24 hour period you're wanting another alert to kick off a playbook(like an SMS message or automation to block an port of that application while your team is investigating the issue while at the same time notifying the company that this application has been blocked and the X team is investigating an issue).  All automated with playbooks with no user interaction required.


You were asking about why the data was skewed, i'm wondering if this is purely on the way Azure AD is tracking or the application itself isn't even getting through which is showing no activity. Modern auth shows much better tracking, legacy will typically show nothing if it's blocked via a proxy or the communication just doesn't even get back for a failure. Reason being it's not even getting to the service in the first place. I would personally advise reaching out to the Azure AD team about auditing to get a deeper investigation on why your logging seems off.


Hope this helped :)



@David Caddick 


One more follow up, we're in the process of releasing UEBA - this might meet a lot of your needs. Stay turned as we have a lot coming out built into Azure Sentinel by GA.


User analytics

With native integration of machine learning (ML), and user analytics, Azure Sentinel can help detect threats quickly. Azure Sentinel seamlessly integrates with Azure Advanced Threat Protection to analyze user behavior and prioritize which users you should investigate first, based on their alerts, and suspicious activity patterns across Azure Sentinel and Microsoft 365.

User analytics

@Chris Boehm I was referring to this feature in AAD under Monitoring

This weekend I have taken the Kusto Query and used/messed with it in Sentinel and can now see that it appears to be simply tracking an "App" listed as "Other Clients: ****" and based on this determines that it's a Legacy Authentication.


What I'm almost surprised about is that there is no data point in the raw data of a failed or successful login that indicates if it is or isn't Legacy or Modern Auth in play? Given the focus that MS is rightly placing on deprecating Legacy Auth this seems like a missed opportunity to make it easier/simpler to get off Legacy ASAP?