Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

AADReporting failed non-interactive logins

Copper Contributor

Hi everyone,

 

recently we got some failed non-interactive logons for AADReporting for admin accounts

wvkranenburg_0-1631226700551.png

 

Anyone knows what could cause these errors?

8 Replies

@wvkranenburg This most likely means the 'AADReporting' application is configured to use certificate based authentication, and there's something wrong with a certificate used somewhere along the line. Assuming you know who/what is trying to sign in to the AADReporting app, I'd start with checking if the proper cert is installed.

@pvanberlothank you for taking the time to answer! As far as I am aware this AADReporting app is a first party Microsoft app, and though I can see for which users it is triggering these failed logons, in the Enterprise app properties I can not see any owners or users connected. Could it be some third party integration that uses this connection under the hood?

Is there any change of this being triggered with malicious intend?

@wvkranenburg I've not seen 'AADReporting' show up anywhere yet, but of course I don't know everything :)

 

I'd be wary, if it's a third party app or an app registration added into your tenant, and an admin is trying to sign in and you're not aware of it, for all we know it could be something malicious. It could very well be an app which uses this under the hood to report on Azure AD, it could also be integration with a SIEM solution that uses it or something like that. 

 

If I were you, I'd check the (Graph) API permissions the app supposedly has, and take action depending on those. Imagine the app was granted the Users.ReadWrite.All permission, I'd be very suspicious if the app is named "AADReporting". 

 

 

@pvanberloMe neither, thats why I am asking :D

 

Indeed I was wary of it, but the only way to find this app anywhere within the Azure AD was with the ApplicationID. By name you cannot find it, and it is only in the enterprise apps, not in app registrations. In the properties it shows:

wvkranenburg_0-1631259903143.png

It does not have any permissions visible.

 

 

AADReporting is the type of application API for Microsoft Graph in which detect the sign-in attempts for the developers which has experiencing authentication issues , The portal is having issues getting an authentication token. The experience rendered may be degraded. Additional information from the call to get a token: Extension: Microsoft_Azure_ActivityLog Resource: microsoft.graph Details: AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Thumbprint of key used by client]
OK - so just had another look, yes - it's listed for me too, and is under the 'Microsoft applications' category. So nothing to worry about from that perspective :)
Am I understanding you correctly that it is an internal MS portal has issues getting a token, or should I look for a third party graph API app having troubles?
Thanks for checking!