SOLVED

What exactly is the AppDisplayName "Microsoft Authentication Broker"

Copper Contributor

Hello,

 

When reviewing failed sign-in attempts through KQL (invalid username/password), I sometimes see the AppDisplayName set to "Microsoft Authentication Broker". I have tried looking for the answer online, and it does seem to be related to some kind of authentication broker service (which makes sense given the name), but I have yet to figure out what exactly it is.

I guessed that this was perhaps the authentication app for Microsoft, but I did some testing on my own device and was unable to trigger the logs for Microsoft Authentication Broker. 

 

Does anyone else have experience dealing with these? Might it be something going on in the background at MS?

5 Replies
The Microsoft Authentication Broker is the plugin that forces the user to register for MFA and meet the MFA requirements.
Thanks for the response! How can I understand SignInLogs related to this app then? Does a successful sign-in mean that MFA was OK, while an unsuccessful one refers to MFA failing? It perhaps is not so black and white.
How often should I be expecting this app to trigger? Based on your description, I would assume this app is triggered for every sign-in to verify/check MFA requirements?
This is expected each time the user needs to satisfy the MFA requirements by a claim in the token.
OK, thanks. How is this done from the user's perspective? I don't understand how username/password is being prompted from this app then. I understand it as something that is triggered in the background when MFA needs to be satisfied and is never "seen" by the user.
best response confirmed by Tobias_Moe (Copper Contributor)
Solution

As far as I know, the Authentication Broker is the module integrated into the Intune Company Portal / Microsoft Authenticator app to enable cross-application SSO between mobile applications that use Entra ID authentication on iOS and Android. I presume you are seeing mobile apps attempting to use the credentials cached on the device.

It is also used to register devices in Intune.

So to trigger it yourself you would have to use a mobile app that has Entra ID SSO built in; Teams is a good example.

You will find the application that the user actually wanted to open in the non-interactive sign-ins through the Correlation ID (I will not give a KQL answer since I don't know exactly what you are trying to do; I am referring to the Entra ID sign-in log GUI).
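The correlation the accepted answer describes, written as a KQL query. This is an added example and not part of the thread or of any Microsoft documentation; it assumes a Log Analytics workspace that receives the Entra ID `SigninLogs` and `AADNonInteractiveUserSignInLogs` tables, uses result code 50126 (invalid username or password, the failure the question mentions) as the filter, and takes the 7-day lookback as an arbitrary choice.

```kusto
// Added example, not from the original thread.
// Goal: for failed interactive sign-ins attributed to "Microsoft Authentication Broker",
// find the application the user actually opened by joining on CorrelationId into the
// non-interactive sign-in table, then summarize per user, device OS and hour.
// Assumptions: SigninLogs and AADNonInteractiveUserSignInLogs are ingested into this
// workspace; 50126 = invalid username or password; lookback of 7d is arbitrary.
let lookback = 7d;
let brokerFailures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AppDisplayName == "Microsoft Authentication Broker"
    | where ResultType == "50126"   // invalid username or password
    | project TimeGenerated, UserPrincipalName, IPAddress, CorrelationId,
              ResultType, ResultDescription, ClientAppUsed,
              DeviceOS = tostring(DeviceDetail.operatingSystem);
brokerFailures
// leftouter keeps broker failures that have no non-interactive counterpart,
// so nothing is silently dropped when the correlation does not exist
| join kind=leftouter (
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | project CorrelationId,
              RequestedApp = AppDisplayName,
              RequestedResource = ResourceDisplayName,
              NonInteractiveResult = ResultType
) on CorrelationId
| summarize Failures = count(),
            Apps = make_set(RequestedApp, 10),
            Resources = make_set(RequestedResource, 10),
            SourceIPs = make_set(IPAddress, 10)
          by UserPrincipalName, DeviceOS, bin(TimeGenerated, 1h)
| order by Failures desc
```

Rows whose `Apps` set is empty are broker failures with no matching non-interactive request in the window, which is worth checking separately rather than assuming the correlation always exists; a high `Failures` count for one user from many `SourceIPs` is the password-spray pattern the original question is implicitly hunting for, and is not explained by the broker's SSO role.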
