Sep 15 2023 06:56 AM
Hello,
When reviewing failed Sign In attempts through KQL (invalid username/password), I sometimes see the AppDisplayName to be "Microsoft Authentication Broker". I have tried looking for the answer online, and it does seem to be related to some kind of authentication broker service (makes sense for the name). But I have yet to figure out what exactly it is.
I guessed that this was perhaps the authentication app for Microsoft, but I did some testing on my own device and was unable to trigger the logs for Microsoft Authentication Broker.
Does anyone else have any experience dealing with these? Might it be something going on in the background of MS?
Sep 15 2023 08:20 AM
Sep 17 2023 11:55 PM
Sep 18 2023 01:04 AM
Sep 19 2023 12:48 AM
Sep 19 2023 09:07 AM - edited Sep 19 2023 09:07 AM
Solution
As far as I know, the Authentication Broker is the module integrated into Intune Company Portal / Microsoft Authenticator app to enable cross-application SSO between mobile applications that use Entra ID authentication on iOS and Android. I presume you are seeing mobile apps attempting to use the credentials cached on the device.
It is also used to register devices in Intune.
So to trigger it yourself you would have to use a mobile app that has Entra ID SSO built in - Teams is a good example.
You will find the application that the user actually wanted to open in the non-interactive sign-ins through the Correlation ID (I will not give a KQL answer since I don't know what you are trying exactly, I am referring to the Entra ID Sign In Log GUI).
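The Correlation ID lookup described in the answer above can also be done in KQL. This is an added example, not part of the original reply; it assumes the Entra ID sign-in logs are exported to a Log Analytics / Sentinel workspace with the standard `SigninLogs` and `AADNonInteractiveUserSignInLogs` tables, a 7-day lookback, and ResultType 50126 (invalid username or password) as the failure of interest.

```kusto
// Added example: pivot from failed "Microsoft Authentication Broker" sign-ins
// to the apps seen under the same Correlation ID in the non-interactive log.
let lookback = 7d;                               // assumed window, adjust as needed
let broker = "Microsoft Authentication Broker";
let badPassword = "50126";                       // invalid username or password
// Failed broker sign-ins from both logs. Each leg is filtered and projected
// before the union so differently typed columns in the two tables never meet.
let brokerFailures =
    union
        (SigninLogs
         | where TimeGenerated > ago(lookback)
         | where AppDisplayName == broker and ResultType == badPassword
         | project BrokerTime = TimeGenerated, UserPrincipalName, CorrelationId,
                   IPAddress, ResultType, ResultDescription,
                   SignInType = "Interactive"),
        (AADNonInteractiveUserSignInLogs
         | where TimeGenerated > ago(lookback)
         | where AppDisplayName == broker and ResultType == badPassword
         | project BrokerTime = TimeGenerated, UserPrincipalName, CorrelationId,
                   IPAddress, ResultType, ResultDescription,
                   SignInType = "NonInteractive");
// Every other application that appears in the non-interactive log,
// collapsed to one row per Correlation ID.
let relatedApps =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where AppDisplayName != broker
    | summarize RequestedApps = make_set(AppDisplayName),
                RequestedResources = make_set(ResourceDisplayName)
        by CorrelationId;
// leftouter keeps broker failures that have no related entry, so an empty
// RequestedApps column marks attempts that still need a manual look.
brokerFailures
| join kind=leftouter relatedApps on CorrelationId
| project BrokerTime, UserPrincipalName, IPAddress, SignInType,
          ResultType, ResultDescription, RequestedApps, RequestedResources,
          CorrelationId
| order by BrokerTime desc
```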