Cyber Web Spider Blog – News

Decoding Microsoft 365 Audit Log Events Using Bitfield Mapping Technique

Posted on October 22, 2025 by CWS

When users authenticate to Microsoft cloud services, their actions generate authentication events recorded across multiple logging systems.

Microsoft Entra sign-in logs and Microsoft 365 audit logs capture the same authentication events but represent this important security data using different formats.

Security analysts investigating incidents frequently encounter the UserAuthenticationMethod field in Microsoft 365 sign-in events, which displays cryptic numeric values such as 16, 272, or 33554432 without official documentation from Microsoft explaining their meaning.

This undocumented field has posed challenges for security teams attempting to analyze authentication patterns, identify suspicious login activities, or assess phishing-resistant authentication adoption.

The lack of documentation meant incident responders working in environments where only Microsoft 365 audit logs were available struggled to understand what authentication methods users employed during sign-in events.

Through systematic correlation analysis between Microsoft Entra sign-in logs and Microsoft 365 audit logs, Sekoia analysts discovered that the UserAuthenticationMethod field operates as a bitfield where each bit position represents a distinct authentication method.

This breakthrough allows security professionals to decode these numeric values into human-readable authentication method descriptions.

The research team mapped each bit position to specific authentication methods by leveraging shared correlation identifiers between the logging systems.

Microsoft 365 audit logs contain an InterSystemsId field while Entra ID logs include a correlationId field, both referencing the same authentication events.

By matching events across sources, researchers correlated numeric UserAuthenticationMethod values with detailed authentication method descriptions found in Entra ID’s authenticationMethodDetail fields.

Decoding the Bitfield Mapping Technique

The bitfield structure allows multiple authentication methods to appear simultaneously in a single numeric value.

For instance, value 272 converts to binary as 100010000, activating bit 4 representing Password Hash Sync (decimal value 16) and bit 8 representing via Staged Rollout (decimal value 256), indicating “Password Hash Sync via Staged Rollout” as the authentication mechanism.

The mapping encompasses 28 documented bit positions, including Password in the cloud at bit 0 (decimal 1), Temporary Access Pass at bit 1, Seamless SSO at bit 2, Windows Hello for Business at bit 18 (decimal 262144), and Passkey at bit 25 (decimal 33554432).

However, several bits remain unmapped, including positions 5, 7, 9-17, 22, and 26.
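
The decoding described above, as an added example in Python (not code from Sekoia or from this article). The table holds only the bit positions this article names, so any other set bit is reported by position; the `has_phishing_resistant` flag rests on the assumption that Windows Hello for Business and Passkey are the phishing-resistant methods among them.

```python
# Added example: decoder for the Microsoft 365 UserAuthenticationMethod bitfield.
# Only bit positions named in the article are listed; the rest of the
# researchers' mapping is not reproduced here.
KNOWN_BITS = {
    0: "Password in the cloud",
    1: "Temporary Access Pass",
    2: "Seamless SSO",
    4: "Password Hash Sync",
    8: "via Staged Rollout",
    18: "Windows Hello for Business",
    25: "Passkey",
}
# Positions the article reports as still unmapped: 5, 7, 9-17, 22 and 26.
UNMAPPED_BITS = {5, 7, 22, 26} | set(range(9, 18))
# Assumption: Microsoft classes these two methods as phishing-resistant.
PHISHING_RESISTANT_BITS = {18, 25}


def decode_auth_method(value):
    """Split a UserAuthenticationMethod value into its set bit positions."""
    value = int(value)  # audit exports may carry the number as a string
    if value < 0:
        raise ValueError("UserAuthenticationMethod cannot be negative")
    out = {"methods": [], "unmapped": [], "not_listed": [],
           "has_phishing_resistant": False}
    for bit in range(value.bit_length()):
        if not (value >> bit) & 1:
            continue
        if bit in KNOWN_BITS:
            out["methods"].append(KNOWN_BITS[bit])
        elif bit in UNMAPPED_BITS:
            out["unmapped"].append(bit)  # unmapped per the research
        else:
            out["not_listed"].append(bit)  # name not given in this article
        if bit in PHISHING_RESISTANT_BITS:
            out["has_phishing_resistant"] = True
    return out


if __name__ == "__main__":
    # Constructed sample values: the three from the article plus edge cases.
    for sample in (16, 272, "33554432", 262144 | 1, 32, 8):
        print(sample, decode_auth_method(sample))
```

Bits that land in `unmapped` or `not_listed` are worth keeping in the output rather than dropping, since they mark sign-ins whose method cannot be confirmed from this table alone.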
