LoFP

Legitimate automation, SDKs, or custom applications that obtain tokens through the Microsoft Authentication Broker against Graph, Azure AD, or the device registration service may use non-browser user agents. Baseline approved service principals, managed identities, and developer tooling before tuning exclusions for known automation patterns.

Techniques

Sample rules

Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent

Description

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a user agent that is not consistent with common browser, mobile, or Windows platform authentication clients. Adversary-in-the-middle and OAuth phishing tooling often presents scripted or relayed user agents (for example Node.js, Python, or generic HTTP libraries) while still targeting first-party resources through the broker.

Detection logic

data_stream.dataset:"azure.signinlogs" and event.action:"Sign-in activity" and event.outcome:(success or Success) and 
(azure.signinlogs.properties.app_display_name:"Microsoft Authentication Broker" or azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e") and
user_agent.original:(* and not (Mozilla* or Dalvik* or *CFNetwork* or Windows-AzureAD-Authentication-Provider* or Java*ThinkPad*)) and
azure.signinlogs.properties.resource_display_name:*
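The following is an added example, not part of the original rule or its author's code: a Python reimplementation of the KQL predicate above, run over constructed sample sign-in events, with the baselining step the LoFP entry recommends applied as an allowlist of approved automation identities. It assumes flattened ECS-style field names (dotted keys) and uses `user.name` as the principal field; both the event dicts and the allowlist are constructed for illustration and should be mapped to your own index fields.

```python
"""Re-implements the 'Microsoft Authentication Broker with non-standard user agent'
rule in plain Python and triages hits against a baselined allowlist."""
import fnmatch

BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # app_id from the rule
BROKER_APP_NAME = "Microsoft Authentication Broker"       # app_display_name from the rule

# The rule's expected user-agent wildcards, translated one-to-one from KQL to fnmatch.
EXPECTED_UA_PATTERNS = (
    "Mozilla*",
    "Dalvik*",
    "*CFNetwork*",
    "Windows-AzureAD-Authentication-Provider*",
    "Java*ThinkPad*",
)


def is_expected_user_agent(ua: str) -> bool:
    """True when the user agent matches one of the rule's excluded platform patterns."""
    return any(fnmatch.fnmatchcase(ua, pattern) for pattern in EXPECTED_UA_PATTERNS)


def matches_rule(event: dict) -> bool:
    """Mirror the KQL predicate clause by clause on a flattened ECS-style event dict."""
    if event.get("data_stream.dataset") != "azure.signinlogs":
        return False
    if event.get("event.action") != "Sign-in activity":
        return False
    if event.get("event.outcome") not in ("success", "Success"):
        return False
    broker = (
        event.get("azure.signinlogs.properties.app_display_name") == BROKER_APP_NAME
        or event.get("azure.signinlogs.properties.app_id") == BROKER_APP_ID
    )
    if not broker:
        return False
    ua = event.get("user_agent.original")
    if not ua:  # user_agent.original:* requires the field to be present
        return False
    if is_expected_user_agent(ua):
        return False
    # resource_display_name:* requires the field to be present
    return bool(event.get("azure.signinlogs.properties.resource_display_name"))


def triage(events, baselined_principals):
    """Return one record per rule hit; hits from baselined automation identities are
    tagged 'suppressed' rather than dropped, so the baseline itself stays auditable."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        principal = ev.get("user.name", "")  # field name assumed; adjust to your mapping
        alerts.append({
            "principal": principal,
            "user_agent": ev["user_agent.original"],
            "resource": ev["azure.signinlogs.properties.resource_display_name"],
            "status": "suppressed" if principal in baselined_principals else "alert",
        })
    return alerts


def _event(ua, outcome="success", principal="alice@example.com",
           app_id=BROKER_APP_ID, resource="Microsoft Graph"):
    """Build a constructed sample sign-in event containing the fields the rule reads."""
    return {
        "data_stream.dataset": "azure.signinlogs",
        "event.action": "Sign-in activity",
        "event.outcome": outcome,
        "azure.signinlogs.properties.app_id": app_id,
        "azure.signinlogs.properties.app_display_name":
            BROKER_APP_NAME if app_id == BROKER_APP_ID else "Other App",
        "azure.signinlogs.properties.resource_display_name": resource,
        "user_agent.original": ua,
        "user.name": principal,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _event("Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."),                 # browser: expected
    _event("Dalvik/2.1.0 (Linux; U; Android 13)"),                            # Android: expected
    _event("node-fetch/1.0"),                                                  # scripted UA: hit
    _event("python-requests/2.31", principal="svc-graph-sync@example.com"),   # hit, but baselined
    _event("python-requests/2.31", outcome="failure"),                         # failed sign-in: ignored
    _event("curl/8.4.0", app_id="00000000-0000-0000-0000-000000000000"),      # not the broker: ignored
]

BASELINED = {"svc-graph-sync@example.com"}  # constructed allowlist from the baselining step


def run_sample():
    """Run the rule over the constructed events; yields one alert and one suppressed hit."""
    return triage(SAMPLE_EVENTS, BASELINED)


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

Keeping suppressed hits in the output, rather than adding the baselined identities to the query's exclusion list, lets you review what the baseline is absorbing; if an approved service principal suddenly presents a new user agent or targets a new resource, that change still shows up in the suppressed records.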