Managed Sentinel – Alert 056
Alert ID | MS-A056 |
Alert Name | Login attempts using Legacy Authentication (Azure) |
Description | This query over Azure AD sign-in activity highlights the use of legacy authentication protocols in the environment. Because Conditional Access policies are not evaluated when legacy authentication is used, it can be used to circumvent all Azure Conditional Access policies. Source: GitHub - Microsoft |
Severity Level | Low |
Threat Indicator | Improper Usage |
MITRE ATT&CK Tactics | Initial Access |
Log sources | AzureActivity |
False Positive | |
Recommendations | Investigate the failed logins using Sentinel and check whether the affected user accounts were used anywhere else in your network. Finally, reset the passwords of the impacted user accounts. |