By correlating Microsoft 365 audit logs with Microsoft Entra sign-in logs, Sekoia.io decoded the opaque numeric UserAuthenticationMethod field in Microsoft 365 audit logs as a bitfield in which each bit maps to a specific primary-capable authentication method. The findings let investigators translate numeric values (e.g., 272, 33554704) into human-readable methods such as Password Hash Sync, Staged Rollout, and Passkey, and highlight unmapped bits for community validation.
Keypoints
- Sekoia.io discovered that the Microsoft 365 audit log field UserAuthenticationMethod is a bitfield where each bit denotes a distinct primary authentication method.
- Correlation between Microsoft 365 audit logs (InterSystemsId) and Microsoft Entra sign-in logs (correlationId) allowed mapping numeric values to authentication methods using fields like authenticationMethodDetail.
- Multiple bits can be set simultaneously, so values like 272 represent combined methods (e.g., Password Hash Sync + Staged Rollout).
- The bitfield appears to include only primary-capable authentication methods; secondary-only factors like Authenticator push are not represented.
- Some bits remain unmapped (bits 5, 7, 9-17, 22, 26), and the team invites community contributions and validation.
- Sekoia validated mappings through test sign-ins and provided an SOL query example to correlate events and identify authentication method mappings in investigations.
- Limitations include missing documentation from Microsoft and evolving authentication methods that may introduce new bit positions over time.
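The keypoints above describe two steps: splitting a UserAuthenticationMethod value into its set bits, and correlating each M365 audit record with its Entra sign-in record to see which authentication method accompanies which bit. The following is an added example, not Sekoia.io's own code or query, that does both on constructed records. Its assumptions are labelled: bit 25 = Passkey is derived from the two values on the page (33554704 - 272 == 2**25); the page only states that bits 4 and 8 together mean Password Hash Sync + Staged Rollout, so which of the two bits is which is an assumption; the record contents and the authenticationMethodDetail strings are constructed sample data.

```python
"""Added example (not Sekoia.io's code): decode the Microsoft 365 audit-log
UserAuthenticationMethod bitfield and correlate it with Entra sign-in logs.

Assumptions: bit 25 = Passkey is derived from 33554704 - 272 == 2**25.
Bits 4 and 8 are known to mean Password Hash Sync + Staged Rollout jointly;
the individual assignment below is an assumption. Sample records are constructed.
"""
from collections import defaultdict

KNOWN_BITS = {
    4: "Password Hash Sync",   # assumption: may be swapped with bit 8
    8: "Staged Rollout",       # assumption: may be swapped with bit 4
    25: "Passkey",             # derived: 33554704 - 272 == 2**25
}

# Bits the page lists as observed but not yet mapped to a method.
UNMAPPED_BITS = {5, 7, *range(9, 18), 22, 26}


def set_bits(value: int) -> list[int]:
    """Return the positions of all set bits, lowest first."""
    return [pos for pos in range(value.bit_length()) if (value >> pos) & 1]


def decode(value: int) -> dict:
    """Split a UserAuthenticationMethod value into mapped method names, bits the
    page lists as unmapped, and bits that appear nowhere on the page ('unknown')."""
    result = {"methods": [], "unmapped": [], "unknown": []}
    for pos in set_bits(value):
        if pos in KNOWN_BITS:
            result["methods"].append(KNOWN_BITS[pos])
        elif pos in UNMAPPED_BITS:
            result["unmapped"].append(pos)
        else:
            result["unknown"].append(pos)
    return result


def correlate(m365_events, entra_events):
    """Join M365 audit records (InterSystemsId) to Entra sign-in records
    (correlationId) and collect, per bit position, the authenticationMethodDetail
    strings seen alongside it. A bit that only ever co-occurs with one method
    (bit 25 in the sample below) is the evidence for proposing a mapping."""
    by_corr = {e["correlationId"]: e for e in entra_events}
    evidence = defaultdict(set)
    for rec in m365_events:
        # Only STS logon records (RecordType 15) carry the field of interest.
        if rec.get("RecordType") != 15:
            continue
        partner = by_corr.get(rec["InterSystemsId"])
        if partner is None:
            continue
        for pos in set_bits(rec["UserAuthenticationMethod"]):
            evidence[pos].add(partner["authenticationMethodDetail"])
    return {pos: sorted(methods) for pos, methods in evidence.items()}


# Constructed sample records (not real log data); the detail strings are
# placeholders, not Microsoft's exact wording.
M365_SAMPLE = [
    {"RecordType": 15, "RequestType": "Login:login",
     "InterSystemsId": "c1", "UserAuthenticationMethod": 272},
    {"RecordType": 15, "RequestType": "Login:login",
     "InterSystemsId": "c2", "UserAuthenticationMethod": 33554704},
    # Constructed non-STS record type; skipped by correlate().
    {"RecordType": 99, "InterSystemsId": "c3", "UserAuthenticationMethod": 272},
]
ENTRA_SAMPLE = [
    {"correlationId": "c1", "authenticationMethodDetail": "Password Hash Sync"},
    {"correlationId": "c2", "authenticationMethodDetail": "Passkey"},
    {"correlationId": "c3", "authenticationMethodDetail": "Password Hash Sync"},
]

if __name__ == "__main__":
    for v in (272, 33554704, 1 << 22):
        print(v, decode(v))
    print(correlate(M365_SAMPLE, ENTRA_SAMPLE))
```

Running the block prints the decoded methods for the two values from the page, flags bit 22 as one of the page's unmapped bits, and shows that in the correlated sample only bit 25 co-occurs exclusively with the Passkey sign-in, which is the kind of differential evidence used to assign a bit to a method.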
MITRE Techniques
- [T1110] Brute Force – Not directly mentioned or used; article focuses on decoding authentication method bitfield rather than describing credential access techniques. Quote: ‘…this bitfield appears to only include authentication methods that can serve as primary authentication.’
- [T1078] Valid Accounts – Authentication methods mapping helps identify use of valid account authentication flows by revealing primary methods used. Quote: ‘…identify authentication methods during incident investigations…’
- [T1556] Modify Authentication Process – Mapping staged rollout and authentication variants aids in detecting changes to authentication mechanisms. Quote: ‘…track staged rollout progress…’
Indicators of Compromise
- [Numeric Fields] UserAuthenticationMethod values in Microsoft 365 audit logs – examples: 272 (Password Hash Sync + Staged Rollout), 33554704 (Password Hash Sync + Staged Rollout + Passkey)
- [Correlation Identifiers] Correlation IDs used to link M365 and Entra logs – example fields: InterSystemsId (Microsoft 365), correlationId (Entra ID)
- [Log Record Types / RequestType] Event contexts for sign-in steps – examples: office365.record_type == 15 (AzureActiveDirectoryStsLogon), RequestType values like Login:login and SAS:ProcessAuth
Read more: https://blog.sekoia.io/userauthenticationmethod-microsoft-365-decode/