Azure AD emergency access account (also known as ‘break glass’ account) monitoring is not a new thing, and there is a lot of guidance on the web about how to manage and monitor the account(s). I have written earlier about how to implement the monitoring with the Azure Sentinel or Azure Monitor alert feature; you can find it here – Monitor Azure AD Break-Glass Account(s) Activity – Sam’s Corner (samilamppu.com).

Microsoft guidance – how to manage emergency access accounts – Manage emergency access admin accounts – Azure AD | Microsoft Docs

Background

I have a client who doesn’t have Azure Sentinel in place and rarely uses Azure services. But in this specific environment, Microsoft Cloud App Security (MCAS) is in the game, and it can be used to monitor the activities of the Azure AD emergency accounts.

Cloud App Security Activity Policies

MCAS has several policy categories for different purposes. The Activity policy description from docs.microsoft.com:

An Activity policy is an API-based policy that enables you to monitor your organization’s activities in the cloud. The policy takes into account over 20 file metadata filters including device type and location. Based on the policy results, notifications can be generated and users can be suspended from the cloud app. 

This means that emergency account logins can be retrieved from the sources that are connected to MCAS. In this specific case, Azure AD and Azure are integrated as applications into the MCAS instance.

Failed Login Policy

With MCAS, the same logic can be followed as in what I wrote last year, and I have created two rules in MCAS:

  • Emergency Account Successful login
  • Emergency Account Failed login

Why two different rules? Because a successful login is much more crucial than a failed one. When creating the failed-login policy, pay attention that MCAS has 251 failed logon activity types; select them all.

Parameters to configure:

  • User: select your emergency account
  • Activity type: ‘Failed log on’ – select all 251 activity types to cover all integrations

If you want to use the Activity Log search functionality, you can find the URI for the query on GitHub.

<insert link here>

Successful Login Policy

The successful login policy follows the same principle as the failed one; the only difference is the ‘Activity type’, which is set to ‘Log on’ instead of ‘Failed log on’.

The Alerts

If everything works as expected, you should in the end receive alerts when one of the actions (successful or failed login) is detected.

URIs for Success & Failed Logins

Here are the URIs that can be used in the browser; just change ‘fetanet.portal.cloudappsecurity.com’ to match your own domain name and MCAS URL. With the query you can filter all the activity types and continue by adding more filters as you need.

Failed login

https://fetanet.portal.cloudappsecurity.com/#/audits/?activity.eventType=eq(EVENT_CATEGORY_FAILED_LOGIN,20940:EVENT_ACTIVITY_FAILED_LOGIN:FailedLogon,20940:EVENT_ACTIVITY_FAILED_LOGIN:AdfsFailedLogon,20940:EVENT_ACTIVITY_FAILED_LOGIN:CertificateFailedLogon,11161:EVENT_AAD_LOGIN_FAILED::kerberos,11161:EVENT_AAD_LOGIN_FAILED:AdminConsentController:adminconsent,11161:EVENT_AAD_LOGIN_FAILED:CertAuth:certauth,11161:EVENT_AAD_LOGIN_FAILED:Consent:Deny,11161:EVENT_AAD_LOGIN_FAILED:Consent:Grant,11161:EVENT_AAD_LOGIN_FAILED:Consent:Set,11161:EVENT_AAD_LOGIN_FAILED:DebugMode:Set,11161:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth,11161:EVENT_AAD_LOGIN_FAILED:DeviceAuth:ReprocessTls,11161:EVENT_AAD_LOGIN_FAILED:Federation:oauth2,11161:EVENT_AAD_LOGIN_FAILED:Federation:oauth2claimsprovider,11161:EVENT_AAD_LOGIN_FAILED:Federation:oauth2ief,11161:EVENT_AAD_LOGIN_FAILED:Federation:oauth2msa,11161:EVENT_AAD_LOGIN_FAILED:KeyDataService:GetKeyData,11161:EVENT_AAD_LOGIN_FAILED:Login,11161:EVENT_AAD_LOGIN_FAILED:Login:login,11161:EVENT_AAD_LOGIN_FAILED:Login:reprocess,11161:EVENT_AAD_LOGIN_FAILED:Login:resume,11161:EVENT_AAD_LOGIN_FAILED:MessagePrompt:MessagePrompt,11161:EVENT_AAD_LOGIN_FAILED:OAuth2:ApproveSession,11161:EVENT_AAD_LOGIN_FAILED:OAuth2:Authorize,11161:EVENT_AAD_LOGIN_FAILED:OAuth2:DeviceAuth,11161:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,11161:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:federation,11161:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:postsrfactionhandler,11161:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:extsts,11161:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:process,11161:EVENT_AAD_LOGIN_FAILED:PIA:PIAProcessAuth,11161:EVENT_AAD_LOGIN_FAILED:PoPBinding:PoPBind,11161:EVENT_AAD_LOGIN_FAILED:SAS:BeginAuth,11161:EVENT_AAD_LOGIN_FAILED:SAS:EndAuth,11161:EVENT_AAD_LOGIN_FAILED:SAS:ProcessAuth,11161:EVENT_AAD_LOGIN_FAILED:SSPR:end,11161:EVENT_AAD_LOGIN_FAILED:Saml2:processrequest,11161:EVENT_AAD_LOGIN_FAILED:SidToName:SidToName,11161:EVENT_AAD_LOGIN_FAILED:UserInfo:Index,11161:EVENT_AAD_LOGIN_FAILED:WebApp:BulkAADJTokenPoll,11161:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:edgeCrossTrust,11161:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:usernamemixed,11161:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:windowstransport,11161:EVENT_AAD_LOGIN_FAILED:WsFederation:wsfederation,11161:EVENT_AAD_LOGIN_FAILED:bind:Bind,11161:EVENT_AAD_LOGIN_FAILED:bind:BindComplete,11161:EVENT_AAD_LOGIN_FAILED:cmsi:Cmsi,11161:EVENT_AAD_LOGIN_FAILED:extservice:cpim,11161:EVENT_AAD_LOGIN_FAILED:kmsi:kmsi,11161:EVENT_AAD_LOGIN_FAILED:selfservicesignupconsent:guestconsentset,11161:EVENT_O365_GENERIC_ORGID_USER_FAIL_LOGIN:ForeignRealmIndexLogonCookieCopyUsingDAToken,11161:EVENT_O365_GENERIC_ORGID_USER_FAIL_LOGIN:ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken,11161:EVENT_O365_GENERIC_ORGID_USER_FAIL_LOGIN:PasswordLogonCookieCopyUsingDAToken,11161:EVENT_O365_GENERIC_ORGID_USER_FAIL_LOGIN:PasswordLogonInitialAuthUsingADFSFederatedToken,11161:EVENT_O365_GENERIC_ORGID_USER_FAIL_LOGIN:PasswordLogonSilentReAuthUsingDAToken,11161:EVENT_O365_USER_FAIL_PASS_LOGIN:PasswordLogonInitialAuthUsingPassword,11522:EVENT_AAD_LOGIN_FAILED:Consent:Deny,11522:EVENT_AAD_LOGIN_FAILED:Consent:Grant,11522:EVENT_AAD_LOGIN_FAILED:Consent:Set,11522:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth,11522:EVENT_AAD_LOGIN_FAILED:DeviceAuth:ReprocessTls,11522:EVENT_AAD_LOGIN_FAILED:Federation:oauth2,11522:EVENT_AAD_LOGIN_FAILED:Federation:oauth2claimsprovider,11522:EVENT_AAD_LOGIN_FAILED:Login,11522:EVENT_AAD_LOGIN_FAILED:Login:login,11522:EVENT_AAD_LOGIN_FAILED:Login:reprocess,11522:EVENT_AAD_LOGIN_FAILED:Login:resume,11522:EVENT_AAD_LOGIN_FAILED:MessagePrompt:MessagePrompt,11522:EVENT_AAD_LOGIN_FAILED:OAuth2:ApproveSession,11522:EVENT_AAD_LOGIN_FAILED:OAuth2:Authorize,11522:EVENT_AAD_LOGIN_FAILED:OAuth2:DeviceAuth,11522:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,11522:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:federation,11522:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:postsrfactionhandler,11522:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:process,11522:EVENT_AAD_LOGIN_FAILED:SAS:BeginAuth,11522:EVENT_AAD_LOGIN_FAILED:SAS:EndAuth,11522:EVENT_AAD_LOGIN_FAILED:SAS:ProcessAuth,11522:EVENT_AAD_LOGIN_FAILED:SSPR:end,11522:EVENT_AAD_LOGIN_FAILED:Saml2:processrequest,11522:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:edgeCrossTrust,11522:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:usernamemixed,11522:EVENT_AAD_LOGIN_FAILED:WsFederation:wsfederation,11522:EVENT_AAD_LOGIN_FAILED:bind:Bind,11522:EVENT_AAD_LOGIN_FAILED:bind:BindComplete,11522:EVENT_AAD_LOGIN_FAILED:kmsi:kmsi,11599:EVENT_AWS_LOGIN_FAILED:ConsoleLogin,11627:EVENT_DROPBOX_LOGIN_FAILED:login_fail,12260:EVENT_AAD_LOGIN_FAILED:CertAuth:certauth,12260:EVENT_AAD_LOGIN_FAILED:Consent:Deny,12260:EVENT_AAD_LOGIN_FAILED:Consent:Grant,12260:EVENT_AAD_LOGIN_FAILED:Consent:Set,12260:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth,12260:EVENT_AAD_LOGIN_FAILED:DeviceAuth:ReprocessTls,12260:EVENT_AAD_LOGIN_FAILED:Federation:oauth2,12260:EVENT_AAD_LOGIN_FAILED:Federation:oauth2claimsprovider,12260:EVENT_AAD_LOGIN_FAILED:Federation:oauth2msa,12260:EVENT_AAD_LOGIN_FAILED:Login:login,12260:EVENT_AAD_LOGIN_FAILED:Login:reprocess,12260:EVENT_AAD_LOGIN_FAILED:Login:resume,12260:EVENT_AAD_LOGIN_FAILED:MessagePrompt:MessagePrompt,12260:EVENT_AAD_LOGIN_FAILED:OAuth2:ApproveSession,12260:EVENT_AAD_LOGIN_FAILED:OAuth2:Authorize,12260:EVENT_AAD_LOGIN_FAILED:OAuth2:DeviceAuth,12260:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,12260:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:federation,12260:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:process,12260:EVENT_AAD_LOGIN_FAILED:PoPBinding:PoPBind,12260:EVENT_AAD_LOGIN_FAILED:SAS:BeginAuth,12260:EVENT_AAD_LOGIN_FAILED:SAS:EndAuth,12260:EVENT_AAD_LOGIN_FAILED:SAS:ProcessAuth,12260:EVENT_AAD_LOGIN_FAILED:SSPR:end,12260:EVENT_AAD_LOGIN_FAILED:Saml2:processrequest,12260:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:edgeCrossTrust,12260:EVENT_AAD_LOGIN_FAILED:WsFederation:wsfederation,12260:EVENT_AAD_LOGIN_FAILED:bind:Bind,12260:EVENT_AAD_LOGIN_FAILED:bind:BindComplete,12260:EVENT_AAD_LOGIN_FAILED:kmsi:kmsi,20595:EVENT_AAD_LOGIN_FAILED:Consent:Deny,20595:EVENT_AAD_LOGIN_FAILED:Consent:Grant,20595:EVENT_AAD_LOGIN_FAILED:Consent:Set,20595:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth,20595:EVENT_AAD_LOGIN_FAILED:DeviceAuth:ReprocessTls,20595:EVENT_AAD_LOGIN_FAILED:Federation:oauth2,20595:EVENT_AAD_LOGIN_FAILED:Federation:oauth2claimsprovider,20595:EVENT_AAD_LOGIN_FAILED:Login:login,20595:EVENT_AAD_LOGIN_FAILED:Login:reprocess,20595:EVENT_AAD_LOGIN_FAILED:Login:resume,20595:EVENT_AAD_LOGIN_FAILED:MessagePrompt:MessagePrompt,20595:EVENT_AAD_LOGIN_FAILED:OAuth2:ApproveSession,20595:EVENT_AAD_LOGIN_FAILED:OAuth2:Authorize,20595:EVENT_AAD_LOGIN_FAILED:OAuth2:DeviceAuth,20595:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,20595:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:federation,20595:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:process,20595:EVENT_AAD_LOGIN_FAILED:SAS:BeginAuth,20595:EVENT_AAD_LOGIN_FAILED:SAS:EndAuth,20595:EVENT_AAD_LOGIN_FAILED:SAS:ProcessAuth,20595:EVENT_AAD_LOGIN_FAILED:SSPR:end,20595:EVENT_AAD_LOGIN_FAILED:Saml2:processrequest,20595:EVENT_AAD_LOGIN_FAILED:WsFederation:wsfederation,20595:EVENT_AAD_LOGIN_FAILED:bind:Bind,20595:EVENT_AAD_LOGIN_FAILED:bind:BindComplete,20595:EVENT_AAD_LOGIN_FAILED:kmsi:kmsi,20595:EVENT_ADALLOM_LOGIN_FAILURE:login%20failure,20892:EVENT_AAD_LOGIN_FAILED:AdminConsentController:adminconsent,20892:EVENT_AAD_LOGIN_FAILED:CertAuth:certauth,20892:EVENT_AAD_LOGIN_FAILED:Consent:Deny,20892:EVENT_AAD_LOGIN_FAILED:Consent:Grant,20892:EVENT_AAD_LOGIN_FAILED:Consent:Set,20892:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth,20892:EVENT_AAD_LOGIN_FAILED:DeviceAuth:ReprocessTls,20892:EVENT_AAD_LOGIN_FAILED:Federation:oauth2,20892:EVENT_AAD_LOGIN_FAILED:Federation:oauth2claimsprovider,20892:EVENT_AAD_LOGIN_FAILED:Federation:oauth2ief,20892:EVENT_AAD_LOGIN_FAILED:Federation:oauth2msa,20892:EVENT_AAD_LOGIN_FAILED:Login,20892:EVENT_AAD_LOGIN_FAILED:Login:login,20892:EVENT_AAD_LOGIN_FAILED:Login:reprocess,20892:EVENT_AAD_LOGIN_FAILED:Login:resume,20892:EVENT_AAD_LOGIN_FAILED:MessagePrompt:MessagePrompt,20892:EVENT_AAD_LOGIN_FAILED:OAuth2:ApproveSession,20892:EVENT_AAD_LOGIN_FAILED:OAuth2:Authorize,20892:EVENT_AAD_LOGIN_FAILED:OAuth2:DeviceAuth,20892:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,20892:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:federation,20892:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:postsrfactionhandler,20892:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:extsts,20892:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:process,20892:EVENT_AAD_LOGIN_FAILED:PoPBinding:PoPBind,20892:EVENT_AAD_LOGIN_FAILED:SAS:BeginAuth,20892:EVENT_AAD_LOGIN_FAILED:SAS:EndAuth,20892:EVENT_AAD_LOGIN_FAILED:SAS:ProcessAuth,20892:EVENT_AAD_LOGIN_FAILED:SSPR:end,20892:EVENT_AAD_LOGIN_FAILED:Saml2:processrequest,20892:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:edgeCrossTrust,20892:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:usernamemixed,20892:EVENT_AAD_LOGIN_FAILED:WsFederation:wsfederation,20892:EVENT_AAD_LOGIN_FAILED:bind:Bind,20892:EVENT_AAD_LOGIN_FAILED:bind:BindComplete,20892:EVENT_AAD_LOGIN_FAILED:kmsi:kmsi,20893:EVENT_AAD_LOGIN_FAILED:AdminConsentController:adminconsent,20893:EVENT_AAD_LOGIN_FAILED:Consent:Deny,20893:EVENT_AAD_LOGIN_FAILED:Consent:Grant,20893:EVENT_AAD_LOGIN_FAILED:Consent:Set,20893:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth,20893:EVENT_AAD_LOGIN_FAILED:DeviceAuth:ReprocessTls,20893:EVENT_AAD_LOGIN_FAILED:Federation:oauth2,20893:EVENT_AAD_LOGIN_FAILED:Federation:oauth2claimsprovider,20893:EVENT_AAD_LOGIN_FAILED:KeyDataService:GetKeyData,20893:EVENT_AAD_LOGIN_FAILED:Login,20893:EVENT_AAD_LOGIN_FAILED:Login:login,20893:EVENT_AAD_LOGIN_FAILED:Login:reprocess,20893:EVENT_AAD_LOGIN_FAILED:Login:resume,20893:EVENT_AAD_LOGIN_FAILED:MessagePrompt:MessagePrompt,20893:EVENT_AAD_LOGIN_FAILED:OAuth2:ApproveSession,20893:EVENT_AAD_LOGIN_FAILED:OAuth2:Authorize,20893:EVENT_AAD_LOGIN_FAILED:OAuth2:DeviceAuth,20893:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,20893:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:federation,20893:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:postsrfactionhandler,20893:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:extsts,20893:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:process,20893:EVENT_AAD_LOGIN_FAILED:PoPBinding:PoPBind,20893:EVENT_AAD_LOGIN_FAILED:SAS:BeginAuth,20893:EVENT_AAD_LOGIN_FAILED:SAS:EndAuth,20893:EVENT_AAD_LOGIN_FAILED:SAS:ProcessAuth,20893:EVENT_AAD_LOGIN_FAILED:SSPR:end,20893:EVENT_AAD_LOGIN_FAILED:Saml2:processrequest,20893:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:edgeCrossTrust,20893:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:usernamemixed,20893:EVENT_AAD_LOGIN_FAILED:WsFederation:wsfederation,20893:EVENT_AAD_LOGIN_FAILED:bind:Bind,20893:EVENT_AAD_LOGIN_FAILED:bind:BindComplete,20893:EVENT_AAD_LOGIN_FAILED:kmsi:kmsi,20940:EVENT_ACTIVITY_FAILED_LOGIN:LdapCleartext,26324:EVENT_AAD_LOGIN_FAILED:Consent:Deny,26324:EVENT_AAD_LOGIN_FAILED:Consent:Grant,26324:EVENT_AAD_LOGIN_FAILED:Consent:Set,26324:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth,26324:EVENT_AAD_LOGIN_FAILED:DeviceAuth:ReprocessTls,26324:EVENT_AAD_LOGIN_FAILED:Federation:oauth2,26324:EVENT_AAD_LOGIN_FAILED:Federation:oauth2claimsprovider,26324:EVENT_AAD_LOGIN_FAILED:Federation:oauth2ief,26324:EVENT_AAD_LOGIN_FAILED:Federation:oauth2msa,26324:EVENT_AAD_LOGIN_FAILED:Login:login,26324:EVENT_AAD_LOGIN_FAILED:Login:reprocess,26324:EVENT_AAD_LOGIN_FAILED:Login:resume,26324:EVENT_AAD_LOGIN_FAILED:MessagePrompt:MessagePrompt,26324:EVENT_AAD_LOGIN_FAILED:OAuth2:ApproveSession,26324:EVENT_AAD_LOGIN_FAILED:OAuth2:Authorize,26324:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,26324:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:federation,26324:EVENT_AAD_LOGIN_FAILED:OrgIdWsFederation:postsrfactionhandler,26324:EVENT_AAD_LOGIN_FAILED:OrgIdWsTrust2:process,26324:EVENT_AAD_LOGIN_FAILED:SAS:BeginAuth,26324:EVENT_AAD_LOGIN_FAILED:SAS:EndAuth,26324:EVENT_AAD_LOGIN_FAILED:SAS:ProcessAuth,26324:EVENT_AAD_LOGIN_FAILED:SSPR:end,26324:EVENT_AAD_LOGIN_FAILED:Saml2:processrequest,26324:EVENT_AAD_LOGIN_FAILED:WindowsAuthenticationController:edgeCrossTrust,26324:EVENT_AAD_LOGIN_FAILED:WsFederation:wsfederation,26324:EVENT_AAD_LOGIN_FAILED:bind:Bind,26324:EVENT_AAD_LOGIN_FAILED:bind:BindComplete,26324:EVENT_AAD_LOGIN_FAILED:kmsi:kmsi,28375:EVENT_AAD_LOGIN_FAILED:AdminConsentController:adminconsent,28375:EVENT_AAD_LOGIN_FAILED:Consent:Deny,28375:EVENT_AAD_LOGIN_FAILED:Consent:Grant,28375:EVENT_AAD_LOGIN_FAILED:Consent:Set,28375:EVENT_AAD_LOGIN_FAILED:DeviceAuth:PKeyAuth)&entity=eq(o:(role:i:1,adv:b:false),o:(id:341b8aeb-da54-42e4-8327-e58bc015d0b7,saas:i:11161,inst:i:0))

Successful login

https://fetanet.portal.cloudappsecurity.com/#/audits/?activity.eventType=eq(EVENT_CATEGORY_LOGIN,20940:EVENT_ACTIVITY_LOGIN:AdfsLogon,11161:EVENT_AAD_LOGIN::kerberos,11161:EVENT_AAD_LOGIN:AdminConsentController:adminconsent,11161:EVENT_AAD_LOGIN:CertAuth:certauth,11161:EVENT_AAD_LOGIN:Consent:Grant,11161:EVENT_AAD_LOGIN:Consent:Set,11161:EVENT_AAD_LOGIN:DebugMode:Enable,11161:EVENT_AAD_LOGIN:DebugMode:Set,11161:EVENT_AAD_LOGIN:DeviceAuth:PKeyAuth,11161:EVENT_AAD_LOGIN:DeviceAuth:ReprocessTls,11161:EVENT_AAD_LOGIN:Federation:oauth2,11161:EVENT_AAD_LOGIN:Federation:oauth2claimsprovider,11161:EVENT_AAD_LOGIN:Federation:oauth2ief,11161:EVENT_AAD_LOGIN:Federation:oauth2msa,11161:EVENT_AAD_LOGIN:KeyDataService:GetKeyData,11161:EVENT_AAD_LOGIN:Login,11161:EVENT_AAD_LOGIN:Login:login,11161:EVENT_AAD_LOGIN:Login:reprocess,11161:EVENT_AAD_LOGIN:Login:resume,11161:EVENT_AAD_LOGIN:MessagePrompt:MessagePrompt,11161:EVENT_AAD_LOGIN:OAuth2:ApproveSession,11161:EVENT_AAD_LOGIN:OAuth2:Authorize,11161:EVENT_AAD_LOGIN:OAuth2:DeviceAuth,11161:EVENT_AAD_LOGIN:OAuth2:Token,11161:EVENT_AAD_LOGIN:OrgIdWsFederation:federation,11161:EVENT_AAD_LOGIN:OrgIdWsFederation:postsrfactionhandler,11161:EVENT_AAD_LOGIN:OrgIdWsTrust2:extsts,11161:EVENT_AAD_LOGIN:OrgIdWsTrust2:process,11161:EVENT_AAD_LOGIN:PIA:PIAProcessAuth,11161:EVENT_AAD_LOGIN:PoPBinding:PoPBind,11161:EVENT_AAD_LOGIN:SAS:BeginAuth,11161:EVENT_AAD_LOGIN:SAS:EndAuth,11161:EVENT_AAD_LOGIN:SAS:ProcessAuth,11161:EVENT_AAD_LOGIN:SSPR:end,11161:EVENT_AAD_LOGIN:Saml2:processrequest,11161:EVENT_AAD_LOGIN:SidToName:SidToName,11161:EVENT_AAD_LOGIN:TokenBinding:TokenBindingReprocess,11161:EVENT_AAD_LOGIN:UserInfo:Index,11161:EVENT_AAD_LOGIN:WebApp:BulkAADJTokenPoll,11161:EVENT_AAD_LOGIN:WindowsAuthenticationController:sso,11161:EVENT_AAD_LOGIN:WindowsAuthenticationController:usernamemixed,11161:EVENT_AAD_LOGIN:WindowsAuthenticationController:windowstransport,11161:EVENT_AAD_LOGIN:WsFederation:wsfederation,11161:EVENT_AAD_LOGIN:bind:Bind,11161:EVENT_AAD_LOGIN:bind:BindComplete,11161:EVENT_AAD_LOGIN:cmsi:Cmsi,11161:EVENT_AAD_LOGIN:extservice:cpim,11161:EVENT_AAD_LOGIN:kmsi:kmsi,11161:EVENT_AAD_LOGIN:selfservicesignupconsent:guestconsentset,11161:EVENT_LOGIN_DETECTED:LOGIN,11161:EVENT_LOGIN_DETECTED:SSO%20Logon,11161:EVENT_O365_GENERIC_ORGID_USER_LOGIN:ForeignRealmIndexLogonCookieCopyUsingDAToken,11161:EVENT_O365_GENERIC_ORGID_USER_LOGIN:ForeignRealmIndexLogonCookieCopyUsingSha1RememberMyPassword,11161:EVENT_O365_GENERIC_ORGID_USER_LOGIN:ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken,11161:EVENT_O365_GENERIC_ORGID_USER_LOGIN:ForeignRealmIndexLogonInitialAuthUsingSAML20PostSimpleSign,11161:EVENT_O365_GENERIC_ORGID_USER_LOGIN:PasswordLogonCookieCopyUsingDAToken,11161:EVENT_O365_GENERIC_ORGID_USER_LOGIN:PasswordLogonInitialAuthUsingADFSFederatedToken,11161:EVENT_O365_GENERIC_ORGID_USER_LOGIN:PasswordLogonSilentReAuthUsingDAToken,11161:EVENT_O365_USER_PASS_LOGIN:PasswordLogonInitialAuthUsingPassword,11161:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,11394:EVENT_LOGIN_DETECTED:LOGIN,11394:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,11522:EVENT_AAD_LOGIN:Consent:Grant,11522:EVENT_AAD_LOGIN:Consent:Set,11522:EVENT_AAD_LOGIN:DebugMode:Set,11522:EVENT_AAD_LOGIN:DeviceAuth:PKeyAuth,11522:EVENT_AAD_LOGIN:DeviceAuth:ReprocessTls,11522:EVENT_AAD_LOGIN:Federation:oauth2,11522:EVENT_AAD_LOGIN:Federation:oauth2claimsprovider,11522:EVENT_AAD_LOGIN:KeyDataService:GetKeyData,11522:EVENT_AAD_LOGIN:Login,11522:EVENT_AAD_LOGIN:Login:login,11522:EVENT_AAD_LOGIN:Login:reprocess,11522:EVENT_AAD_LOGIN:Login:resume,11522:EVENT_AAD_LOGIN:MessagePrompt:MessagePrompt,11522:EVENT_AAD_LOGIN:OAuth2:ApproveSession,11522:EVENT_AAD_LOGIN:OAuth2:Authorize,11522:EVENT_AAD_LOGIN:OAuth2:DeviceAuth,11522:EVENT_AAD_LOGIN:OAuth2:Token,11522:EVENT_AAD_LOGIN:OrgIdWsFederation:federation,11522:EVENT_AAD_LOGIN:OrgIdWsFederation:postsrfactionhandler,11522:EVENT_AAD_LOGIN:OrgIdWsTrust2:extsts,11522:EVENT_AAD_LOGIN:OrgIdWsTrust2:process,11522:EVENT_AAD_LOGIN:PIA:PIAProcessAuth,11522:EVENT_AAD_LOGIN:PoPBinding:PoPBind,11522:EVENT_AAD_LOGIN:SAS:BeginAuth,11522:EVENT_AAD_LOGIN:SAS:EndAuth,11522:EVENT_AAD_LOGIN:SAS:ProcessAuth,11522:EVENT_AAD_LOGIN:SSPR:end,11522:EVENT_AAD_LOGIN:Saml2:processrequest,11522:EVENT_AAD_LOGIN:WindowsAuthenticationController:usernamemixed,11522:EVENT_AAD_LOGIN:WsFederation:wsfederation,11522:EVENT_AAD_LOGIN:bind:Bind,11522:EVENT_AAD_LOGIN:bind:BindComplete,11522:EVENT_AAD_LOGIN:kmsi:kmsi,11522:EVENT_LOGIN_DETECTED:LOGIN,11522:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,11599:EVENT_AWS_LOGIN_SUCCESS:ConsoleLogin,11599:EVENT_LOGIN_DETECTED:LOGIN,11627:EVENT_DROPBOX_LOGIN:login_success,11627:EVENT_LOGIN_DETECTED:LOGIN,12260:EVENT_AAD_LOGIN:Consent:Grant,12260:EVENT_AAD_LOGIN:Consent:Set,12260:EVENT_AAD_LOGIN:DebugMode:Set,12260:EVENT_AAD_LOGIN:DeviceAuth:PKeyAuth,12260:EVENT_AAD_LOGIN:DeviceAuth:ReprocessTls,12260:EVENT_AAD_LOGIN:Federation:oauth2,12260:EVENT_AAD_LOGIN:Federation:oauth2claimsprovider,12260:EVENT_AAD_LOGIN:Federation:oauth2msa,12260:EVENT_AAD_LOGIN:KeyDataService:GetKeyData,12260:EVENT_AAD_LOGIN:Login,12260:EVENT_AAD_LOGIN:Login:login,12260:EVENT_AAD_LOGIN:Login:reprocess,12260:EVENT_AAD_LOGIN:Login:resume,12260:EVENT_AAD_LOGIN:MessagePrompt:MessagePrompt,12260:EVENT_AAD_LOGIN:OAuth2:ApproveSession,12260:EVENT_AAD_LOGIN:OAuth2:Authorize,12260:EVENT_AAD_LOGIN:OAuth2:DeviceAuth,12260:EVENT_AAD_LOGIN:OAuth2:Token,12260:EVENT_AAD_LOGIN:OrgIdWsFederation:federation,12260:EVENT_AAD_LOGIN:OrgIdWsFederation:postsrfactionhandler,12260:EVENT_AAD_LOGIN:OrgIdWsTrust2:extsts,12260:EVENT_AAD_LOGIN:OrgIdWsTrust2:process,12260:EVENT_AAD_LOGIN:PIA:PIAProcessAuth,12260:EVENT_AAD_LOGIN:PoPBinding:PoPBind,12260:EVENT_AAD_LOGIN:SAS:BeginAuth,12260:EVENT_AAD_LOGIN:SAS:EndAuth,12260:EVENT_AAD_LOGIN:SAS:ProcessAuth,12260:EVENT_AAD_LOGIN:SSPR:end,12260:EVENT_AAD_LOGIN:Saml2:processrequest,12260:EVENT_AAD_LOGIN:TokenBinding:TokenBindingReprocess,12260:EVENT_AAD_LOGIN:WindowsAuthenticationController:usernamemixed,12260:EVENT_AAD_LOGIN:WsFederation:wsfederation,12260:EVENT_AAD_LOGIN:bind:Bind,12260:EVENT_AAD_LOGIN:bind:BindComplete,12260:EVENT_AAD_LOGIN:cmsi:Cmsi,12260:EVENT_AAD_LOGIN:kmsi:kmsi,12260:EVENT_LOGIN_DETECTED:LOGIN,12260:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,15600:EVENT_LOGIN_DETECTED:LOGIN,15600:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,20595:EVENT_AAD_LOGIN:Consent:Grant,20595:EVENT_AAD_LOGIN:Consent:Set,20595:EVENT_AAD_LOGIN:DeviceAuth:PKeyAuth,20595:EVENT_AAD_LOGIN:DeviceAuth:ReprocessTls,20595:EVENT_AAD_LOGIN:Federation:oauth2,20595:EVENT_AAD_LOGIN:Federation:oauth2claimsprovider,20595:EVENT_AAD_LOGIN:KeyDataService:GetKeyData,20595:EVENT_AAD_LOGIN:Login:login,20595:EVENT_AAD_LOGIN:Login:reprocess,20595:EVENT_AAD_LOGIN:Login:resume,20595:EVENT_AAD_LOGIN:MessagePrompt:MessagePrompt,20595:EVENT_AAD_LOGIN:OAuth2:ApproveSession,20595:EVENT_AAD_LOGIN:OAuth2:Authorize,20595:EVENT_AAD_LOGIN:OAuth2:DeviceAuth,20595:EVENT_AAD_LOGIN:OAuth2:Token,20595:EVENT_AAD_LOGIN:OrgIdWsFederation:federation,20595:EVENT_AAD_LOGIN:OrgIdWsTrust2:process,20595:EVENT_AAD_LOGIN:PoPBinding:PoPBind,20595:EVENT_AAD_LOGIN:SAS:BeginAuth,20595:EVENT_AAD_LOGIN:SAS:EndAuth,20595:EVENT_AAD_LOGIN:SAS:ProcessAuth,20595:EVENT_AAD_LOGIN:SSPR:end,20595:EVENT_AAD_LOGIN:Saml2:processrequest,20595:EVENT_AAD_LOGIN:TokenBinding:TokenBindingReprocess,20595:EVENT_AAD_LOGIN:WindowsAuthenticationController:usernamemixed,20595:EVENT_AAD_LOGIN:WsFederation:wsfederation,20595:EVENT_AAD_LOGIN:bind:Bind,20595:EVENT_AAD_LOGIN:kmsi:kmsi,20595:EVENT_ADALLOM_LOGIN:login,20595:EVENT_LOGIN_DETECTED:LOGIN,20595:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,20892:EVENT_AAD_LOGIN:Consent:Grant,20892:EVENT_AAD_LOGIN:Consent:Set,20892:EVENT_AAD_LOGIN:DebugMode:Set,20892:EVENT_AAD_LOGIN:DeviceAuth:PKeyAuth,20892:EVENT_AAD_LOGIN:DeviceAuth:ReprocessTls,20892:EVENT_AAD_LOGIN:Federation:oauth2,20892:EVENT_AAD_LOGIN:Federation:oauth2claimsprovider,20892:EVENT_AAD_LOGIN:Federation:oauth2ief,20892:EVENT_AAD_LOGIN:Federation:oauth2msa,20892:EVENT_AAD_LOGIN:KeyDataService:GetKeyData,20892:EVENT_AAD_LOGIN:Login,20892:EVENT_AAD_LOGIN:Login:login,20892:EVENT_AAD_LOGIN:Login:reprocess,20892:EVENT_AAD_LOGIN:Login:resume,20892:EVENT_AAD_LOGIN:MessagePrompt:MessagePrompt,20892:EVENT_AAD_LOGIN:OAuth2:ApproveSession,20892:EVENT_AAD_LOGIN:OAuth2:Authorize,20892:EVENT_AAD_LOGIN:OAuth2:DeviceAuth,20892:EVENT_AAD_LOGIN:OAuth2:Token,20892:EVENT_AAD_LOGIN:OrgIdWsFederation:federation,20892:EVENT_AAD_LOGIN:OrgIdWsFederation:postsrfactionhandler,20892:EVENT_AAD_LOGIN:OrgIdWsTrust2:extsts,20892:EVENT_AAD_LOGIN:OrgIdWsTrust2:process,20892:EVENT_AAD_LOGIN:PoPBinding:PoPBind,20892:EVENT_AAD_LOGIN:SAS:BeginAuth,20892:EVENT_AAD_LOGIN:SAS:EndAuth,20892:EVENT_AAD_LOGIN:SAS:ProcessAuth,20892:EVENT_AAD_LOGIN:SSPR:end,20892:EVENT_AAD_LOGIN:Saml2:processrequest,20892:EVENT_AAD_LOGIN:SidToName:SidToName,20892:EVENT_AAD_LOGIN:UserInfo:Index,20892:EVENT_AAD_LOGIN:WebApp:BulkAADJTokenPoll,20892:EVENT_AAD_LOGIN:WindowsAuthenticationController:usernamemixed,20892:EVENT_AAD_LOGIN:WsFederation:wsfederation,20892:EVENT_AAD_LOGIN:bind:Bind,20892:EVENT_AAD_LOGIN:bind:BindComplete,20892:EVENT_AAD_LOGIN:kmsi:kmsi,20892:EVENT_LOGIN_DETECTED:LOGIN,20892:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,20893:EVENT_AAD_LOGIN:Consent:Grant,20893:EVENT_AAD_LOGIN:Consent:Set,20893:EVENT_AAD_LOGIN:DebugMode:Set,20893:EVENT_AAD_LOGIN:DeviceAuth:PKeyAuth,20893:EVENT_AAD_LOGIN:DeviceAuth:ReprocessTls,20893:EVENT_AAD_LOGIN:Federation:oauth2,20893:EVENT_AAD_LOGIN:Federation:oauth2claimsprovider,20893:EVENT_AAD_LOGIN:KeyDataService:GetKeyData,20893:EVENT_AAD_LOGIN:Login,20893:EVENT_AAD_LOGIN:Login:login,20893:EVENT_AAD_LOGIN:Login:reprocess,20893:EVENT_AAD_LOGIN:Login:resume,20893:EVENT_AAD_LOGIN:MessagePrompt:MessagePrompt,20893:EVENT_AAD_LOGIN:OAuth2:ApproveSession,20893:EVENT_AAD_LOGIN:OAuth2:Authorize,20893:EVENT_AAD_LOGIN:OAuth2:DeviceAuth,20893:EVENT_AAD_LOGIN:OAuth2:Token,20893:EVENT_AAD_LOGIN:OrgIdWsFederation:federation,20893:EVENT_AAD_LOGIN:OrgIdWsFederation:postsrfactionhandler,20893:EVENT_AAD_LOGIN:OrgIdWsTrust2:extsts,20893:EVENT_AAD_LOGIN:OrgIdWsTrust2:process,20893:EVENT_AAD_LOGIN:PoPBinding:PoPBind,20893:EVENT_AAD_LOGIN:SAS:BeginAuth,20893:EVENT_AAD_LOGIN:SAS:EndAuth,20893:EVENT_AAD_LOGIN:SAS:ProcessAuth,20893:EVENT_AAD_LOGIN:SSPR:end,20893:EVENT_AAD_LOGIN:Saml2:processrequest,20893:EVENT_AAD_LOGIN:SidToName:SidToName,20893:EVENT_AAD_LOGIN:UserInfo:Index,20893:EVENT_AAD_LOGIN:WindowsAuthenticationController:usernamemixed,20893:EVENT_AAD_LOGIN:WsFederation:wsfederation,20893:EVENT_AAD_LOGIN:bind:Bind,20893:EVENT_AAD_LOGIN:bind:BindComplete,20893:EVENT_AAD_LOGIN:kmsi:kmsi,20893:EVENT_LOGIN_DETECTED:LOGIN,20893:EVENT_O365_OUTLOOK_MAILBOX_LOGIN:MailboxLogin,20893:EVENT_SUBAPP_LOGIN_DETECTED:LOGIN,20940:EVENT_ACTIVITY_LOGIN:CertificateInteractiveLogon,20940:EVENT_ACTIVITY_LOGIN:InteractiveLogon)&entity=eq(o:(role:i:1,adv:b:false),o:(id:341b8aeb-da54-42e4-8327-e58bc015d0b7,saas:i:11161,inst:i:0))

From the search you can easily create a new policy if needed. The pictures are from another tenant where I used the URI above to find activities.
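To reuse the two search URIs above in your own tenant, here is an added Python helper (my example, not code from the post): it pulls the activity.eventType=eq(...) filter out of the URL fragment into (app id, event type) pairs, counts how many event types each connected app id is covered by, and rewrites the portal hostname the way the post instructs. SAMPLE_URI is a constructed, trimmed copy of the post's failed-login URI, and the function names are my own.

```python
"""Parse and re-host the MCAS activity-search URIs shown in this post."""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample: a trimmed copy of the post's "Failed login" URI. The
# hostname, the filter layout and the event-type strings are the ones the
# post shows; the full list is cut down to five entries to keep it readable.
SAMPLE_URI = (
    "https://fetanet.portal.cloudappsecurity.com/#/audits/?"
    "activity.eventType=eq(EVENT_CATEGORY_FAILED_LOGIN,"
    "20940:EVENT_ACTIVITY_FAILED_LOGIN:FailedLogon,"
    "11161:EVENT_AAD_LOGIN_FAILED:Login:login,"
    "11161:EVENT_AAD_LOGIN_FAILED:OAuth2:Token,"
    "11599:EVENT_AWS_LOGIN_FAILED:ConsoleLogin,"
    "20595:EVENT_ADALLOM_LOGIN_FAILURE:login%20failure)"
    "&entity=eq(o:(role:i:1,adv:b:false),"
    "o:(id:341b8aeb-da54-42e4-8327-e58bc015d0b7,saas:i:11161,inst:i:0))"
)


def fragment_params(uri):
    """Return the key/value pairs of the query that the MCAS portal keeps in
    the URL fragment (everything after '#/audits/?'). Percent-escapes such
    as %20 are decoded by parse_qsl."""
    fragment = urlsplit(uri).fragment
    if "?" not in fragment:
        raise ValueError("no query string in the URL fragment")
    return dict(parse_qsl(fragment.split("?", 1)[1], keep_blank_values=True))


def parse_event_type_filter(uri):
    """Split activity.eventType=eq(<category>,<appId>:<event>,...) into the
    category name and a list of (app_id, event_type) tuples. Event names may
    contain further colons ('EVENT_AAD_LOGIN_FAILED::kerberos' in the post),
    so only the first colon separates the app id from the event name."""
    value = fragment_params(uri)["activity.eventType"]
    if not (value.startswith("eq(") and value.endswith(")")):
        raise ValueError("unexpected eventType filter: %r" % value)
    items = value[len("eq("):-1].split(",")
    category, entries = items[0], []
    for item in items[1:]:
        app_id, _, event = item.partition(":")
        if not app_id.isdigit() or not event:
            raise ValueError("malformed event type entry: %r" % item)
        entries.append((app_id, event))
    return category, entries


def events_per_app(uri):
    """Count the selected event types per connected app id: a quick check
    that the policy really spans every integration and not just Azure AD."""
    _, entries = parse_event_type_filter(uri)
    return dict(Counter(app_id for app_id, _ in entries))


def rewrite_host(uri, new_host):
    """Point the same search at another tenant's portal hostname, leaving
    the filter in the fragment untouched."""
    if not new_host or "/" in new_host or ":" in new_host:
        raise ValueError("new_host must be a bare hostname")
    return urlunsplit(urlsplit(uri)._replace(netloc=new_host))


if __name__ == "__main__":
    category, entries = parse_event_type_filter(SAMPLE_URI)
    print(category, len(entries), "event types", events_per_app(SAMPLE_URI))
    print(rewrite_host(SAMPLE_URI, "contoso.portal.cloudappsecurity.com"))
```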

Summary

Even though many organizations have their emergency accounts monitored by other solutions (Azure Sentinel, Azure Monitor or a 3rd-party SIEM), some organizations don’t have such solutions in place, and MCAS might help in those situations.

Hope this helps!