
Investigating suspicious AI workflows in Microsoft Entra Agent ID: Assistive agents


 {
  "TenantId": "855f09b2-b284-45cb-af48-6d9ee72abb2b",
  "SourceSystem": "Azure AD",
  "TimeGenerated": "2026-05-08T15:28:55.5845975Z",
  "OperationName": "Sign-in activity",
  "OperationVersion": "1.0",
  "Category": "NonInteractiveUserSignInLogs",
  "ResultType": "0",
  "ResultSignature": "SUCCESS",
  "ResultDescription": "",
  "DurationMs": "0",
  "CorrelationId": "432ea15c-55fa-4132-ae78-cfcfb4405a96",
  "ResourceGroup": "Microsoft.aadiam",
  "Identity": "Matt Graeber",
  "Level": "",
  "Location": "US",
  "AADTenantId": "adcb5820-70a1-4272-b79c-32f2bba44ddc",
  "Agent": {
    "agentType": "agenticAppInstance",
    "parentAppId": "beddadf7-4f3b-4e9b-8443-0b0cf777446e",
    "agentSubjectType": "notAgentic"
  },
  "AlternateSignInName": "",
  "AppDisplayName": "Agent001",
  "AppId": "8cd0a10f-0be8-413a-9bf2-f44bc568d1e4",
  "AppliedEventListeners": null,
  "AppOwnerTenantId": "",
  "AuthenticationContextClassReferences": [],
  "AuthenticationDetails": {
    "authenticationStepDateTime": "2026-05-08T11:26:45.5640057-04:00",
    "authenticationMethod": "Previously satisfied",
    "authenticationMethodDetail": "",
    "succeeded": true,
    "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token",
    "authenticationStepRequirement": ""
  },
  "AuthenticationMethodsUsed": "",
  "AuthenticationProcessingDetails": [
    {
      "key": "Legacy TLS (TLS 1.0, 1.1, 3DES)",
      "value": "False"
    },
    {
      "key": "Oauth Scope Info",
      "value": "["Group.Read.All","Mail.ReadWrite","Mail.Send","MailboxSettings.ReadWrite","User.Read","openid","profile","email"]"
    },
    {
      "key": "Is Legacy Store Used",
      "value": "False"
    },
    {
      "key": "Is CAE Token",
      "value": "False"
    }
  ],
  "AuthenticationProtocol": "none",
  "AuthenticationRequirement": "multiFactorAuthentication",
  "AuthenticationRequirementPolicies": {
    "requirementProvider": "user",
    "detail": "Per-user MFA"
  },
  "AuthenticatorAppLocation": "",
  "AutonomousSystemNumber": "14618",
  "ClientAppUsed": "Browser",
  "ClientCredentialType": "federatedIdentityCredential",
  "ConditionalAccessAudiences": [
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
    "00000002-0000-0ff1-ce00-000000000000",
    "00000003-0000-0ff1-ce00-000000000000",
    "00000002-0000-0000-c000-000000000000"
  ],
  "ConditionalAccessPolicies": [],
  "ConditionalAccessPoliciesV2": null,
  "ConditionalAccessStatus": "notApplied",
  "CreatedDateTime": "2026-05-08T15:26:45.5640057Z",
  "CrossTenantAccessType": "none",
  "DeviceDetail": {
    "deviceId": "",
    "operatingSystem": "MacOs",
    "browser": "",
    "isCompliant": false,
    "isManaged": false
  },
  "FederatedCredentialId": "1a418fdb-5c5e-4f99-b98c-098d13e240ee",
  "GlobalSecureAccessIpAddress": "",
  "HomeTenantId": "adcb5820-70a1-4272-b79c-32f2bba44ddc",
  "HomeTenantName": "",
  "Id": "2ffe7f1b-6ef8-425a-88f0-b6abcf4c5500",
  "IncomingTokenType": "none",
  "IPAddress": "51.3.97.221",
  "IsInteractive": "false",
  "IsRisky": null,
  "IsTenantRestricted": "false",
  "IsThroughGlobalSecureAccess": "false",
  "LocationDetails": {
    "city": "Ashburn",
    "state": "Virginia",
    "countryOrRegion": "US",
    "geoCoordinates": {
      "latitude": 39.043701171875,
      "longitude": -77.47419738769531
    }
  },
  "MfaDetail": "",
  "NetworkLocationDetails": {
    "networkType": "namedNetwork",
    "networkNames": [
      "USA"
    ]
  },
  "OriginalRequestId": "2ffe7f1b-6ef8-425a-88f0-b6abcf4c5500",
  "OriginalTransferMethod": "none",
  "ProcessingTimeInMs": "175",
  "ResourceDisplayName": "Microsoft Graph",
  "ResourceIdentity": "00000003-0000-0000-c000-000000000000",
  "ResourceOwnerTenantId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
  "ResourceServicePrincipalId": "4e881284-c6b3-489e-b241-ec8f35c65dd6",
  "ResourceTenantId": "adcb5820-70a1-4272-b79c-32f2bba44ddc",
  "RiskDetail": "none",
  "RiskEventTypes": [],
  "RiskEventTypes_V2": "",
  "RiskLevelAggregated": "none",
  "RiskLevelDuringSignIn": "none",
  "RiskState": "none",
  "ServicePrincipalId": "8cd0a10f-0be8-413a-9bf2-f44bc568d1e4",
  "SessionId": "003066ba-089b-fe8a-f68e-78764ba250c4",
  "SessionLifetimePolicies": [],
  "SignInEventTypes": ["nonInteractiveUser"],
  "SignInIdentifierType": "",
  "TokenProtectionStatusDetails": {
    "signInSessionStatus": "none",
    "signInSessionStatusCode": 1002
  },
  "Status": {
    "errorCode": 0,
    "additionalDetails": "MFA requirement satisfied by claim in the token"
  },
  "TokenIssuerName": "",
  "TokenIssuerType": "AzureAD",
  "UniqueTokenIdentifier": "G3_-L_huWkKI8Larz0xVAA",
  "UserAgent": "Mozilla/5.0 (Macintosh; macOS 26.4.1; en-US) PowerShell/7.6.1",
  "UserDisplayName": "Matt Graeber",
  "UserId": "986b1d1b-d0b4-4ee6-bb5b-02e58d437abe",
  "UserPrincipalName": "matt@ContosoCorp.onmicrosoft.com",
  "UserType": "Member",
  "Type": "AADNonInteractiveUserSignInLogs"
}


