Decoding Microsoft 365 Audit Log Events Using Bitfield Mapping Technique

When users authenticate to Microsoft cloud services, their activities generate authentication events recorded across multiple logging systems. Both Microsoft Entra sign-in logs and Microsoft 365 audit logs capture these authentication events but represent this critical security data using different formats.

Security analysts investigating incidents frequently encounter the `UserAuthenticationMethod` field in Microsoft 365 sign-in events, which displays cryptic numeric values such as 16, 272, or 33554432. The absence of official documentation from Microsoft explaining these values has posed challenges for security teams attempting to analyze authentication patterns, identify suspicious login activities, or assess the adoption of phishing-resistant authentication methods.

The lack of documentation meant that incident responders working in environments where only Microsoft 365 audit logs were available struggled to understand what authentication methods users employed during sign-in events.

Through systematic correlation analysis between Microsoft Entra sign-in logs and Microsoft 365 audit logs, Sekoia analysts discovered that the `UserAuthenticationMethod` field operates as a bitfield, where each bit position represents a distinct authentication method. This breakthrough enables security professionals to decode these numeric values into human-readable authentication method descriptions.

The research team mapped each bit position to specific authentication methods by leveraging shared correlation identifiers between the logging systems. Microsoft 365 audit logs contain an `InterSystemsId` field, while Entra ID logs include a `correlationId` field, both referencing identical authentication events. By matching events across sources, researchers correlated numeric `UserAuthenticationMethod` values with detailed authentication method descriptions found in Entra ID’s `authenticationMethodDetail` fields.

Decoding the Bitfield Mapping Technique

The bitfield structure allows multiple authentication methods to appear simultaneously in one numeric value. For instance, the value 272 is 100010000 in binary, which sets bit 4 (Password Hash Sync, decimal value 16) and bit 8 (via Staged Rollout, decimal value 256); read together, the two bits describe the authentication mechanism as “Password Hash Sync via Staged Rollout”.

The mapping encompasses 28 documented bit positions, including:

– Password in the cloud at bit 0 (decimal 1)
– Temporary Access Pass at bit 1
– Seamless SSO at bit 2
– Windows Hello for Business at bit 18 (decimal 262144)
– Passkey at bit 25 (decimal 33554432)

However, several bits remain unmapped, including positions 5, 7, 9-17, 22, and 26.
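The decoding described above, as an added example that is not part of the original article: the table maps only the bit positions the article names, every other set bit is reported as unmapped rather than guessed, the phishing-resistant set (Windows Hello for Business and Passkey) is an assumption made for this example, and the sample records are constructed.

```python
from collections import Counter
# Bit positions the article maps; any other set bit is reported as unmapped rather than guessed.
KNOWN_BITS = {
    0: "Password in the cloud",
    1: "Temporary Access Pass",
    2: "Seamless SSO",
    4: "Password Hash Sync",
    8: "via Staged Rollout",
    18: "Windows Hello for Business",
    25: "Passkey",
}
# Assumption made for this example: Windows Hello for Business and Passkey count as phishing resistant.
PHISHING_RESISTANT_BITS = {18, 25}

def decode_auth_method(value: int):
    """Return (known method names, unmapped bit positions), walking bits low to high."""
    if value < 0:
        raise ValueError("UserAuthenticationMethod must be non-negative")
    methods, unmapped = [], []
    for bit in range(value.bit_length()):
        if value >> bit & 1:
            if bit in KNOWN_BITS:
                methods.append(KNOWN_BITS[bit])
            else:
                unmapped.append(bit)
    return methods, unmapped

def describe(value: int) -> str:
    """Human-readable label, e.g. 272 -> 'Password Hash Sync + via Staged Rollout'."""
    methods, unmapped = decode_auth_method(value)
    parts = methods + [f"unmapped bit {b}" for b in unmapped]
    return " + ".join(parts) if parts else "none"

def is_phishing_resistant(value: int) -> bool:
    return any(value >> b & 1 for b in PHISHING_RESISTANT_BITS)

# Constructed sample records shaped like M365 audit-log sign-in events (not real data).
SAMPLE_EVENTS = [
    {"UserId": "alice@example.com", "UserAuthenticationMethod": 272},
    {"UserId": "bob@example.com", "UserAuthenticationMethod": 33554432},
    {"UserId": "carol@example.com", "UserAuthenticationMethod": 1},
    {"UserId": "dave@example.com", "UserAuthenticationMethod": 16 | (1 << 22)},
]

def method_counts(events) -> Counter:
    """Tally decoded method names across events, e.g. for adoption reporting."""
    counts = Counter()
    for event in events:
        counts.update(decode_auth_method(event["UserAuthenticationMethod"])[0])
    return counts
```

Unmapped bits surface by position in the output so they can be correlated against Entra sign-in logs later instead of being silently dropped.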

This discovery is significant for security teams, as it provides a method to interpret previously opaque data within Microsoft 365 audit logs. By understanding the specific authentication methods used during sign-in events, organizations can enhance their security monitoring, detect unauthorized access attempts more effectively, and ensure compliance with security policies.

Moreover, this bitfield mapping technique allows for a more granular analysis of authentication trends within an organization. Security analysts can now identify which authentication methods are most commonly used, assess the adoption rates of more secure authentication mechanisms, and pinpoint potential vulnerabilities in the authentication process.

For example, if an organization observes a high prevalence of less secure authentication methods, such as password-only logins, it can take proactive measures to encourage the adoption of multi-factor authentication or other more secure methods. Conversely, if certain secure authentication methods are underutilized, the organization can investigate potential barriers to their adoption and address them accordingly.

Furthermore, the ability to decode the `UserAuthenticationMethod` field enhances incident response capabilities. In the event of a security incident, analysts can quickly determine the authentication methods used during suspicious sign-in events, providing valuable context for the investigation. This information can help in identifying the attack vectors used by adversaries and in implementing measures to prevent similar incidents in the future.

It’s also worth noting that this bitfield mapping technique can be integrated into automated security monitoring tools. By incorporating the decoding process into these tools, organizations can automate the analysis of authentication methods, enabling real-time detection of anomalies and potential security threats.

In conclusion, the discovery of the bitfield mapping technique for the `UserAuthenticationMethod` field in Microsoft 365 audit logs represents a significant advancement in the field of cybersecurity. It provides security professionals with a powerful tool to decode and interpret authentication data, enhancing their ability to monitor, analyze, and respond to authentication-related security events. As organizations continue to rely on Microsoft cloud services, understanding and leveraging this technique will be crucial in maintaining robust security postures and protecting sensitive information.