20.03.2026

Azure Entra ID Sign-In Log Bypasses: What SREs Need to Know


Security researchers at TrustedSec have disclosed four distinct Azure Entra ID sign-in log bypasses discovered between 2023 and 2025. These vulnerabilities let attackers confirm valid passwords or obtain fully functioning access tokens without generating entries in Azure sign-in logs. For SRE teams relying on these logs for intrusion detection, this is a critical blind spot.

What Are Sign-In Log Bypasses?

Azure Entra ID (formerly Azure AD) supports the OAuth2 Resource Owner Password Credentials (ROPC) flow, in which a client submits a username and password directly to the token endpoint. Administrators depend on sign-in logs to detect brute-force attacks, credential stuffing, and unauthorized access. The discovered bypasses allowed authentication attempts to succeed, or to validate credentials, without producing any sign-in log entry.

The four bypasses discovered:

  • GraphNinja (2023-2024): Targeting a foreign tenant ID caused the password to be validated without any log entry in the victim's tenant
  • GraphGhost (2024-2025): Invalid Client ID values triggered post-validation failures, hiding successful password guesses
  • GraphGoblin (2025): Overflowing the scope parameter with repeated values caused database insert failures, bypassing logs entirely
  • Fourth bypass (2025): Details withheld, but similar impact confirmed

Why This Matters for SRE Teams

If your organization uses Azure Entra ID, you likely trust sign-in logs as your primary detection mechanism for:

  • Password spray attacks
  • Credential compromise
  • Unauthorized access attempts

These bypasses demonstrate that critical logging can fail silently. Attackers could perform reconnaissance or gain access without triggering alerts.

Detection with KQL Queries

While Microsoft has patched these specific bypasses, similar issues may emerge. Consider augmenting your detection strategy; for example, the following KQL query flags unusually frequent successful password sign-ins for one user from one source IP:

// SigninLogs.ResultType is a string column; "0" marks a successful sign-in
SigninLogs
| where ResultType == "0"
// keep only sign-ins that used a password (AuthenticationDetails is a dynamic column)
| where AuthenticationDetails has "password"
// more than 10 successful password sign-ins for one user from one IP within an hour
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where count_ > 10

Cross-reference sign-in logs with network telemetry and application logs. Anomalies in token usage without corresponding sign-in events warrant investigation.
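As an added worked example (not code from this article or from TrustedSec), the correlation just described can be run offline: each token-usage record is checked against the sign-in records, and any Graph request whose token cannot be traced to a successful, earlier sign-in is flagged. The sample records are constructed, and the field names as well as the pairing of SignInActivityId with UniqueTokenIdentifier as the join key are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample records (values invented). Field names loosely mirror Sentinel's
# SigninLogs / MicrosoftGraphActivityLogs tables; pairing SignInActivityId with
# UniqueTokenIdentifier as the join key is an assumption of this example.
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-06-01T09:00:00", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "0", "UniqueTokenIdentifier": "tok-001"},
    {"TimeGenerated": "2025-06-01T09:05:00", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.11", "ResultType": "50126", "UniqueTokenIdentifier": "tok-002"},
]
GRAPH_ACTIVITY = [
    {"TimeGenerated": "2025-06-01T09:01:00", "IPAddress": "203.0.113.10",
     "SignInActivityId": "tok-001", "RequestUri": "https://graph.microsoft.com/v1.0/me"},
    {"TimeGenerated": "2025-06-01T08:50:00", "IPAddress": "203.0.113.10",
     "SignInActivityId": "tok-001", "RequestUri": "https://graph.microsoft.com/v1.0/me"},
    {"TimeGenerated": "2025-06-01T09:10:00", "IPAddress": "198.51.100.7",
     "SignInActivityId": "tok-002", "RequestUri": "https://graph.microsoft.com/v1.0/users"},
    {"TimeGenerated": "2025-06-01T09:12:00", "IPAddress": "198.51.100.7",
     "SignInActivityId": "tok-777", "RequestUri": "https://graph.microsoft.com/v1.0/users"},
]

def orphaned_token_usage(signins, activity, max_token_age=timedelta(hours=24)):
    """Graph requests whose token has no successful sign-in within max_token_age before them."""
    issued = {}
    for s in signins:
        if s["ResultType"] == "0":  # only successful sign-ins mint a token
            issued[s["UniqueTokenIdentifier"]] = datetime.fromisoformat(s["TimeGenerated"])
    flagged = []
    for a in activity:
        used = datetime.fromisoformat(a["TimeGenerated"])
        minted = issued.get(a["SignInActivityId"])
        if minted is None:
            reason = "no successful sign-in recorded for this token"
        elif not (minted <= used <= minted + max_token_age):
            reason = "token used outside the window implied by its sign-in"
        else:
            continue  # consistent with a logged sign-in: nothing to flag
        flagged.append({**a, "reason": reason})
    return flagged

def orphans_by_ip(flagged):
    """Count flagged requests per source IP: one origin using several untraceable tokens stands out."""
    counts = {}
    for f in flagged:
        counts[f["IPAddress"]] = counts.get(f["IPAddress"], 0) + 1
    return counts
```

On the constructed data, the request made before its own sign-in and the two requests whose tokens never appear as successful sign-ins are flagged, and the per-IP count singles out 198.51.100.7.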

Defensive Recommendations

  1. Enable Conditional Access: Require MFA for all users to make stolen passwords insufficient
  2. Monitor token usage: Track Graph API and resource access patterns independently of sign-in logs
  3. Implement network logging: Capture authentication endpoint traffic at the network level
  4. Stay current on patches: Microsoft fixed these issues, but timely patching is essential
  5. Assume partial visibility: Design detection strategies that do not rely solely on any single log source

Conclusion

The Azure sign-in log bypasses revealed by TrustedSec highlight a fundamental principle: no single logging source should be fully trusted for security detection. SRE teams managing Azure environments should implement defense-in-depth monitoring and stay informed about emerging authentication vulnerabilities.

For platform teams seeking reliable AI-powered infrastructure monitoring, Akmatori provides autonomous SRE agents that correlate signals across multiple sources. Deployed on Gcore global infrastructure, Akmatori helps teams detect anomalies that single-source logging might miss.
