Sign-In Audit
Analyze Azure AD sign-in logs for authentication anomalies — impossible travel, MFA fatigue, legacy protocol abuse, token replay, and more. Builds a behavioral baseline per user and flags deviations. Connects directly to Microsoft Graph with no API credits required.
- M365 permissions: AuditLog.Read.All, Directory.Read.All
- Connection: direct Microsoft Graph
- Credits: $0 (free, no API credits used)
- License: Entra ID P1 / P2 required
Usage
Single user audit
```bash
dfir-cli bec signin-audit --user admin@contoso.com
```
Batch auditing
```bash
# Audit multiple users from a file (one UPN per line)
dfir-cli bec signin-audit --batch targets.txt
```
Custom time window
```bash
# Audit the last 7 days instead of the default 30
dfir-cli bec signin-audit --user admin@contoso.com --days 7

# Extend to 90 days for a deeper investigation
dfir-cli bec signin-audit --user admin@contoso.com --days 90
```
Advanced options
```bash
# Include non-interactive and service principal sign-ins
dfir-cli bec signin-audit --user admin@contoso.com \
  --include-non-interactive \
  --include-service-principal

# Only show high and critical anomalies
dfir-cli bec signin-audit --user admin@contoso.com --risk-threshold high
```
Baseline tuning
```bash
# Use a 7-day baseline window instead of the default 14
dfir-cli bec signin-audit --user admin@contoso.com --baseline-days 7
```
Output formats
```bash
# JSON output
dfir-cli bec signin-audit --user admin@contoso.com --json

# JSONL for piping to other tools
dfir-cli bec signin-audit --batch targets.txt -o jsonl

# CSV for spreadsheet import
dfir-cli bec signin-audit --user admin@contoso.com -o csv

# Quiet mode: exit code only, no output
dfir-cli bec signin-audit --user admin@contoso.com -q
```
Concurrency tuning
```bash
# Increase concurrency for batch scans (default 10 users in parallel)
dfir-cli bec signin-audit --batch targets.txt --concurrency 20
```
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --user | string | — | Target user UPN to audit (e.g. user@contoso.com). |
| --batch | string | — | Path to a text file with one UPN per line for batch auditing. |
| --days | int | 30 | Number of days of sign-in history to analyze. |
| --include-non-interactive | bool | false | Include non-interactive sign-ins (token refreshes, background auth). |
| --include-service-principal | bool | false | Include service principal / managed identity sign-ins. |
| --risk-threshold | string | low | Minimum risk level to display: "low", "medium", "high", or "critical". |
| --baseline-days | int | 14 | Number of days to use for building the user behavior baseline. |
| --concurrency | int | 10 | Number of users to audit in parallel (batch mode). |
| --json | bool | false | Output results as JSON. |
| -o | string | table | Output format: "table", "json", "jsonl", or "csv". |
| -q | bool | false | Quiet mode — suppress all output, communicate via exit code only. |
Detection Capabilities
The audit engine builds a behavioral baseline from the --baseline-days window, then evaluates every sign-in event against the following anomaly detectors.
| Detection | Description |
|---|---|
| Impossible travel | Two successful sign-ins from geographically distant locations within a time window too short for physical travel between them. |
| Legacy protocol abuse | Sign-ins over legacy authentication protocols (IMAP, POP3, SMTP AUTH) that do not support modern authentication and therefore admit a valid password without MFA. |
| MFA fatigue | Repeated MFA prompt failures followed by a successful authentication — indicative of push-notification fatigue attacks. |
| Token replay | Same token used from multiple IP addresses or user agents, suggesting stolen session tokens. |
| New device / location | Sign-in from a device or location never seen in the user's baseline period. |
| Suspicious user agents | Sign-ins from known attacker toolkits, legacy user agents, or anomalous browser strings. |
| Off-hours access | Sign-ins outside the user's established working hours pattern based on the baseline period. |
Exit Codes
Use exit codes for CI/CD pipelines or scripted workflows. Combine with -q for silent operation.
| Code | Meaning |
|---|---|
| 0 | Clean — no anomalies detected. |
| 2 | High or critical anomalies detected. |
| 3 | Medium anomalies detected (no high/critical). |
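The detectors above and the exit-code convention are the tool's. The following is an added Python example, not dfir-cli's engine or code from the DFIR Suite project: it implements toy versions of three of the detections (impossible travel, MFA fatigue, new location) over constructed sign-in records shaped like Microsoft Graph `/auditLogs/signIns` objects, splits the data into a baseline and an audit window the way `--baseline-days` describes, and maps the findings to the exit codes documented above, with `--risk-threshold`-style filtering. The thresholds (900 km/h, a 100 km noise floor, three denials within 15 minutes), the sample data, and the use of Entra error code 500121 as the MFA-denial marker are this example's assumptions, not the tool's.

```python
"""Added example: toy signin-audit detectors plus the documented exit-code mapping.
Not dfir-cli's engine or DFIR Suite code. Records mimic Graph /auditLogs/signIns
objects, restricted to the properties read here. Thresholds and the errorCode
500121 == MFA denial mapping are assumptions of this example."""
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

CUTOFF = datetime(2024, 5, 15, tzinfo=timezone.utc)  # start of the audit window

def _loc(city, country, lat, lon):
    return {"city": city, "countryOrRegion": country,
            "geoCoordinates": {"latitude": lat, "longitude": lon}}

def _rec(when, ip, loc, code=0):
    return {"createdDateTime": when, "ipAddress": ip, "location": loc,
            "status": {"errorCode": code}}

SEATTLE = _loc("Seattle", "US", 47.61, -122.33)
LAGOS = _loc("Lagos", "NG", 6.52, 3.38)

# Constructed sample data for admin@contoso.com; not real tenant logs.
SIGNINS = [
    # Baseline period: routine office-hours sign-ins from one location.
    _rec("2024-05-02T16:02:11Z", "203.0.113.10", SEATTLE),
    _rec("2024-05-06T15:47:03Z", "203.0.113.10", SEATTLE),
    _rec("2024-05-10T16:15:40Z", "203.0.113.10", SEATTLE),
    # Audit window: a normal sign-in, then one from another continent 42 min later.
    _rec("2024-05-16T15:58:00Z", "203.0.113.10", SEATTLE),
    _rec("2024-05-16T16:40:00Z", "198.51.100.7", LAGOS),
    # Three MFA denials in four minutes, then a success from the same IP.
    _rec("2024-05-17T03:01:00Z", "198.51.100.7", LAGOS, 500121),
    _rec("2024-05-17T03:02:10Z", "198.51.100.7", LAGOS, 500121),
    _rec("2024-05-17T03:03:25Z", "198.51.100.7", LAGOS, 500121),
    _rec("2024-05-17T03:05:00Z", "198.51.100.7", LAGOS),
]

MFA_DENIED = {500121}  # assumed: "authentication failed during strong authentication request"
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(radians, (a["latitude"], a["longitude"],
                                           b["latitude"], b["longitude"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Consecutive successful sign-ins whose implied speed exceeds max_kmh."""
    ok = sorted((e for e in events if e["status"]["errorCode"] == 0), key=ts)
    findings = []
    for prev, cur in zip(ok, ok[1:]):
        km = haversine_km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
        hours = (ts(cur) - ts(prev)).total_seconds() / 3600
        speed = km / hours if hours > 0 else float("inf")
        if km >= min_km and speed > max_kmh:  # min_km floor ignores geo-IP jitter between nearby cities
            findings.append(("impossible_travel", "high",
                             f"{prev['location']['city']} -> {cur['location']['city']} "
                             f"in {hours * 60:.0f} min ({speed:.0f} km/h)"))
    return findings

def mfa_fatigue(events, min_denials=3, window=timedelta(minutes=15)):
    """At least min_denials MFA denials within window, followed by a success."""
    findings, denials = [], []
    for e in sorted(events, key=ts):
        code = e["status"]["errorCode"]
        if code in MFA_DENIED:
            denials.append(e)
        elif code == 0:
            recent = [d for d in denials if ts(e) - ts(d) <= window]
            if len(recent) >= min_denials:
                findings.append(("mfa_fatigue", "high",
                                 f"{len(recent)} MFA denials then success from {e['ipAddress']}"))
            denials = []  # a success closes the episode, flagged or not
        # other failure codes (bad password, blocked by policy) neither feed nor reset the streak
    return findings

def new_locations(baseline, window):
    """Successful sign-ins from a city/country never seen in the baseline period."""
    seen = {(e["location"]["countryOrRegion"], e["location"]["city"]) for e in baseline}
    findings = []
    for e in sorted(window, key=ts):
        key = (e["location"]["countryOrRegion"], e["location"]["city"])
        if e["status"]["errorCode"] == 0 and key not in seen:
            findings.append(("new_location", "medium",
                             f"first sign-in from {key[1]}, {key[0]} ({e['ipAddress']})"))
            seen.add(key)  # report each new place once, not once per sign-in
    return findings

def audit(events, cutoff=CUTOFF, baseline_days=14):
    """Split events into baseline and audit window around cutoff; run all detectors."""
    baseline = [e for e in events if cutoff - timedelta(days=baseline_days) <= ts(e) < cutoff]
    window = [e for e in events if ts(e) >= cutoff]
    return impossible_travel(window) + mfa_fatigue(window) + new_locations(baseline, window)

def exit_code(findings, risk_threshold="low"):
    """Documented convention: 0 clean, 2 high/critical present, 3 medium only.
    Findings below risk_threshold are dropped first, mirroring --risk-threshold.
    The page defines no code for low-only findings; this example treats them as clean."""
    shown = [f for f in findings if SEVERITY[f[1]] >= SEVERITY[risk_threshold]]
    worst = max((SEVERITY[f[1]] for f in shown), default=-1)
    if worst >= SEVERITY["high"]:
        return 2
    return 3 if worst == SEVERITY["medium"] else 0

if __name__ == "__main__":
    found = audit(SIGNINS)
    for kind, sev, detail in found:
        print(f"[{sev.upper():8}] {kind}: {detail}")
    raise SystemExit(exit_code(found))  # 2 for this data set
```

Run stand-alone, the script prints one line per finding (an impossible Seattle-to-Lagos hop, an MFA-fatigue episode, and a first-seen location) and exits with status 2, the same code a `-q` run of the real tool is documented to return when high or critical anomalies are present. Note that the MFA-fatigue detector deliberately lets unrelated failures (wrong password, policy blocks) pass through without resetting the denial streak, since a push-bombing attacker typically already holds the correct password.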
Important Notes
- This command connects directly to Microsoft Graph using your registered Azure AD application. No data is sent to DFIR Suite servers, and no API credits are consumed.
- Requires the `AuditLog.Read.All` and `Directory.Read.All` application permissions in your Azure AD app registration.
- Sign-in log access requires an Entra ID P1 or P2 license on the tenant. Without it, the Microsoft Graph sign-in logs endpoint returns no sign-in data and the audit has nothing to analyze.
- Run `dfir-cli bec auth` before your first audit to authenticate with your Azure AD application.