User Authenticating to Azure CLI for First Time
Platform
Data Sources
Related Blog Post
MITRE ATT&CK
Tactics
Techniques
Threat Actors
Tags
Hunt Hypothesis
Threat actors will use token theft, combined with phishing as the initial access vector, as a means of initial access, privilege escalation and persistence.
Analytic #1
This analytic looks for users who authenticated to Azure CLI within the last two days but have no Azure CLI sign-in in the preceding 90-day baseline. A user not normally associated with development or cloud operations authenticating to Azure CLI could be the result of ConsentFix, where the user is tricked into completing a sign-in to the Azure CLI application so that the resulting token can be stolen.
Detection Queries
// Baseline window: 90 days back, ending 2 days ago. The recent window is excluded
// from the baseline so a user's own sign-ins in the last 2 days cannot count as history.
let lookback = 90d;
let recent = 2d;
// 04b07795-8ddb-461a-bbee-02f9e1bf7b46 is the well-known application ID of the
// Azure CLI public client (AppDisplayName "Microsoft Azure CLI").
let azureCliAppId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
// Every UPN that signed in to Azure CLI during the baseline window.
let historicalUsers = SigninLogs
    | where TimeGenerated between (ago(lookback)..ago(recent))
    | where AppId == azureCliAppId
    | distinct UserPrincipalName;
// Azure CLI sign-ins in the recent window by users absent from the baseline.
// Note: no ResultType filter is applied, so failed attempts are included;
// add "| where ResultType == 0" to keep successful sign-ins only.
// SigninLogs holds interactive sign-ins; later CLI token refreshes land in
// AADNonInteractiveUserSignInLogs and are not needed to spot the first sign-in.
SigninLogs
    | where TimeGenerated > ago(recent)
    | where AppId == azureCliAppId
    | where UserPrincipalName !in (historicalUsers)
    | extend
        City = tostring(LocationDetails.city),
        State = tostring(LocationDetails.state),
        Country = tostring(LocationDetails.countryOrRegion),
        OS = tostring(DeviceDetail.operatingSystem),
        Browser = tostring(DeviceDetail.browser),
        IsCompliant = tostring(DeviceDetail.isCompliant),
        IsManagedDevice = tostring(DeviceDetail.isManaged)
    | project
        TimeGenerated,
        UserPrincipalName,
        IPAddress,
        Country,
        City,
        State,
        OS,
        Browser,
        IsCompliant,
        IsManagedDevice,
        RiskLevelDuringSignIn,
        RiskLevelAggregated,
        AuthenticationRequirement,
        ConditionalAccessStatus,
        ResourceDisplayName,
        UserAgent,
        CorrelationId
    | sort by TimeGenerated desc
Triage Steps
- Verify the user's role and job function and determine whether Azure CLI usage is expected for that role (e.g., developers, cloud engineers)
- Check whether this is genuinely the user's first Azure CLI authentication or whether the historical data is incomplete (e.g., the workspace retains fewer than 90 days of SigninLogs, or the user's last CLI sign-in predates the baseline window)
- Review the authentication context: examine browser, device compliance, and location details for anomalies
- Look for signs of phishing or social engineering in the user's recent email or web browsing activity
- Check whether the user reported any suspicious prompts or instructions to authenticate to Microsoft services
- Review which resources were accessed immediately after the first Azure CLI authentication, including the non-interactive token refreshes that follow it
- Correlate with other hunts for ConsentFix indicators, such as token protection status switches or localhost redirects in proxy logs
- Check whether multiple non-technical users show first-time Azure CLI authentications in the same timeframe or from the same source IP, which would indicate a campaign
- If confirmed suspicious, interview the user to understand why they authenticated to Azure CLI, and revoke the user's sign-in sessions so that any stolen refresh token stops working
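The following is an added example, not part of the original hunt page or its query: it re-implements the analytic's first-seen logic in Python over a handful of constructed SigninLogs-shaped records, so the baseline behaviour can be checked offline before the KQL is deployed. It also covers two of the triage points above: the "history is incomplete" case (a user whose only prior CLI sign-in is older than the 90-day baseline is reported as first-time, and a workspace with less than 90 days of data cannot establish a baseline at all) and the campaign check (several first-time users sharing one source IP). All users, IP addresses and timestamps are invented; only the Azure CLI application ID is the real one the query filters on.

```python
"""Offline check of the first-time Azure CLI sign-in analytic (added example)."""
from datetime import datetime, timedelta, timezone

# Well-known application ID of the Azure CLI public client, as in the KQL.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
LOOKBACK = timedelta(days=90)
RECENT = timedelta(days=2)

# Constructed "now" and sample rows; every user, IP and timestamp is invented.
NOW = datetime(2025, 12, 17, 13, 0, tzinfo=timezone.utc)


def row(age, upn, ip="203.0.113.10", app_id=AZURE_CLI_APP_ID):
    """Build one SigninLogs-like record `age` before NOW (constructed data)."""
    return {"TimeGenerated": NOW - age, "UserPrincipalName": upn,
            "AppId": app_id, "IPAddress": ip}


SAMPLE_SIGNINS = [
    # Cloud engineer with an established CLI baseline: must not be reported.
    row(timedelta(days=40), "devops1@example.onmicrosoft.com"),
    row(timedelta(hours=5), "devops1@example.onmicrosoft.com"),
    # Finance user: first ever CLI sign-in, inside the recent window.
    row(timedelta(hours=1), "finance1@example.onmicrosoft.com", ip="198.51.100.7"),
    # Finance user's earlier sign-in to a different app: not CLI history.
    row(timedelta(days=10), "finance1@example.onmicrosoft.com", app_id="00000000-0000-0000-0000-000000000001"),
    # HR user: first CLI sign-in minutes later from the same IP (campaign signal).
    row(timedelta(hours=1, minutes=10), "hr1@example.onmicrosoft.com", ip="198.51.100.7"),
    # Contractor: only prior CLI sign-in is 120 days old, outside the baseline,
    # so the analytic reports them as first-time (the triage caveat).
    row(timedelta(days=120), "contractor1@example.onmicrosoft.com", ip="192.0.2.44"),
    row(timedelta(hours=3), "contractor1@example.onmicrosoft.com", ip="192.0.2.44"),
]


def first_time_cli_signins(rows, now=NOW, lookback=LOOKBACK, recent=RECENT):
    """Mirror the KQL: baseline = CLI sign-ins with
    now-lookback <= TimeGenerated <= now-recent; report CLI sign-ins newer than
    now-recent whose UPN never appears in the baseline, newest first."""
    baseline_start, recent_start = now - lookback, now - recent
    cli = [r for r in rows if r["AppId"] == AZURE_CLI_APP_ID]
    historical = {r["UserPrincipalName"] for r in cli
                  if baseline_start <= r["TimeGenerated"] <= recent_start}
    hits = [r for r in cli
            if r["TimeGenerated"] > recent_start
            and r["UserPrincipalName"] not in historical]
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


def baseline_is_complete(rows, now=NOW, lookback=LOOKBACK):
    """True only if the data reaches back at least `lookback`; otherwise every
    'first-time' hit may simply be a user whose history was never ingested."""
    if not rows:
        return False
    return min(r["TimeGenerated"] for r in rows) <= now - lookback


def shared_source_ips(hits, min_users=2):
    """Campaign check: source IPs from which several distinct first-time users
    signed in. Returns {ip: sorted list of UPNs}."""
    by_ip = {}
    for r in hits:
        by_ip.setdefault(r["IPAddress"], set()).add(r["UserPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    print("baseline covers 90 days:", baseline_is_complete(SAMPLE_SIGNINS))
    hits = first_time_cli_signins(SAMPLE_SIGNINS)
    for h in hits:
        print(h["TimeGenerated"].isoformat(), h["UserPrincipalName"], h["IPAddress"])
    print("shared source IPs:", shared_source_ips(hits))
```

Running it reports finance1, hr1 and contractor1 as first-time CLI users (devops1 is suppressed by their 40-day-old sign-in), flags 198.51.100.7 as shared by two first-time users, and shows that trimming the data to 30 days makes the baseline unusable, which is exactly the "historical data is incomplete" case the triage steps tell you to rule out.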
True Positive Example
{
"TimeGenerated": "17/12/2025, 12:57:59.000",
"UserPrincipalName": "hunter1@redacted.onmicrosoft.com",
"IPAddress": "146.72.180.26",
"Country": "GB",
"City": "Tower Hamlets",
"State": "Greater London",
"OS": "Windows10",
"Browser": "Edge 143.0.0",
"IsCompliant": true,
"IsManagedDevice": true,
"RiskLevelDuringSignIn": "none",
"RiskLevelAggregated": "none",
"AuthenticationRequirement": "singleFactorAuthentication",
"ConditionalAccessStatus": "success",
"ResourceDisplayName": "Azure Resource Manager",
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0 OS/10.0.26100"
}
First-time Azure CLI authentication detected for user hunter1 from Tower Hamlets, GB. The user authenticated via the Edge browser on a compliant, managed Windows 10 device with single-factor authentication, and Conditional Access reported success. Although the sign-in looks legitimate on the surface (compliant device, standard browser, no risk flagged), this user has no Azure CLI sign-in in the past 90 days. That pattern is consistent with ConsentFix phishing, where non-technical users are tricked into authenticating to Azure CLI, and a device-based Conditional Access policy would not have blocked it because the request came from a compliant device. The first-time CLI sign-in therefore warrants investigation to determine whether the user was phished or whether this represents legitimate new Azure development activity.