Invisible password sprays. Invisible logins. Full tokens returned.
Nyxgeek here. It's 2026 and I've got two more Azure Entra ID sign-in log bypasses to share with you. Don't get too excited…these bypasses were recently fixed, but I think it's important that people know.
By sending a specially crafted login attempt to the Azure authentication endpoint, it was possible to retrieve valid tokens without the activity appearing in the Entra ID sign-in logs. This is critical logging…logging that administrators across the world rely on to detect intrusions…logging that could be made optional.
Today I will walk you through the third and fourth Azure sign-in log bypasses that I have found in the last three years. I will also look at how sign-in log bypasses can be detected using KQL queries. By knowing about Microsoft's past mistakes, we can try to prepare for their future failures.
Background
Since 2023, I've uncovered four Azure Entra ID sign-in log bypasses. This means I've found four completely different ways to validate an Azure account's password without it showing up in the Azure Entra ID sign-in logs. While the first two of these merely confirmed whether a password was valid without generating a log, my latest logging bypasses returned fully functioning tokens.
Previously, I had written about GraphNinja and GraphGhost -- two logging bypasses where a user could identify valid passwords without generating any 'successful' events in the sign-in logs. Neither was overly complicated. You can find blog posts describing them in detail here and here.
| Name | Reported | Fixed | Description |
|------|----------|-------|-------------|
| GraphNinja | 08/2023 | 05/2024 | Validate password without creating a log by specifying a foreign tenant ID as endpoint |
| GraphGhost | 12/2024 | 04/2025 | Validate password without creating a successful login event by supplying an invalid value for specific logon parameters, causing the overall auth flow to fail after performing credential validation |
Real quick -- a point of clarification on the names: while I've used Graph- prefix to designate these different bypasses, perhaps it would have been more appropriate to prefix them Entra-, as they were not limited to only Graph sign-ins.
In each of these, the logging being bypassed is the Azure Entra ID sign-in log. The logon method is an HTTP POST to the Entra ID token endpoint, login.microsoftonline.com, using the OAuth2 ROPC flow, with the Graph API as our intended resource/scope. We submit a username and password, an Application ID, and a target resource/scope, and we get a bearer token or refresh token for the Graph API in return.
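To make the request and response shape above concrete, here is an added example that is not from nyxgeek's post or tooling. It builds the ROPC form body for the v2.0 token endpoint offline (nothing is sent) and decodes a constructed, unsigned sample token so you can see what a "full token" response carries: the audience, granted scopes, expiry and whether a refresh token came back. The tenant ID, client ID, credentials and the sample token are all placeholders.

```python
"""Shape of an OAuth2 ROPC request to the Entra ID token endpoint and of the
token response it returns. Added example: it builds the request body offline
and parses a constructed sample response; it never contacts Microsoft."""
import base64
import json
from urllib.parse import urlencode

# v2.0 endpoint takes a 'scope' parameter; the v1.0 endpoint uses 'resource'.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_ropc_request(tenant, client_id, username, password, scope=GRAPH_SCOPE):
    """Return (url, urlencoded form body) for a ROPC token request.

    grant_type=password is what makes this the ROPC flow; adding the
    offline_access scope is what asks Entra ID for a refresh token as well.
    """
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": f"{scope} offline_access",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(form)


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying its signature.

    Good enough to inspect aud/scp/upn when reviewing a token; never use an
    unverified decode to decide whether to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def summarize_token_response(resp):
    """Pull out what a reviewer cares about from a token-endpoint response."""
    claims = decode_jwt_claims(resp["access_token"])
    return {
        "aud": claims.get("aud"),
        "scp": claims.get("scp"),
        "upn": claims.get("upn"),
        "expires_in": resp.get("expires_in"),
        "has_refresh_token": "refresh_token" in resp,
    }


def _make_sample_jwt(claims):
    """Constructed, unsigned (alg=none) token used only to exercise the parser."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample of what the token endpoint hands back on success.
SAMPLE_RESPONSE = {
    "token_type": "Bearer",
    "scope": "User.Read",
    "expires_in": 3599,
    "access_token": _make_sample_jwt({
        "aud": "https://graph.microsoft.com",
        "scp": "User.Read",
        "upn": "user@example.com",  # placeholder account
    }),
    "refresh_token": "PLACEHOLDER-REFRESH-TOKEN",
}


if __name__ == "__main__":
    url, body = build_ropc_request(
        "EXAMPLE-TENANT-ID", "EXAMPLE-CLIENT-ID",
        "user@example.com", "not-a-real-password",
    )
    print(url)
    print(body)
    print(summarize_token_response(SAMPLE_RESPONSE))
```

The point of the summary function is the defender's view of the response: a successful ROPC call returns an access token scoped to Graph plus, with offline_access, a long-lived refresh token, which is why a sign-in that never reaches the log is so much worse than a bare password check.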