{"time": "2023-10-27T16:17:21.8966993Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "900941", "resultSignature": "None", "resultDescription": "Other", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "9fe56529-68f8-4b75-9736-bebccfb9d900", "createdDateTime": "2023-10-27T16:14:15.0050389+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 900941, "failureReason": "Other", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.756160736083984, "longitude": -73.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "9fe56529-68f8-4b75-9736-bebccfb9d900", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 575, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T16:14:15.0050389+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": false, "authenticationStepResultDetail": "Other", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}, {"authenticationStepDateTime": "2023-10-27T16:14:14+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA successfully completed", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 1698423254124, "RequestSequence": 1698423242832}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "KWXln_hodUuXNr68z7nZAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T16:16:45.6132370Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "900941", "resultSignature": "None", "resultDescription": "Other", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "9fe56529-68f8-4b75-9736-bebccfb9d900", "createdDateTime": "2023-10-27T16:14:15.0050389+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 900941, "failureReason": "Other", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.756160736083984, "longitude": -73.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "9fe56529-68f8-4b75-9736-bebccfb9d900", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 575, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T16:14:15.0050389+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": false, "authenticationStepResultDetail": "Other", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}, {"authenticationStepDateTime": "2023-10-27T16:14:15.0050389+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "KWXln_hodUuXNr68z7nZAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T16:16:09.1982188Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "900941", "resultSignature": "None", "resultDescription": "Other", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "9fe56529-68f8-4b75-9736-bebccfb9d900", "createdDateTime": "2023-10-27T16:14:15.0050389+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 900941, "failureReason": "Other", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.756160736083984, "longitude": -73.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "9fe56529-68f8-4b75-9736-bebccfb9d900", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 575, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T16:14:15.0050389+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "KWXln_hodUuXNr68z7nZAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T16:16:03.3295822Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "900941", "resultSignature": "None", "resultDescription": "Other", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "9fe56529-68f8-4b75-9736-bebccfb9d900", "createdDateTime": "2023-10-27T16:14:15.0050389+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 900941, "failureReason": "Other", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.756160736083984, "longitude": -73.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "9fe56529-68f8-4b75-9736-bebccfb9d900", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 575, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T16:14:15.0050389+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "KWXln_hodUuXNr68z7nZAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T16:15:55.2019306Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "900941", "resultSignature": "None", "resultDescription": "Other", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "9fe56529-68f8-4b75-9736-bebccfb9d900", "createdDateTime": "2023-10-27T16:14:15.0050389+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 900941, "failureReason": "Other", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.756160736083984, "longitude": -73.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "985f8d43-4e32-4e66-800d-7214f029ed0e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "9fe56529-68f8-4b75-9736-bebccfb9d900", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 575, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T16:14:15.0050389+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "KWXln_hodUuXNr68z7nZAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T16:14:14.9747033Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Consent to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "resultDescription": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "durationMs": 0, "callerIpAddress": "13.85.188.242", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "Level": 4, "properties": {"id": "Directory_864210f1-2950-47cb-9e12-1a71dcbdb1d5_DO21D_338329364", "category": "ApplicationManagement", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "result": "failure", "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "activityDisplayName": "Consent to application", "activityDateTime": "2023-10-27T16:14:14.9747033+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "13.85.188.242", "roles": []}}, "targetResources": [{"id": "6228c72e-8895-4681-bbda-238132dc4f3c", "displayName": "Bad App 1", "type": "Application", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.IsAppOnly", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.OnBehalfOfAll", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.Tags", "oldValue": null, "newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\""}, {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[] => [[Id: AAAAAAAAAAAAAAAAAAAAALSZcc5Sj_NGtUtP2B3pYeI2veRXIpdKSpcpcgPY4Aty, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: 57e4bd36-9722-4a4a-9729-7203d8e00b72, ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: Principal, Scope: Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadBasic.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared User.Read, CreatedDateTime: , LastModifiedDateTime ]]; \""}, {"displayName": "ConsentAction.Reason", "oldValue": null, "newValue": "\"Risky application detected\""}, {"displayName": "MethodExecutionResult.", "oldValue": null, "newValue": "\"Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}} {"time": "2023-10-27T16:14:14.2881553Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Update user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "13.85.184.247", "correlationId": "26980f9a-be06-41b7-a237-19eb510682cd", "identity": "Azure MFA StrongAuthenticationService", "Level": 4, "properties": {"id": "Directory_26980f9a-be06-41b7-a237-19eb510682cd_QSAV5_197429146", "category": "UserManagement", "correlationId": "26980f9a-be06-41b7-a237-19eb510682cd", "result": "success", "resultReason": "", "activityDisplayName": "Update user", "activityDateTime": "2023-10-27T16:14:14.2881553+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "Azure MFA StrongAuthenticationService", "servicePrincipalId": "e80590c4-87c0-491b-829b-11d2e23ea384", "servicePrincipalName": null}}, "targetResources": [{"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "type": "User", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "modifiedProperties": [{"displayName": "StrongAuthenticationPhoneAppDetail", "oldValue": "[{\"DeviceName\":\"iPhone 14 Pro\",\"DeviceToken\":\"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\"DeviceTag\":\"SoftwareTokenActivated\",\"PhoneAppVersion\":\"6.7.15\",\"OathTokenTimeDrift\":0,\"DeviceId\":\"00000000-0000-0000-0000-000000000000\",\"Id\":\"6a53b3ef-9cdd-432f-b194-6fc3668280b3\",\"TimeInterval\":0,\"AuthenticationType\":3,\"NotificationType\":2,\"LastAuthenticatedTimestamp\":\"2023-10-23T20:43:50.3085908Z\",\"AuthenticatorFlavor\":null,\"HashFunction\":null,\"TenantDeviceId\":null,\"SecuredPartitionId\":0,\"SecuredKeyId\":0}]", "newValue": "[{\"DeviceName\":\"iPhone 14 Pro\",\"DeviceToken\":\"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\"DeviceTag\":\"SoftwareTokenActivated\",\"PhoneAppVersion\":\"6.7.15\",\"OathTokenTimeDrift\":0,\"DeviceId\":\"00000000-0000-0000-0000-000000000000\",\"Id\":\"6a53b3ef-9cdd-432f-b194-6fc3668280b3\",\"TimeInterval\":0,\"AuthenticationType\":3,\"NotificationType\":2,\"LastAuthenticatedTimestamp\":\"2023-10-27T16:14:14.1624453Z\",\"AuthenticatorFlavor\":null,\"HashFunction\":null,\"TenantDeviceId\":null,\"SecuredPartitionId\":0,\"SecuredKeyId\":0}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"StrongAuthenticationPhoneAppDetail\""}, {"displayName": "TargetId.UserType", "oldValue": null, "newValue": "\"Member\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "UserType", "value": "Member"}]}}