What Changed
Added a ConditionalAccessBenignStatusCodes watchlist and updated the Conditional Access bypass analytic rule (BypassCondAccessRule) with optional false-positive filtering driven by that watchlist.
Detection Logic
The updated rule queries SigninLogs by ConditionalAccessStatus (0 = Success, 1 = Failure, 2 = Not Applied, 3 = Unknown) to surface sign-ins whose Conditional Access outcome indicates an attempted bypass. The core logic joins authentication events with their Conditional Access policy results and aggregates by user, application, and location. Entity mappings cover Account (UserPrincipalName), IP, and URL.
The watchlist-based filtering, commented out by default, uses a leftanti join against the ConditionalAccessBenignStatusCodes watchlist to drop sign-ins whose result code is listed there as benign; only rows with no match in the watchlist survive the join.
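As an added, self-contained illustration (not the query shipped in BypassCondAccessRule.yaml), the following KQL shows the watchlist pattern that the commented-out block enables. The sign-in rows and the watchlist are constructed inline with datatable so the query runs in any Log Analytics or Kusto query window without touching real telemetry. In the real rule the watchlist comes from _GetWatchlist('ConditionalAccessBenignStatusCodes'); the StatusCode column name, the failure-only filter and the summarize shape below are assumptions made for this example, not copied from the rule.

```kusto
// Constructed sample rows standing in for SigninLogs (not real telemetry).
// ConditionalAccessStatus in the workspace schema is a string; the numeric
// 0-3 values quoted above correspond to "success", "failure", "notApplied", "unknown".
let SampleSigninLogs = datatable(
    TimeGenerated: datetime, UserPrincipalName: string, AppDisplayName: string,
    IPAddress: string, Location: string, ConditionalAccessStatus: string,
    ResultType: string, ResultDescription: string)
[
  datetime(2024-05-01 08:00:00), "alice@contoso.com", "Office 365 Exchange Online", "203.0.113.10", "GB", "failure", "50074",  "Strong Authentication is required.",
  datetime(2024-05-01 08:02:00), "alice@contoso.com", "Office 365 Exchange Online", "203.0.113.10", "GB", "failure", "50076",  "MFA interrupt: user has not completed strong authentication.",
  datetime(2024-05-01 08:05:00), "bob@contoso.com",   "Azure Portal",               "198.51.100.7", "US", "failure", "53003",  "Access has been blocked by Conditional Access policies.",
  datetime(2024-05-01 08:06:00), "bob@contoso.com",   "Azure Portal",               "198.51.100.7", "US", "failure", "53003",  "Access has been blocked by Conditional Access policies.",
  datetime(2024-05-01 08:10:00), "carol@contoso.com", "Microsoft Teams",            "192.0.2.44",   "DE", "failure", "700082", "The refresh token has expired due to inactivity."
];
// Constructed stand-in for _GetWatchlist('ConditionalAccessBenignStatusCodes').
// The column name StatusCode is an assumption; use whatever the shipped CSV defines.
let BenignStatusCodes = datatable(StatusCode: string)
[
  "50074", "50076", "50097", "50125", "50140", "70043", "700082"
];
SampleSigninLogs
// Assumed filter: keep sign-ins where a Conditional Access policy was not satisfied.
| where ConditionalAccessStatus =~ "failure"
// Optional tuning: drop rows whose ResultType is listed as benign.
// leftanti keeps only left-side rows with NO match in the watchlist.
| join kind=leftanti BenignStatusCodes on $left.ResultType == $right.StatusCode
// Aggregate by user, application and location, as the rule does.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            Attempts = count(), ResultTypes = make_set(ResultType),
            IPAddresses = make_set(IPAddress)
    by UserPrincipalName, AppDisplayName, Location
```

Run as written, the query returns a single row for bob@contoso.com (two sign-ins blocked outright by policy, result code 53003); alice's two MFA interrupts and carol's expired refresh token all match the watchlist and are removed by the leftanti join. To check what a watchlist would suppress before enabling it in production, change kind=leftanti to kind=inner and review the rows that come back.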
Security Impact
This is a fidelity (false-positive) improvement, not the closure of a detection gap. The existing detection remains fully functional, now with tuning guidance. The watchlist lists seven sign-in result codes (Entra ID AADSTS error codes, as carried in the SigninLogs ResultType column) that correspond to legitimate authentication flows:
- 50074/50076: strong authentication (MFA) required, and the MFA interrupt shown while the user has not yet satisfied it
- 50097: device authentication required
- 50125: sign-in interrupted by a password reset or password registration requirement
- 50140: "Keep me signed in" (KMSI) interrupt
- 70043/700082: refresh token invalidated by a Conditional Access sign-in frequency policy (70043) or expired through inactivity (700082)
SOC teams can optionally enable the filter to cut noise from these expected flows while retaining full visibility into actual bypass attempts; the default configuration leaves the filter commented out and preserves all alerts. Before enabling it, confirm that none of these codes is itself a signal in your environment: a burst of 50074/50076 against a single account, for example, is the footprint of valid credentials being stopped at the MFA prompt, which some teams prefer to keep visible.
Affected Files
Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
Solutions/Microsoft Entra ID/Package/testParameters.json
Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.csv
Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.json
(packaging artefacts: 3.3.11.zip, ReleaseNotes.md, Solution_AAD.json, createUiDefinition.json, mainTemplate.json)