For nearly a decade the legacy Azure AD Graph API (graph.windows.net) was a defender blind spot: requests to it produced no first-class activity log, so tools like ROADtools (roadrecon) and AADInternals — which lean heavily on AAD Graph — could enumerate an entire tenant with little trace. That changed when Microsoft shipped AADGraphActivityLogs (general availability in 2026), the counterpart to the already-available MicrosoftGraphActivityLogs (graph.microsoft.com). Together these two tables give SOCs request-level visibility into directory API traffic: the caller identity, app, source IP, HTTP method, request URI, and crucially the User-Agent.
This skill is the defensive complement to offensive Entra tooling. It hunts the two Graph activity tables for the behavioral and string fingerprints those tools leave behind. Many operators forget to spoof the User-Agent, so ROADtools (built on Python's aiohttp) emits a User-Agent like Python/3.12 aiohttp/3.10.4, and AADInternals frequently leaves AADInternals or library strings in the agent. Even when the agent is spoofed, the tools betray themselves through a characteristic endpoint-sweep pattern: roadrecon gather pulls users, groups, applications, serviceprincipals, devices, directoryroles, roledefinitions, oauth2permissiongrants, and more within a tight time window — a signature that survives header spoofing.
The activity being detected maps to MITRE ATT&CK T1078.004 – Valid Accounts: Cloud Accounts: an adversary using legitimate (often phished or token-stolen) cloud credentials to enumerate and operate against the tenant via the Graph APIs. These detections both surface live intrusions and validate that the offensive techniques in the companion red-team skills are observable.
SigninLogs and AADNonInteractiveUserSignInLogs for correlationMicrosoftGraphActivityLogs and AADGraphActivityLogs to your workspace), or via CLI:
az monitor diagnostic-settings create \
--name "entra-graph-logs" \
--resource "/providers/microsoft.aadiam/diagnosticSettings" \
--logs '[{"category":"MicrosoftGraphActivityLogs","enabled":true},{"category":"AADGraphActivityLogs","enabled":true}]' \
--workspace "<log-analytics-workspace-id>"
| ID | Technique | Application in this skill |
|---|---|---|
| T1078.004 | Valid Accounts: Cloud Accounts | Detecting adversaries using valid cloud credentials/tokens to enumerate the tenant via the Microsoft Graph and legacy Azure AD Graph APIs |
Related techniques surfaced by these hunts: T1087.004 Account Discovery: Cloud Account, T1069.003 Permission Groups Discovery: Cloud Groups, T1526 Cloud Service Discovery.
Before hunting, verify the data exists and inspect the schema fields you will pivot on.
union withsource=Tbl MicrosoftGraphActivityLogs, AADGraphActivityLogs
| where TimeGenerated > ago(1d)
| summarize Records=count(), LastSeen=max(TimeGenerated) by Tbl
ROADtools uses aiohttp; an un-spoofed run shows python + aiohttp in the User-Agent.
AADGraphActivityLogs
| where TimeGenerated > ago(7d)
| where RequestMethod == "GET"
| where UserAgent contains "python" and UserAgent contains "aiohttp"
| summarize RequestCount = count() by CallerIpAddress, AppId, UserAgent, UserId
| sort by RequestCount desc
AADInternals leaves toolkit/library strings; AzureHound's Go HTTP client and BloodHound tooling have distinctive agents.
union MicrosoftGraphActivityLogs, AADGraphActivityLogs
| where TimeGenerated > ago(7d)
| where UserAgent has_any ("AADInternals", "aad-internals", "azurehound",
"BloodHound", "python-requests", "Go-http-client")
| project TimeGenerated, UserAgent, CallerIpAddress, AppId, UserId, RequestUri
| sort by TimeGenerated desc
Even with a spoofed agent, roadrecon gather touches a recognizable set of directory resources in a short window. Bucket by user and 5 minutes; alert when one identity hits the full sweep.
AADGraphActivityLogs
| where TimeGenerated > ago(1d)
| where RequestMethod == "GET"
| extend TopLevelResource = tolower(tostring(split(split(RequestUri, "?")[0], "/")[3]))
| summarize
TopLevelResources = make_set(TopLevelResource),
AppIds = make_set(AppId),
CallerIPs = make_set(CallerIpAddress),
UserAgents = make_set(UserAgent),
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated)
by UserId, bin(TimeGenerated, 5m)
| where TopLevelResources has_all ("users", "tenantdetails", "groups", "applications",
"serviceprincipals", "devices", "directoryroles", "roledefinitions", "contacts",
"oauth2permissiongrants", "authorizationpolicy")
| project StartTime, EndTime, UserId, AppIds, CallerIPs, UserAgents
Catch tooling that simply makes far more directory reads than a human in a short window.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| where RequestMethod == "GET"
| where RequestUri has_any ("/users", "/groups", "/servicePrincipals", "/applications",
"/directoryRoles", "/roleManagement")
| summarize Reads=count(), Resources=dcount(RequestUri) by UserId, AppId, CallerIpAddress, bin(TimeGenerated, 10m)
| where Reads > 200
| sort by Reads desc
Pivot a suspicious Graph caller back to the sign-in to recover device, location, MFA, and conditional-access result. Note the SignInActivityId in AADGraphActivityLogs may carry == padding versus SigninLogs.UniqueTokenIdentifier.
AADGraphActivityLogs
| where TimeGenerated > ago(1d)
| where UserAgent contains "aiohttp"
| extend TokenId = trim_end("=", tostring(SignInActivityId))
| join kind=leftouter (
SigninLogs
| extend TokenId = tostring(UniqueTokenIdentifier)
| project TokenId, UserPrincipalName, IPAddress, AppDisplayName, ConditionalAccessStatus, DeviceDetail
) on TokenId
| project TimeGenerated, UserId, UserPrincipalName, CallerIpAddress, IPAddress,
AppDisplayName, ConditionalAccessStatus, UserAgent
Promote the highest-fidelity queries (Steps 2-4) to scheduled analytics rules. Set a query period/frequency (e.g., run every 1h over 1d), map the rule to T1078.004, and configure entity mappings (Account = UserId, IP = CallerIpAddress, Host/App = AppId) so incidents enrich automatically. Tune out known automation/service-principal App IDs and approved scanner IPs via a watchlist before enabling.
| Resource | Purpose | Source |
|---|---|---|
| AADGraphActivityLogs reference | Schema and field meaning | https://learn.microsoft.com/entra/identity/monitoring-health/concept-aad-graph-activity-logs |
| MicrosoftGraphActivityLogs | Graph API activity schema | https://learn.microsoft.com/graph/microsoft-graph-activity-logs-overview |
| Invictus-IR writeup | AADGraphActivityLogs hunting queries | https://www.invictus-ir.com/news/the-missing-link-aadgraphactivitylogs-finally-arrives |
| Cloudbrothers analysis | Behavioral fingerprinting of ROADtools | https://cloudbrothers.info/en/aadgraphactivitylogs/ |
| ROADtools | The offensive tool being detected | https://github.com/dirkjanm/ROADtools |
| MITRE T1078.004 | Valid Accounts: Cloud Accounts | https://attack.mitre.org/techniques/T1078/004/ |
| Tool | Primary fingerprint | Table |
|---|---|---|
| ROADtools (roadrecon) | python + aiohttp UA; full directory endpoint sweep in 5 min |
AADGraphActivityLogs |
| AADInternals | AADInternals / toolkit strings in UA; AAD Graph reads |
AADGraphActivityLogs |
| AzureHound | Go HTTP client UA; broad MS Graph enumeration | MicrosoftGraphActivityLogs |
| Generic recon | High GET volume across users/groups/apps/SPs in short window | both |