Microsoft Entra unexpected user authenticated with Azure CLI
Description
AlphaSOC detected a Microsoft Entra authentication from a user via a command-line interface application (such as Azure CLI or Azure PowerShell) when this user does not typically authenticate through CLI tooling. Threat actors who obtain valid user credentials may authenticate via CLI to access Azure resources or Microsoft 365 services in a way that differs from the user's normal interactive sign-in patterns.
Impact
CLI authentication with valid credentials provides programmatic access to Azure and Microsoft 365 resources that the account is permitted to access. An attacker leveraging CLI tools can automate enumeration and exfiltration, manage Azure resources, or access sensitive APIs more efficiently than through a browser session. Unexpected CLI usage may indicate credential compromise by an attacker.
Severity
| Severity | Condition |
|---|---|
| Low | User authenticates via CLI when not previously observed |
Investigation and Remediation
Review the Entra sign-in logs for the user to identify the specific CLI application used, the source IP address and ASN, and the time of authentication. Verify with the user whether they initiated the CLI sign-in. If it was unauthorized, revoke active sessions, reset credentials, and audit the Azure and Microsoft 365 activity performed during the CLI session. Consider restricting CLI application access with Conditional Access policies for users who do not require programmatic Azure access.
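The baseline logic this detection describes, and the investigation fields it asks for (CLI application, source IP and ASN, time), can be reproduced over exported sign-in records. The following is an added example written for this page; it is not AlphaSOC's detection code. It assumes records shaped like the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, appId, ipAddress, autonomousSystemNumber, createdDateTime, status.errorCode), uses the Azure CLI and Azure PowerShell first-party application IDs as recalled from public Microsoft documentation (confirm them against your own tenant's logs), and treats a rolling window of prior CLI sign-ins as the baseline, with the 30-day default being an assumption rather than anything the page states. The sample records are constructed.

```python
"""
Added example (not AlphaSOC code): raise a Low-severity alert the first time a user
signs in to Microsoft Entra through CLI tooling with no CLI sign-in in the baseline window.

Assumptions (not from the page):
  - Records mirror the Microsoft Graph signIn schema fields named below.
  - CLI_APP_IDS holds the Azure CLI / Azure PowerShell app IDs as recalled from public
    documentation; verify them against appDisplayName in your tenant's sign-in logs.
  - A 30-day rolling baseline stands in for "not previously observed".
"""
from datetime import datetime, timedelta

# Well-known first-party app IDs for CLI tooling (assumed; confirm in your tenant).
CLI_APP_IDS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
}


def is_cli_signin(event):
    """Match on appId first, falling back to appDisplayName for exports that omit the ID."""
    return (event.get("appId") in CLI_APP_IDS
            or event.get("appDisplayName") in CLI_APP_IDS.values())


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps Entra emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_unexpected_cli_signins(events, baseline_days=30):
    """Return one alert per user per successful CLI sign-in that is not preceded by
    another successful CLI sign-in from that user within baseline_days."""
    events = sorted(events, key=lambda e: parse_ts(e["createdDateTime"]))
    last_cli_seen = {}   # userPrincipalName -> timestamp of last successful CLI sign-in
    alerts = []
    for e in events:
        # Failed attempts neither grant access nor establish a baseline.
        if e.get("status", {}).get("errorCode", 0) != 0:
            continue
        if not is_cli_signin(e):
            continue
        user = e["userPrincipalName"]
        ts = parse_ts(e["createdDateTime"])
        prev = last_cli_seen.get(user)
        if prev is None or ts - prev > timedelta(days=baseline_days):
            # Carry the fields an analyst needs for the investigation step.
            alerts.append({
                "severity": "Low",
                "user": user,
                "app": CLI_APP_IDS.get(e.get("appId"), e.get("appDisplayName")),
                "ip": e.get("ipAddress"),
                "asn": e.get("autonomousSystemNumber"),
                "time": e["createdDateTime"],
                "reason": ("no prior CLI sign-in observed" if prev is None
                           else f"no CLI sign-in in prior {baseline_days} days"),
            })
        last_cli_seen[user] = ts
    return alerts


# Constructed sample records (documentation IP ranges and a private-use ASN).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Constructed Web App",
     "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "198.51.100.7",
     "autonomousSystemNumber": 64500, "createdDateTime": "2024-05-01T08:00:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "203.0.113.10",
     "autonomousSystemNumber": 64496, "createdDateTime": "2024-05-02T03:12:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "198.51.100.22",
     "autonomousSystemNumber": 64500, "createdDateTime": "2024-04-01T10:00:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "198.51.100.22",
     "autonomousSystemNumber": 64500, "createdDateTime": "2024-04-15T10:00:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "203.0.113.99",
     "autonomousSystemNumber": 64496, "createdDateTime": "2024-05-20T10:00:00Z",
     "status": {"errorCode": 50126}},   # constructed failed attempt: ignored
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure PowerShell",
     "ipAddress": "203.0.113.45", "autonomousSystemNumber": 64496,
     "createdDateTime": "2024-05-03T14:30:00Z"},   # no appId: display-name fallback
]

if __name__ == "__main__":
    for alert in detect_unexpected_cli_signins(SAMPLE_SIGNINS):
        print(alert)
```

Run against the constructed records this raises three alerts (bob's first CLI sign-in, alice's, carol's) and stays quiet for bob's second sign-in two weeks later, while the failed attempt is ignored. Shortening baseline_days makes the detection noisier but quicker to re-alert after a long gap; the page's condition is the stricter "not previously observed", which you get by setting the window longer than your log retention.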