Your Azure Admins Cannot See Four Different Ways Attackers Have Been Logging Into Your Tenant Invisibly for Three Years


By Alex Chen · 7 min read

I want to tell you about something that kept me up until about 3:40 AM last Tuesday, refreshing the TrustedSec blog page like a maniac because I could not believe what I was reading.

A security researcher named Nyxgeek just published full disclosure on not one, not two, but four separate ways to authenticate to Azure Entra ID (get valid tokens, the whole deal) without a single entry appearing in the sign-in logs that every security team on the planet relies on to detect intrusions.

Let me say that again: invisible logins. Four of them. Over three years.

What Happened: The Four Azure Sign-In Log Bypasses

Nyxgeek has been finding these bypasses since 2023. Each one is completely different, and each one exploited a different crack in how Microsoft processes authentication requests versus how it records them in logs.

GraphNinja: The Foreign Tenant Trick (2023)

The first bypass was almost embarrassingly simple. By sending your login attempt to a different Azure tenant endpoint, Microsoft would still validate your password, telling you whether it was correct, but because the tenant was foreign, no log was generated in either tenant. No successful login. No failed login. Nothing.

My colleague Jake, who manages the Microsoft 365 environment of a 200-seat manufacturing company, heard me explain this over lunch and nearly choked on his sandwich. "Wait, so for over a year, someone could have been password spraying our entire directory and I would have seen absolutely zero alerts?"

Yes, Jake. Exactly that.

GraphGhost: The Invalid Parameter Gambit (2024)

The second bypass was cleverer. By supplying an invalid value for specific logon parameters, the authentication flow would validate the credentials (confirming the password was correct) and then fail the overall request. Microsoft treated it as a failed auth flow, not a successful credential validation, so no "successful login" event was logged. The password check still happened, though. Silently.

Bypasses Three and Four: Full Token Retrieval (2025-2026)

Here is where it gets genuinely terrifying. The first two bypasses only confirmed whether a password was valid. The latest two? They returned fully functioning access tokens. Not just password validation: actual bearer tokens and refresh tokens that could access the Microsoft Graph API.

Invisible. Functional. Tokens.

I asked my friend Dana, who runs incident response for a mid-size financial services firm, what she thought. Her exact words: "This is the kind of thing that makes me want to burn my SIEM to the ground and start over."

Why This Matters More Than You Think

Every single Azure security playbook, from Microsoft's own documentation to CrowdStrike's best practices, tells you to monitor sign-in logs for suspicious activity. Impossible travel alerts? Based on sign-in logs. Password spray detection? Sign-in logs. Conditional access policy enforcement logging? You guessed it.

If the log entry never gets created, none of your detection rules fire. Your SIEM is a very expensive nightlight.

"See that nice dashboard with the green checkmarks in your SOC?" Yeah, that is exactly where your false sense of security lives.

The Scale of Potential Exposure

According to Microsoft's own 2025 annual report, over 720,000 organizations use Azure Active Directory (now Entra ID). Each one relies on sign-in logs as a primary detection mechanism. The bypasses were eventually patched, but for the window they were active:

  • GraphNinja: approximately 9 months unpatched (August 2023 to May 2024)
  • GraphGhost: approximately 4 months unpatched (December 2024 to April 2025)
  • Bypasses 3 and 4: patched recently, exact timeline not fully disclosed

That is potentially years of invisible access across hundreds of thousands of tenants.

How to Detect What the Logs Missed

Look, I am not going to sugarcoat this: if someone used these bypasses against your organization during the vulnerability windows, your standard detection would have caught precisely nothing. But there are secondary indicators you can hunt for.

1. Hunt for Token Usage Without Corresponding Sign-In Events

Even if the authentication bypassed logging, using the token still generates activity. In the Azure AD audit logs and Microsoft Graph activity logs, look for API calls that do not have a matching sign-in event within a reasonable time window.

Here is a KQL query to get you started:

// Every sign-in the logs did capture over the last 90 days, collected per user
let signins = SigninLogs
| where TimeGenerated > ago(90d)
| summarize SignInTimes=make_set(TimeGenerated) by UserPrincipalName;
// Directory changes initiated by a user account (app-initiated changes carry no user UPN)
let activity = AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName has_any ("Update user", "Add member", "Reset password")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Actor);
// leftanti keeps only the audit rows whose actor has no sign-in row at all in the window
activity
| join kind=leftanti signins on $left.Actor == $right.UserPrincipalName
| project TimeGenerated, Actor, OperationName, TargetResources

This query returns audit log entries from users who have no sign-in event at all in the 90-day window; it does not check, per event, whether a sign-in happened shortly before the change. Not perfect, but it is a starting point.
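To make the "reasonable time window" from the step above concrete, here is an added example (mine, not code from the original post or from TrustedSec) that does the same correlation offline over exported log lines, but flags an audit event unless its actor has a successful sign-in within a window before it. The records are constructed JSON lines shaped like a Log Analytics export of SigninLogs and AuditLogs; the field names follow those tables, the data, users and tenant are invented, and the 24-hour window is an assumption to tune to your token lifetimes.

```python
"""Find directory changes with no recent successful sign-in by the same user.

Added example, not code from the original post or from TrustedSec. Unlike the
KQL query above it applies a time window: an audit event counts as explained
only if the actor has a successful sign-in at most WINDOW before it.
"""
import bisect
import json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)  # assumed "reasonable" window; tune to your token lifetimes

# Constructed sample data (not real tenants or users), UTC ISO-8601 as exported.
SIGNIN_LINES = """
{"TimeGenerated": "2026-03-02T08:01:10Z", "UserPrincipalName": "alice@contoso.example", "ResultType": "0"}
{"TimeGenerated": "2026-03-02T09:15:00Z", "UserPrincipalName": "bob@contoso.example", "ResultType": "50126"}
{"TimeGenerated": "2026-03-03T07:58:42Z", "UserPrincipalName": "alice@contoso.example", "ResultType": "0"}
"""

AUDIT_LINES = """
{"TimeGenerated": "2026-03-02T08:05:30Z", "OperationName": "Update user", "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}}
{"TimeGenerated": "2026-03-02T11:40:00Z", "OperationName": "Add member to group", "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}}
{"TimeGenerated": "2026-03-02T23:12:05Z", "OperationName": "Reset password", "InitiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}}}
{"TimeGenerated": "2026-03-03T08:20:00Z", "OperationName": "Update user", "InitiatedBy": {"app": {"displayName": "Constructed Sync App"}}}
{"TimeGenerated": "2026-03-04T20:00:00Z", "OperationName": "Reset password", "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}}
"""


def parse_ts(value):
    """ISO-8601 with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def load_jsonl(text):
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_signin_index(signins):
    """Map lower-cased UPN -> sorted times of successful sign-ins (ResultType 0)."""
    index = {}
    for rec in signins:
        if str(rec.get("ResultType")) != "0":
            continue  # a failed sign-in does not prove a session existed
        upn = rec["UserPrincipalName"].lower()
        index.setdefault(upn, []).append(parse_ts(rec["TimeGenerated"]))
    for times in index.values():
        times.sort()
    return index


def find_orphan_activity(audits, index, window=WINDOW):
    """Return audit events whose user actor has no successful sign-in within `window` before them."""
    orphans = []
    for ev in audits:
        actor = ev.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName")
        if not actor:
            continue  # app/service-principal actors belong in the workload identity logs instead
        actor = actor.lower()
        t = parse_ts(ev["TimeGenerated"])
        times = index.get(actor, [])
        i = bisect.bisect_right(times, t)  # number of sign-ins at or before the event
        if i == 0:
            reason = "no successful sign-in before this event"
        elif t - times[i - 1] > window:
            reason = f"last successful sign-in {t - times[i - 1]} earlier"
        else:
            continue  # explained by a recent sign-in
        orphans.append({"time": ev["TimeGenerated"], "actor": actor,
                        "operation": ev["OperationName"], "reason": reason})
    return orphans


if __name__ == "__main__":
    idx = build_signin_index(load_jsonl(SIGNIN_LINES))
    for orphan in find_orphan_activity(load_jsonl(AUDIT_LINES), idx):
        print(orphan)
```

On the sample data this flags three events: bob (his only sign-in was a failure), carol (no sign-in at all) and alice's second password reset, which comes 36 hours after her last recorded sign-in. App-initiated changes are skipped on purpose; those need the workload identity logs from step 3.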

2. Monitor the OAuth2 Token Endpoint Directly

If you have network monitoring that captures requests to login.microsoftonline.com/*/oauth2/v2.0/token, look for ROPC (Resource Owner Password Credentials) flow usage. ROPC is the authentication method all four bypasses used. In 2026, legitimate ROPC usage should be rare.
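As an added example of this hunt (my code, not the post's or TrustedSec's), the script below parses constructed proxy log lines for token endpoint requests and flags two things: the ROPC grant (`grant_type=password`) and, in the spirit of the GraphNinja foreign tenant trick, requests that carry one of your users' UPNs but target a tenant that is not yours. It assumes a TLS-inspecting proxy that records the POST body in pipe-separated fields (timestamp|client_ip|method|url|body); the log format, the home tenant identifiers and the sample lines are all invented for illustration.

```python
"""Flag ROPC and foreign-tenant token requests in proxy logs.

Added example, not code from the original post or from TrustedSec. Assumes a
TLS-inspecting proxy log with pipe-separated fields; format and data are
constructed. Credential fields are dropped before anything is reported.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed identifiers for *your* tenant (constructed values, not a real tenant).
HOME_TENANTS = {"contoso.onmicrosoft.com", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
HOME_UPN_DOMAINS = {"contoso.example"}

# Matches /{tenant}/oauth2/token (v1) and /{tenant}/oauth2/v2.0/token (v2).
TOKEN_PATH = re.compile(r"^/([^/]+)/oauth2/(?:v2\.0/)?token/?$")

# Constructed sample log; the hypothetical proxy has already redacted secrets.
PROXY_LINES = """
2026-03-02T08:00:01Z|10.1.4.22|POST|https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token|client_id=11111111-1111-1111-1111-111111111111&grant_type=authorization_code&code=REDACTED&scope=openid
2026-03-02T08:03:15Z|10.1.4.57|POST|https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token|client_id=11111111-1111-1111-1111-111111111111&grant_type=password&username=alice%40contoso.example&password=REDACTED&scope=openid
2026-03-02T08:04:02Z|10.1.4.57|POST|https://login.microsoftonline.com/fabrikam.onmicrosoft.com/oauth2/v2.0/token|client_id=11111111-1111-1111-1111-111111111111&grant_type=password&username=bob%40contoso.example&password=REDACTED&scope=openid
2026-03-02T08:05:40Z|10.1.9.3|POST|https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/token|grant_type=client_credentials&client_id=22222222-2222-2222-2222-222222222222&client_secret=REDACTED
2026-03-02T08:06:00Z|10.1.4.57|GET|https://graph.microsoft.com/v1.0/me|
"""


def parse_token_request(line):
    """Return a dict for a POST to the token endpoint, or None for anything else."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, client_ip, method, url, body = parts
    parsed = urlsplit(url)
    if method != "POST" or parsed.hostname != "login.microsoftonline.com":
        return None
    match = TOKEN_PATH.match(parsed.path)
    if not match:
        return None
    form = {k: v[0] for k, v in parse_qs(body).items()}
    form.pop("password", None)       # never retain credentials in hunt output
    form.pop("client_secret", None)
    return {"ts": ts, "client_ip": client_ip, "tenant": match.group(1).lower(), "form": form}


def classify(req):
    """Name the suspicious properties of one token request."""
    findings = []
    form = req["form"]
    if form.get("grant_type") == "password":
        findings.append("ropc")  # Resource Owner Password Credentials flow
    username = form.get("username", "")
    domain = username.rsplit("@", 1)[-1].lower() if "@" in username else ""
    if domain in HOME_UPN_DOMAINS and req["tenant"] not in HOME_TENANTS:
        findings.append("foreign_tenant")  # our user, somebody else's tenant endpoint
    return findings


def hunt(log_text):
    """Return the token requests worth a look, oldest first."""
    hits = []
    for line in log_text.strip().splitlines():
        req = parse_token_request(line)
        if req is None:
            continue
        findings = classify(req)
        if findings:
            hits.append({"ts": req["ts"], "client_ip": req["client_ip"], "tenant": req["tenant"],
                         "username": req["form"].get("username"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in hunt(PROXY_LINES):
        print(hit)
```

Two of the five constructed lines are reported: alice's plain ROPC request, and bob's ROPC request aimed at a tenant that is not yours. The authorization-code and client-credentials requests pass, and the Graph call is ignored because it is not a token request. This only works where the proxy actually sees the POST body; without TLS inspection you are limited to hostname and path.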

3. Enable Azure AD Workload Identity Logs

Microsoft introduced enhanced logging for service principal and workload identity sign-ins in late 2025. These logs capture authentication events through a different pipeline than the standard sign-in logs. Cross-reference them.

4. Review Conditional Access Policy Gaps

Conditional Access policies that require MFA or compliant devices would have partially mitigated these attacks: the bypass gets a token, but that token might still be blocked by policy enforcement at the resource level. Check that your policies apply to all authentication flows, not just interactive sign-ins.

5. Check for Unusual Graph API Patterns

If an attacker got tokens through these bypasses, they likely used them to query the Graph API for reconnaissance: pulling user lists, group memberships, mail. Look for Graph API calls from unusual IP ranges or at unusual times.

The Bigger Problem: Logging as a Single Point of Failure

I spent 47 minutes on a call with my old boss, a CISO at a healthcare org, arguing about this. His position: "Microsoft patched it, move on." My position: this is a systemic design issue, not a series of bugs.

Here is what I mean. In all four cases, the vulnerability existed because authentication and logging are separate systems that can get out of sync. Authentication succeeds (or validates credentials), but the logging pipeline does not get the memo. This is not a bug class that gets fixed with one patch. It is an architectural weakness.

(Spoiler: six months from now, someone will find bypass number five. I would bet my annual coffee budget on it.)

Defense in Depth Is Not Optional

If the TrustedSec disclosure teaches us anything, it is this: no single log source should be your only detection mechanism. You need overlapping coverage:

  • Network logs capturing authentication endpoint traffic
  • Azure AD audit logs (different pipeline from sign-in logs)
  • Cloud app session logs from your CASB
  • Endpoint detection correlating user activity with sign-in events
  • Email gateway logs for OAuth consent phishing attempts

And honestly? Run the KQL queries above quarterly. Set a calendar reminder. I literally have a recurring 2 PM Friday slot called "Ghost Hunt" where I run detection queries for anomalous token usage. My team thinks I am paranoid. After this week, they have stopped saying that.

What Microsoft Needs to Do

I am going to say something that might get me uninvited from the next MVP Summit: Microsoft needs to treat sign-in logging as a security-critical system, not an observability feature.

Specifically:

  1. Immutable authentication receipts: every successful credential validation generates a tamper-proof log entry at the authentication layer, before any downstream processing
  2. Log completeness monitoring: an internal system that detects when tokens are issued without corresponding log entries
  3. Third-party log verification: let customers independently verify that their sign-in logs are complete, not just trust that Microsoft got it right

Until then, we are all building our detection on someone else's homework, hoping they did not make mistakes. Four times in three years suggests they are making mistakes.

The Bottom Line

Look, I know this article is long and technical and probably made your eyes glaze over at the KQL section. But here is what I need you to take away:

If your organization uses Azure Entra ID (and statistically, there is a 60% chance it does), your sign-in logs were not complete for significant periods between 2023 and 2026. The bypasses are now patched, but the tokens that were silently issued during those windows could still be in use if they were converted to long-lived refresh tokens.

Run the detection queries. Check for ghost tokens. And for the love of everything, stop treating sign-in logs as your single source of truth.

I am going to go make my fourth coffee of the morning and stare at KQL queries until my eyes hurt. You should probably do the same.

Sources: TrustedSec Full Disclosure, Microsoft Entra Sign-In Logs Documentation, Microsoft Azure Customer Data. This article is for educational and informational purposes only. Consult your security team before making changes to your Azure environment.

Need help auditing your Azure environment for sign-in log gaps and invisible access? Wardigi provides cybersecurity consulting and cloud security assessments for businesses of all sizes.

