Today I Learned (TIL) on Nicola Suterhttps://tech.nicolonsky.ch/categories/today-i-learned-til/Recent content in Today I Learned (TIL) on Nicola SuterHugo -- gohugo.ioen-US© 2026 Nicola SuterWed, 20 May 2026 12:00:01 +0000Microsoft Authenticator App Details now exposed in Entra SignInLogshttps://tech.nicolonsky.ch/til/authenticationappdevicedetails/Wed, 20 May 2026 12:00:01 +0000https://tech.nicolonsky.ch/til/authenticationappdevicedetails/<p>In response to CVE-2026-41615<cite><sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></cite> (Microsoft Authenticator Information Disclosure Vulnerability), Microsoft started exposing the used Microsoft Authenticator app details as part of the Entra ID Sign-In Logs in the <code>AuthenticationAppDeviceDetails</code> column. The information can be queried via KQL.</p> <p>You can use the below KQL query to find users with outdated Microsoft Authenticator app versions, which are vulnerable:</p> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="AuthenticationAppDeviceDetails" src="https://tech.nicolonsky.ch/content/images/2026/til/AuthenticationAppDeviceDetails.png" ></figure> <div class="highlight-wrapper"><pre tabindex="0"><code class="language-kusto" data-lang="kusto">// https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41615 let MinimumVersions = datatable( AuthenticatorOperatingSystem: string, PatchedAuthenticatorVersion: string )[ &#34;Android&#34;, &#34;6.2605.2973&#34;, &#34;Ios&#34;, &#34;6.8.47&#34; ]; SigninLogs | where isnotempty(AuthenticationAppDeviceDetails) | extend AuthenticationAppDetails = parse_json(AuthenticationAppDeviceDetails) | extend AuthenticatorOperatingSystem = tostring(AuthenticationAppDetails.operatingSystem) | extend UsedAuthenticatorVersion = tostring(AuthenticationAppDetails.appVersion) // b2b and guest accounts include: {&#34;deviceId&#34;:&#34;{PII Removed}&#34;} and no authenticator details | where isnotempty(UsedAuthenticatorVersion) | join kind=leftouter MinimumVersions on AuthenticatorOperatingSystem | extend isVulnerable = parse_version(UsedAuthenticatorVersion) &lt; parse_version(PatchedAuthenticatorVersion) | where isVulnerable | distinct UserPrincipalName, AuthenticatorOperatingSystem, UsedAuthenticatorVersion, isVulnerable</code></pre></div> <p>The <code>AuthenticationAppDeviceDetails</code> (JSON) column itself consists of the following properties:</p> <ul> <li>appVersion</li> <li>clientApp</li> <li>deviceId</li> <li>operatingSystem</li> </ul> <p>The <code>clientApp</code> property is really helpful, as we now also have another option to identify users who use the Authenticator light capabilities, available as part of the Outlook app:</p> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="AuthenticationAppDetailsClientApp" src="https://tech.nicolonsky.ch/content/images/2026/til/AuthenticationAppDetailsClientApp.png" ></figure> <div class="highlight-wrapper"><pre tabindex="0"><code class="language-kusto" data-lang="kusto">SigninLogs | where isnotempty(AuthenticationAppDeviceDetails) | extend AuthenticationAppDetails = parse_json(AuthenticationAppDeviceDetails) | extend AuthenticationAppDetailsClientApp = tostring(AuthenticationAppDetails.clientApp) | where AuthenticationAppDetailsClientApp == &#34;Outlook&#34; | distinct UserPrincipalName, AuthenticationAppDetailsClientApp</code></pre></div> <p>This might be relevant in your environment if you did not disable the Microsoft-managed setting for using the Authenticator light option, which, for example, does not support Conditional Access authentication strengths, passkeys, and app protection policies:</p>