Sekoia.io’s threat research team has published a breakthrough investigation shedding light on the long-unexplained UserAuthenticationMethod field found in Microsoft 365 audit logs.
Their analysis reveals that this numeric value, often observed as integers like 16, 272, or 33554432, represents a bitfield, a binary-encoded mapping where each bit corresponds to a specific authentication method.
This discovery provides much-needed transparency for defenders investigating sign-in events across Microsoft’s cloud ecosystem.
For years, analysts reviewing Microsoft 365 sign-in events faced a central blind spot: audit entries logged an undocumented integer under UserAuthenticationMethod, leaving its meaning unclear.
Through careful correlation between Microsoft 365 audit logs and Microsoft Entra ID sign-in logs, the Sekoia team successfully reverse-engineered the bitwise logic hidden within the field.
They demonstrated that by converting the numeric value to binary, analysts can identify which authentication methods were used during login, including primary and multi-factor authentication steps.
Mapping Authentication Methods
Each bit within the field signifies a different sign-in mechanism. For example, bit 0 (decimal 1) marks “Password in the Cloud,” bit 4 (16) represents “Password Hash Sync,” and bit 6 (64) corresponds to “Passwordless Phone Sign-in.”
Other bits denote advanced methods like “Windows Hello for Business” (bit 18 – 262144), “Passkey (device-bound)” (bit 25 – 33554432), and “QR code authentication transfer” (bit 19 – 524288).
The bitfield even tracks staged rollout conditions, using bit 8 (256) to indicate methods active through hybrid deployments.
When multiple authentication types are used in sequence, their bit values combine. For example, a value such as 272 (binary 100010000) contains bits 4 and 8, decoding to “Password Hash Sync via Staged Rollout.”
A more complex case, 33554704, represents a password-based login enhanced by a passkey, showing simultaneous use of bits 4, 8, and 25.
To build this mapping, Sekoia analysts matched log entries sharing the same correlation identifiers: InterSystemsId in Microsoft 365 and correlationId in Entra ID.
By analyzing fields like authenticationMethodDetail, they confirmed which authentication approaches corresponded to observed bit positions. Controlled tests further validated their hypotheses, differentiating closely related modes such as “QR code” versus “QR code pin.”
Security and Detection Impact
This knowledge closes a significant visibility gap for incident responders. By decoding the bitfield, analysts can monitor adoption of phishing-resistant authentication like Passkeys or Windows Hello, trace hybrid staged rollouts, and recognize weak sign-in methods directly from audit data.
Some bits remain unmapped, signaling Microsoft’s ongoing evolution of sign-in technology. Sekoia.io urges defenders to contribute new findings, helping strengthen the collective understanding of Microsoft 365’s authentication telemetry.
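The decoding described above, as an added Python example that is not Sekoia's or Microsoft's code: it uses only the bit positions named in this article and reports any other set bit as unmapped. The flat record layout, the `UserId` field and the sample records are assumptions constructed for illustration.

```python
import json

# Bit positions and labels as listed in the article; any other bit is unmapped here.
METHOD_BITS = {
    0: "Password in the Cloud",
    4: "Password Hash Sync",
    6: "Passwordless Phone Sign-in",
    8: "Staged Rollout",
    18: "Windows Hello for Business",
    19: "QR code authentication transfer",
    25: "Passkey (device-bound)",
}
PHISHING_RESISTANT_BITS = (18, 25)  # Windows Hello and Passkey, per the article

def decode(value):
    """Return (known method labels, unmapped bit positions) for one bitfield value."""
    value = int(value)  # exports may carry the number as a string
    if value < 0:
        raise ValueError("bitfield must be non-negative")
    known, unmapped = [], []
    for bit in range(value.bit_length()):
        if value >> bit & 1:
            if bit in METHOD_BITS:
                known.append(METHOD_BITS[bit])
            else:
                unmapped.append(bit)
    return known, unmapped

def is_phishing_resistant(value):
    return any(int(value) >> bit & 1 for bit in PHISHING_RESISTANT_BITS)

def triage(json_lines):
    """Decode each record, skipping those without the field (assumed flat layout)."""
    rows = []
    for line in json_lines:
        rec = json.loads(line)
        raw = rec.get("UserAuthenticationMethod")
        if raw is not None:
            rows.append((rec.get("UserId"), *decode(raw), is_phishing_resistant(raw)))
    return rows

# Constructed records, not real audit data; 2064 is a made-up value with unmapped bit 11.
SAMPLE = [
    '{"UserId": "a@example.test", "UserAuthenticationMethod": 272}',
    '{"UserId": "b@example.test", "UserAuthenticationMethod": "33554704"}',
    '{"UserId": "c@example.test", "UserAuthenticationMethod": 2064}',
    '{"UserId": "d@example.test"}',
]

if __name__ == "__main__":
    for user, known, unmapped, resistant in triage(SAMPLE):
        print(user, known, "unmapped bits:", unmapped, "phishing-resistant:", resistant)
```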