@rezamt
Last active May 27, 2025 04:52
Sign-in error codes

DeepSearch Critical Error Codes to Monitor:

AADSTS50000 - TokenIssuanceError (Sign-in service issue)

AADSTS50001 - InvalidResource (Resource disabled or doesn't exist)

AADSTS50053 - IdsLocked (Account locked due to suspicious activity)

AADSTS50055 - InvalidPasswordExpiredPassword (Password expired)

AADSTS50057 - UserDisabled (User account disabled)

AADSTS50058 - UserInformationNotProvided (SSO session issue)

AADSTS50059 - MissingTenantRealm (Tenant not found)

AADSTS50076 - UserStrongAuthClientAuthNRequired (MFA required)

AADSTS50079 - UserStrongAuthEnrollmentRequired (MFA setup required)

AADSTS50105 - EntitlementGrantsNotFound (User not assigned to app role)

AADSTS53000 - DeviceNotCompliant (Conditional Access: Device not compliant)

AADSTS53001 - DeviceNotDomainJoined (Conditional Access: Device not domain-joined)

AADSTS53003 - BlockedByConditionalAccess (Access blocked by policy)

AADSTS530032 - BlockedByConditionalAccessOnSecurityPolicy (Tenant security policy block)

AADSTS65001 - DelegationDoesNotExist (User/admin hasn’t consented to app)

AADSTS700016 - UnauthorizedClient_DoesNotMatchRequest (App not found in tenant)

AADSTS7000215 - InvalidClientSecret (Invalid client secret)

AADSTS7000222 - InvalidClientSecretExpiredKeys (Expired client secret keys)

AADSTS90094 - AdminConsentRequired (Admin consent needed)

AADSTS120000-120021 (Password change failures, account lockouts, SSPR issues)

🔔 Critical Microsoft Entra Error Codes to Monitor

This document outlines the most important Microsoft Entra (formerly Azure AD) authentication and authorization error codes that should be monitored and trigger alerts. These errors typically indicate authentication failures, policy violations, or service issues that may impact user access or security posture.

🚨 High-Priority Error Codes

🔐 Authentication Failures

| Error Code | Description |
|---|---|
| AADSTS50053 | Account locked after repeated failed sign-ins, or sign-in blocked from an IP address with known malicious activity. |
| AADSTS50055 | Password expired. |
| AADSTS50057 | User account disabled. |
| AADSTS50126 | Invalid username or password. |
| AADSTS50076 | MFA required but not completed. |
| AADSTS50078 | MFA claim expired; re-authentication required. |
| AADSTS50079 | MFA enrollment required. |
| AADSTS50072 | MFA enrollment required (interactive interrupt). |

🚫 Access Denied / Policy Enforcement

| Error Code | Description |
|---|---|
| AADSTS53003 | Blocked by Conditional Access. |
| AADSTS53000 | Device not compliant. |
| AADSTS53001 | Device not domain joined. |
| AADSTS50020 | User unauthorized (for example, an external user who has not been added to the tenant). |
| AADSTS50105 | User not assigned to the application. |

⚠️ Configuration or Token Issues

| Error Code | Description |
|---|---|
| AADSTS7000215 | Invalid client secret. |
| AADSTS7000222 | Expired client secret. |
| AADSTS70011 | Invalid scope requested by the application. |
| AADSTS50058 | User not signed in (SSO session information insufficient). |
| AADSTS50008 | Token signature could not be verified (invalid SAML token). |
| AADSTS50003 | No signing key configured. |

🛑 Service or System Errors

| Error Code | Description |
|---|---|
| AADSTS50000 | Token issuance error (sign-in service issue). |
| AADSTS90055 | Tenant throttling error (too many requests). |
| AADSTS90033 | MSODS service unavailable. |

📘 Notes

  • These codes should be integrated into your SIEM, Azure Monitor, or Sentinel alerting rules.
  • Consider correlating with user activity logs and Conditional Access policies for deeper insights.

High-Priority Authentication/Authorization Error Codes to Monitor & Alert On

Authentication Failures & Account Security

  • AADSTS50053: Account locked after too many failed sign-in attempts, or sign-in blocked because of a risky sign-in.
    Security implication: password brute force or spraying, lockout-driven denial of service, or an identity-protection risk block.
  • AADSTS50055 / AADSTS50144: Password expired / user's on-premises AD password expired.
    Security and operational impact: degraded user access; often a sign of aged or neglected accounts.
  • AADSTS50057: User account is disabled.
    Attempts to use a disabled account are expected after offboarding; they are suspicious if the account was disabled for cause or if the attempts persist, and unexpected disablements may indicate unauthorized admin activity.
  • AADSTS50034 / AADSTS51004: User account does not exist in the tenant.
    Possible use of leaked or guessed credential lists, account enumeration, or misrouted authentication attempts.
  • AADSTS50064 / AADSTS50126: Credential validation failed / invalid username or password.
    Attack indicator: monitor per-user and per-IP volume spikes; bursts against many accounts from one source indicate password spraying.
  • AADSTS70000: InvalidGrant, the refresh token is not valid (expired, revoked, or possibly stolen and already invalidated).
  • AADSTS50076 / AADSTS50074 / AADSTS50079 / AADSTS50078: MFA was required (50076, 50074), MFA enrollment was required (50079), or the MFA claim had expired (50078), and the user did not complete it.
    Critical for organizations enforcing strong authentication.

Conditional Access, Device & Compliance

  • AADSTS53000: Device not compliant.
    Sign-ins from devices that fail compliance policy: unmanaged devices, drifted configuration, or deliberate attempts to bypass device controls.
  • AADSTS53001: Device not domain joined.
    Indicator of rogue/unmanaged devices.
  • AADSTS53003 / AADSTS530035 / AADSTS530032: Access blocked by Conditional Access/Security Defaults/Security Policy.
    Critical for understanding policy enforcement and attempted bypass/misuse.

App, Resource & Tenant Misconfigurations (Possible Attacks or Broken Integrations)

  • AADSTS50001 / AADSTS500011 / AADSTS500014: InvalidResource, InvalidResourceServicePrincipalNotFound, Service Principal Disabled.
  • AADSTS50105: User not assigned to app role.
  • AADSTS65001 / AADSTS90094 / AADSTS90095: Delegation/Admin Consent Required.
  • AADSTS70001 / AADSTS700016 / AADSTS7000112 / AADSTS70002: UnauthorizedClient, App not found/disabled, Invalid client credentials.
  • AADSTS75005 / AADSTS50008: SAML assertion invalid or missing.

Certificates, Keys & Signing Issues

  • AADSTS50003: Missing signing key/certificate.
  • AADSTS50006 / AADSTS50017 / AADSTS50146: Signature, Certificate or signing key issues.
  • AADSTS7000222: Client secret keys are expired.

External/Federated IDP Issues

  • AADSTS40008 / AADSTS40009 / AADSTS40015: Federation/IDP errors; if you use external IdPs or B2B.
  • AADSTS20001 / AADSTS20012 / AADSTS20033: WS-Fed errors; federated sign-in used.

Infrastructure/Availability/Abuse

  • AADSTS90012 / AADSTS90033 / AADSTS90036: Request timeout/service unavailable.
  • AADSTS90055: Tenant throttling (potential DoS or overuse).
  • AADSTS50196: Client loop detected (redirect loop from an application misconfiguration, abuse, or a denial-of-service pattern).
  • AADSTS70008 / AADSTS700082 / AADSTS700084: Refresh token expired or revoked (70008 and 700082: inactivity; 700084: the fixed 24-hour lifetime of refresh tokens issued to single-page apps).

Summary Table: Top Codes to Monitor and Alert

| Error Code(s) | Reason to Monitor & Alert |
|---|---|
| AADSTS50053 | Account locked due to sign-in failures / risky sign-in |
| AADSTS50034 | Account not found in tenant (possible credential leak or enumeration) |
| AADSTS50055 | Password expired (user lockout, process issue) |
| AADSTS50057 | User account disabled (admin/HR/suspicious disablement) |
| AADSTS50064 | Invalid credentials (spikes indicate brute force or spraying) |
| AADSTS50076 | MFA required (failure/interrupt, security enforcement) |
| AADSTS53000 / 53001 / 53003 | Conditional Access policy / device compliance blocks |
| AADSTS50001 | Invalid resource, missing/wrong app registration |
| AADSTS50003 / 50006 / 50017 / 7000222 | Signing/certificate/key errors or expired client secret |
| AADSTS90055 | Tenant throttling (possible DoS or app abuse) |
| AADSTS50105 | User not assigned to app/role |
| AADSTS65001 / 90094 | Consent required (users unable to proceed, possible missing admin action) |
| AADSTS70001 / 700016 / 7000112 | Unauthorized client / app missing or disabled |
| AADSTS90012 / 90033 / 90036 | Service unavailability errors (may impact user/app access) |
| AADSTS40008 / 40009 / 40015 | Federation/IdP issues |

Additional Security/Operational Notes

  • Monitor for spikes or trends in these error codes, not just single events.
  • Correlate with location, IP, user, and device for possible attack indicators.
  • Monitor for MFA/Strong Auth codes if you enforce these by policy.
  • For most of these, especially account- and app-related blocks, real-time SIEM alerts are recommended.

For a smaller, strict minimum set (if you need only 5–10):

  • AADSTS50053 (account locked/risky sign-in)
  • AADSTS50034/51004 (user account not found)
  • AADSTS50076/50074/50079/50078 (MFA interruptions/failures)
  • AADSTS53000/53001/53003/530035/530032 (Conditional Access blocks)
  • AADSTS90055 (tenant throttling)
  • AADSTS50001/50003 (invalid resource / key/cert missing)
  • AADSTS70001 (unauthorized client)
  • AADSTS90012 (timeout/service unavailable)

If your environment uses SAML or federation, B2B/external identity providers, or a high volume of service-principal automation, extend the set with the federation- and certificate-related codes above (AADSTS50008, AADSTS75005, AADSTS50003/50006/50017/50146, AADSTS7000215/7000222).

For SIEM baselining: raise high or critical alarms for spikes or trends in the codes above, and low-to-moderate alerts for isolated instances. Tenant-level events (throttling, service unavailability) are the exception and warrant an alert on a single occurrence.
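The baselining logic described above, as an added example that is not part of the original gist: a Python version of the same category-and-threshold comparison, run over constructed Microsoft Graph-style sign-in records. It assumes records carry `status.errorCode` as a bare integer (as Entra sign-in logs do; the AADSTS prefix appears only in error text), counts empty days as zero in the baseline, treats tenant-level codes as single-event alerts, and adds the per-IP correlation the notes recommend. The field names `createdDateTime`, `userPrincipalName` and `ipAddress` are from the Graph signIn resource; the sample records, thresholds and category assignments are illustrative and mirror the Splunk search that follows.

```python
"""Baseline-versus-today spike detection over Entra ID sign-in records.
Added example, not the gist author's code.  Records follow the Microsoft Graph
signIn shape (status.errorCode is a bare integer, no AADSTS prefix); SAMPLE at
the bottom is constructed data, not a capture from a real tenant."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Categories keyed by numeric errorCode (listed above as AADSTS<code>).
CATEGORIES = {
    50076: "MFA Issues", 50074: "MFA Issues", 50078: "MFA Issues", 50079: "MFA Issues",
    50053: "Account Lockouts",
    50055: "Password Issues", 50126: "Password Issues",
    53000: "Policy Blocks", 53001: "Policy Blocks", 53003: "Policy Blocks",
    530032: "Policy Blocks", 530035: "Policy Blocks",
}
# Tenant-level codes: a single occurrence is worth an alert, no baseline needed.
TENANT_LEVEL = {90055: "Tenant throttling", 90033: "MSODS service unavailable",
                90012: "Request timeout", 90036: "Service unretryable failure"}

def categorize(code: int) -> str:
    return CATEGORIES.get(code, "Other")

def severity(pct: float) -> str:
    """Same bands as the Splunk search: >200 Critical, >100 High, >50 Moderate."""
    if pct > 200:
        return "Critical"
    if pct > 100:
        return "High"
    if pct > 50:
        return "Moderate"
    return "Low" if pct > 0 else "Normal"

def _day(rec: dict) -> date:
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")).date()

def daily_counts(records, start: date, end: date):
    """{category: Counter({day: n})} for failures (errorCode != 0) with start <= day <= end."""
    out = defaultdict(Counter)
    for r in records:
        code, d = r["status"]["errorCode"], _day(r)
        if code != 0 and start <= d <= end:
            out[categorize(code)][d] += 1
    return out

def spike_report(records, today: date, baseline_days: int = 30, gap_days: int = 0):
    """Today's count per category against the mean daily count of the baseline
    window ending gap_days+1 days ago.  Days with no events count as zero, and a
    category with an empty baseline is graded Critical instead of dividing by zero."""
    b_end = today - timedelta(days=gap_days + 1)
    b_start = b_end - timedelta(days=baseline_days - 1)
    base = daily_counts(records, b_start, b_end)
    cur = daily_counts(records, today, today)
    report = {}
    for cat in (set(base) | set(cur)) - {"Other"}:
        avg = sum(base[cat].values()) / baseline_days
        n = cur[cat][today]
        pct = (float("inf") if n else 0.0) if avg == 0 else round((n - avg) / avg * 100, 2)
        report[cat] = {"today": n, "avg": round(avg, 2), "pct": pct, "severity": severity(pct)}
    return report

def tenant_level_alerts(records, today: date):
    """Each TENANT_LEVEL code seen today, reported once."""
    seen = {r["status"]["errorCode"] for r in records
            if _day(r) == today and r["status"]["errorCode"] in TENANT_LEVEL}
    return sorted((c, TENANT_LEVEL[c]) for c in seen)

def spray_sources(records, today: date, min_users: int = 10):
    """Source IPs with invalid-credential (50126) failures against at least
    min_users distinct accounts today: the per-IP correlation a category total hides."""
    users = defaultdict(set)
    for r in records:
        if _day(r) == today and r["status"]["errorCode"] == 50126:
            users[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}

# ---- constructed sample data ----
def _rec(day: date, code: int, upn="alice@contoso.example", ip="203.0.113.10"):
    return {"createdDateTime": f"{day.isoformat()}T08:00:00Z", "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

TODAY = date(2025, 5, 27)
SAMPLE = []
for i in range(1, 31):                                  # 30 identical baseline days
    d = TODAY - timedelta(days=i)
    SAMPLE += [_rec(d, 50076), _rec(d, 50079)]          # 2 MFA failures per day
    SAMPLE += [_rec(d, 50126)] * 4 + [_rec(d, 50053)]   # 4 bad passwords, 1 lockout
    SAMPLE.append(_rec(d, 0))                           # successes are ignored
SAMPLE += [_rec(TODAY, 50076)] * 8                      # today: MFA failures quadruple
SAMPLE += [_rec(TODAY, 50126)] * 4 + [_rec(TODAY, 50053), _rec(TODAY, 90055)]
SAMPLE += [_rec(TODAY, 50126, upn=f"user{i}@contoso.example", ip="198.51.100.7")
           for i in range(12)]                          # one IP spraying 12 accounts

if __name__ == "__main__":
    for cat, row in sorted(spike_report(SAMPLE, TODAY).items()):
        print(f"{cat:17} today={row['today']:3} avg={row['avg']:5} +{row['pct']}% -> {row['severity']}")
    print("tenant-level:", tenant_level_alerts(SAMPLE, TODAY))
    print("spray sources:", spray_sources(SAMPLE, TODAY))
```

Run it directly to print the per-category report, the tenant-level alert and the spraying source. Two design points: a category whose baseline is empty is graded Critical on first appearance rather than raising a division error (an inner join on the SIEM side would silently drop it), and the password-spray check is deliberately separate from the category totals, because twelve failures spread over twelve accounts from one IP is a different signal from twelve failures by one user.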

```Part 1: daily failure counts per category for the 30-60 day baseline window```
```error_code is assumed to be an indexed field holding the AADSTS-prefixed code, since tstats only sees indexed fields. Raw sign-in records carry the bare number (status.errorCode in the Graph schema, resultType in Azure Monitor exports), so either index a normalized field or use numeric patterns such as "^(50076|50079|50078)$"```
| tstats count where index=entra_logs sourcetype="azure:aad:signin" earliest=-60d@d latest=-30d@d by _time span=1d, error_code
| eval category=case(
    match(error_code, "AADSTS50076|AADSTS50079|AADSTS50078"), "MFA Issues",
    match(error_code, "AADSTS50053"), "Account Lockouts",
    match(error_code, "AADSTS50055|AADSTS50126"), "Password Issues",
    match(error_code, "AADSTS53003|AADSTS53000"), "Policy Blocks",
    true(), "Other"
)
```sum(count) rather than count: each tstats row already carries a count```
| timechart span=1d sum(count) as count by category

```Part 2: today's totals against the baseline's mean daily count, graded by percent increase. The baseline is bucketed by day before averaging; averaging per-code totals over the whole window would compare a 30-day sum with a single day```
| append [
    | tstats count where index=entra_logs sourcetype="azure:aad:signin" earliest=@d latest=now by error_code
    | eval category=case(
        match(error_code, "AADSTS50076|AADSTS50079|AADSTS50078"), "MFA Issues",
        match(error_code, "AADSTS50053"), "Account Lockouts",
        match(error_code, "AADSTS50055|AADSTS50126"), "Password Issues",
        match(error_code, "AADSTS53003|AADSTS53000"), "Policy Blocks",
        true(), "Other"
    )
    | stats sum(count) as today_count by category
    | join type=inner category [
        | tstats count where index=entra_logs sourcetype="azure:aad:signin" earliest=-60d@d latest=-30d@d by _time span=1d, error_code
        | eval category=case(
            match(error_code, "AADSTS50076|AADSTS50079|AADSTS50078"), "MFA Issues",
            match(error_code, "AADSTS50053"), "Account Lockouts",
            match(error_code, "AADSTS50055|AADSTS50126"), "Password Issues",
            match(error_code, "AADSTS53003|AADSTS53000"), "Policy Blocks",
            true(), "Other"
        )
        | stats sum(count) as daily_count by category, _time
        | stats avg(daily_count) as avg_count by category
    ]
    | eval percent_increase=round(((today_count-avg_count)/avg_count)*100, 2)
    | eval alert_severity = case(
        percent_increase > 200, "Critical",
        percent_increase > 100, "High",
        percent_increase > 50, "Moderate",
        percent_increase > 0, "Low",
        true(), "Normal"
    )
    ```optional: keep only significant increases; remove this line to see every category```
    | where percent_increase > 50
    | table category today_count avg_count percent_increase alert_severity
    | rename
        category as "Alert Category",
        today_count as "Today's Count",
        avg_count as "Historical Avg",
        percent_increase as "% Increase",
        alert_severity as "Severity"
]

rezamt commented May 27, 2025

```assumed base search for today's sign-in events; the fragment as posted begins at the eval```
search index="azure" category="SignInLogs" earliest=@d latest=now
| eval category=case(
    resultType==0, "Success",
    resultType==35000, "CA",
    true(), "Others"
)
| stats count by category
| join type=outer category [
    search index="azure" category="SignInLogs" earliest=-30d@d latest=-1d@d
    | eval category=case(
        resultType==0, "Success",
        resultType==35000, "CA",
        true(), "Others"
    )
    ```count per day first, then average the daily counts```
    | bin _time span=1d
    | stats count by category, _time
    | stats avg(count) as avg_30d by category
]
| eval diff_today_vs_30d_avg = count - avg_30d
| table category count avg_30d diff_today_vs_30d_avg


rezamt commented May 27, 2025

```relative_time() and now() return epoch seconds, the same unit as _time, so compare them directly; strftime() strings would be compared as text against a number```
| eval first_day_of_month=relative_time(now(), "@mon")
| eval today=now()
| where _time>=first_day_of_month AND _time<=today


rezamt commented May 27, 2025

| timechart span=1d count by category
| untable _time category count
| stats avg(count) as average by category
