Cyber Security News

Decoding Microsoft 365 Audit Log Events Using Bitfield Mapping Technique – Investigation Report

When users authenticate to Microsoft cloud services, their activities generate authentication events recorded across multiple logging systems.

Microsoft Entra sign-in logs and Microsoft 365 audit logs capture identical authentication events but represent this critical security data using different formats.

Security analysts investigating incidents frequently encounter the UserAuthenticationMethod field in Microsoft 365 sign-in events, which displays cryptic numeric values such as 16, 272, or 33554432 without official documentation from Microsoft explaining their meaning.

This undocumented field has posed challenges for security teams attempting to analyze authentication patterns, identify suspicious login activities, or assess phishing-resistant authentication adoption.

Without documentation, incident responders working in environments where only Microsoft 365 audit logs were available had no reliable way to tell which authentication methods users had employed during sign-in events.

Through systematic correlation analysis between Microsoft Entra sign-in logs and Microsoft 365 audit logs, Sekoia analysts discovered that the UserAuthenticationMethod field operates as a bitfield where each bit position represents a distinct authentication method.

This breakthrough enables security professionals to decode these numeric values into human-readable authentication method descriptions.

The research team mapped each bit position to specific authentication methods by leveraging shared correlation identifiers between the logging systems.

Microsoft 365 audit logs contain an InterSystemsId field while Entra ID logs include a correlationId field, both referencing identical authentication events.

By matching events across sources, researchers correlated numeric UserAuthenticationMethod values with detailed authentication method descriptions found in Entra ID’s authenticationMethodDetail fields.

Decoding the Bitfield Mapping Technique

The bitfield structure allows multiple authentication methods to appear simultaneously in one numeric value.

For instance, the value 272 is 100010000 in binary: bit 4 is set, representing Password Hash Sync (decimal value 16), and bit 8 is set, representing the “via Staged Rollout” modifier (decimal value 256). Together they indicate “Password Hash Sync via Staged Rollout” as the authentication mechanism.

The mapping encompasses 28 documented bit positions, including Password in the cloud at bit 0 (decimal 1), Temporary Access Pass at bit 1, Seamless SSO at bit 2, Windows Hello for Business at bit 18 (decimal 262144), and Passkey at bit 25 (decimal 33554432).

However, several bits remain unmapped including positions 5, 7, 9-17, 22, and 26.
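The decoding described above, written out as an added example (it is not Sekoia's tooling or anything published by Microsoft). It maps only the bit positions the article names, reports the positions the article lists as unmapped by number, and flags any other set bit rather than guessing; the sample audit records are constructed.

```python
# Added example: decode the UserAuthenticationMethod bitfield found in
# Microsoft 365 sign-in audit events. Only bit positions named in the
# article are mapped; everything else is reported by position.

BIT_TO_METHOD = {
    0: "Password in the cloud",
    1: "Temporary Access Pass",
    2: "Seamless SSO",
    4: "Password Hash Sync",
    8: "via Staged Rollout",          # modifier that combines with another method
    18: "Windows Hello for Business",
    25: "Passkey",
}

# Bit positions the article reports as still unmapped.
UNMAPPED_BITS = {5, 7, 22, 26} | set(range(9, 18))


def decode_auth_method(value: int) -> list[str]:
    """Return one label per set bit in `value`, lowest bit first."""
    if value < 0:
        raise ValueError("UserAuthenticationMethod must be non-negative")
    labels = []
    bit = 0
    while value >> bit:                 # stop once no higher bits remain
        if (value >> bit) & 1:
            if bit in BIT_TO_METHOD:
                labels.append(BIT_TO_METHOD[bit])
            elif bit in UNMAPPED_BITS:
                labels.append(f"bit {bit} (unmapped)")
            else:
                labels.append(f"bit {bit} (not listed in this example)")
        bit += 1
    return labels


def describe_auth_method(value: int) -> str:
    """Join the labels the way the article reads them, e.g. 272 ->
    'Password Hash Sync via Staged Rollout'."""
    return " ".join(decode_auth_method(value)) or "none"


def decode_audit_events(events: list[dict]) -> dict[str, str]:
    """Decode a batch of audit records, keyed by InterSystemsId so the result
    can be joined to Entra sign-in logs on their correlationId."""
    return {e["InterSystemsId"]: describe_auth_method(e["UserAuthenticationMethod"])
            for e in events}


SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"InterSystemsId": "evt-1", "UserAuthenticationMethod": 16},
    {"InterSystemsId": "evt-2", "UserAuthenticationMethod": 272},
    {"InterSystemsId": "evt-3", "UserAuthenticationMethod": 33554432},
    {"InterSystemsId": "evt-4", "UserAuthenticationMethod": 262145},  # bits 0 + 18
]
```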


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
