Decoding Microsoft 365 Audit Logs Using Bitfield Mapping: An Investigation Report



Understanding exactly how users authenticate to cloud services is crucial for effective security monitoring.

A recently refined bitfield mapping technique decodes the opaque UserAuthenticationMethod values in Microsoft 365 audit logs, transforming numeric codes into actionable, human-readable descriptions.

This breakthrough empowers incident responders to identify primary authentication methods even when only Microsoft 365 audit logs are available.

When a user signs in to Microsoft’s cloud services, authentication events appear in both Microsoft Entra sign-in logs and Microsoft 365 audit logs.

Although both logs record the same sign-in events, they store the authentication details in different formats: Entra sign-in logs describe the methods in plain text, whereas Microsoft 365 audit logs report only a numeric UserAuthenticationMethod value such as 16, 272, or 33554432, with no official documentation explaining what the numbers mean.

Analysts at Sekoia.io discovered that these integers actually represent a bitfield, where each set bit corresponds to a specific primary authentication method.

By converting the numeric value to binary and identifying active bits, security teams can discern which factors were used during sign-in—including complex combined methods like “Password Hash Sync via Staged Rollout.”

Microsoft 365 and Entra ID Logs

To reverse-engineer the mapping, researchers correlated Microsoft 365 audit log entries with Entra ID sign-in logs sharing the same correlation identifiers (InterSystemsId in audit logs and correlationId in Entra logs).

Entra logs provide clear authenticationMethod and authenticationMethodDetail fields, allowing the team to match each bit’s decimal value to its corresponding method.

For example, bit 4 (zero-indexed, so decimal 2^4 = 16) indicates Password Hash Sync, while bit 8 (decimal 2^8 = 256) signifies a method deployed via Staged Rollout.

A value of 272 (binary 100010000) thus unambiguously represents “Password Hash Sync via Staged Rollout,” revealing the exact combination of primary credentials used.

This methodology is implemented through a two-step Sekoia Operating Language (SOL) query: first, retrieve Microsoft 365 records with the target UserAuthenticationMethod value; second, fetch correlated Entra ID events to aggregate and rank authentication methods by occurrence.

The top result typically reveals the primary authentication factor mapped to the numeric code. SOL’s expressive filtering and aggregation capabilities make it an ideal tool for large-scale log analysis and validation.
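The two-step correlation described above, written out in Python as an added example rather than Sekoia.io's SOL query. The audit and sign-in records are constructed for the example and simplified to the fields the join needs; in particular, the Entra method fields are flattened onto each record rather than nested under authenticationDetails as in real Graph sign-in logs, and the method strings are placeholders, not verbatim Entra values. The coverage check is an addition a practitioner would want: a ranking built from a handful of matched records says little about an unmatched majority.

```python
"""Correlate Microsoft 365 audit records with Entra ID sign-in records to
learn what a given UserAuthenticationMethod value means.

Added example, not Sekoia.io's code. All records below are constructed.
"""
from collections import Counter

# Constructed Microsoft 365 audit records (real ones carry many more fields).
M365_RECORDS = [
    {"InterSystemsId": "c1", "UserId": "a@example.com", "UserAuthenticationMethod": "272"},
    {"InterSystemsId": "c2", "UserId": "b@example.com", "UserAuthenticationMethod": "272"},
    {"InterSystemsId": "c3", "UserId": "c@example.com", "UserAuthenticationMethod": "272"},
    {"InterSystemsId": "c4", "UserId": "d@example.com", "UserAuthenticationMethod": "16"},
    {"InterSystemsId": "c5", "UserId": "e@example.com", "UserAuthenticationMethod": "272"},  # no Entra match
]

# Constructed Entra ID sign-in records sharing the same correlation identifiers.
# c3 also carries a second factor, which the ranking pushes below the primary.
ENTRA_RECORDS = [
    {"correlationId": "c1", "authenticationMethod": "Password", "authenticationMethodDetail": "Password Hash Sync"},
    {"correlationId": "c2", "authenticationMethod": "Password", "authenticationMethodDetail": "Password Hash Sync"},
    {"correlationId": "c3", "authenticationMethod": "Password", "authenticationMethodDetail": "Password Hash Sync"},
    {"correlationId": "c3", "authenticationMethod": "Mobile app notification", "authenticationMethodDetail": ""},
    {"correlationId": "c4", "authenticationMethod": "Password", "authenticationMethodDetail": "Password Hash Sync"},
]


def correlation_ids_for_value(m365_records, target_value):
    """Step 1: InterSystemsId of every audit record carrying the target value.

    The audit log stores the value as a string, so compare as integers.
    """
    return {r["InterSystemsId"] for r in m365_records
            if int(r["UserAuthenticationMethod"]) == target_value}


def rank_methods(m365_records, entra_records, target_value):
    """Step 2: join on correlation id and rank Entra methods by occurrence.

    Returns [((method, detail), count), ...], most frequent first. The top
    entry is the likely primary method behind the numeric value; secondary
    factors show up further down because they are not set on every sign-in.
    """
    ids = correlation_ids_for_value(m365_records, target_value)
    counts = Counter(
        (e["authenticationMethod"], e["authenticationMethodDetail"])
        for e in entra_records if e["correlationId"] in ids
    )
    return counts.most_common()


def coverage(m365_records, entra_records, target_value):
    """Fraction of matching audit records that found at least one Entra record.

    Audit records without an Entra counterpart contribute nothing to the
    ranking, so a low coverage means the ranking rests on few samples.
    """
    ids = correlation_ids_for_value(m365_records, target_value)
    if not ids:
        return 0.0
    matched = {e["correlationId"] for e in entra_records} & ids
    return len(matched) / len(ids)


if __name__ == "__main__":
    for value in (272, 16):
        print(value, rank_methods(M365_RECORDS, ENTRA_RECORDS, value),
              f"coverage={coverage(M365_RECORDS, ENTRA_RECORDS, value):.2f}")
```

Run against real exports, the same join works on any pair of tables that share the correlation identifier; the only field names taken from the article are InterSystemsId, correlationId, authenticationMethod and authenticationMethodDetail.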

Real-World Application and Limitations

In practice, this mapping allows security analysts to identify phishing-resistant methods—such as Passkeys (decimal 33554432) and Windows Hello for Business (decimal 262144)—directly from Microsoft 365 logs.

It also facilitates monitoring of staged rollout progress for hybrid authentication deployments. Importantly, the bitfield captures only primary-capable methods; common secondary-only factors like Microsoft Authenticator push notifications or software OATH tokens are excluded. When a primary-capable method serves as a second factor, however, it still appears alongside the first factor in the bitfield.
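The decoding step itself, as an added example that is not Sekoia.io's code. It covers both the bit arithmetic explained in the Microsoft 365 and Entra ID Logs section and the phishing-resistant values mentioned just above: the lookup table holds only the four bit positions the article names (4, 8, 18 and 25), treats the Staged Rollout bit as a modifier on the method it accompanies, and reports every other set bit as unmapped rather than guessing. The audit-record shape in the sample (the value arriving as a string inside an ExtendedProperties Name/Value list) is an assumption made for the example.

```python
"""Decode the UserAuthenticationMethod bitfield from Microsoft 365 audit logs.

Added example, not Sekoia.io's code. KNOWN_BITS holds only the bit positions
the article names; any other set bit is reported as unmapped. Bit positions
are zero-indexed, so bit n has the decimal value 2**n.
"""
import json

KNOWN_BITS = {
    4: "Password Hash Sync",           # 2**4  = 16
    8: "Staged Rollout",               # 2**8  = 256, a modifier on the method it accompanies
    18: "Windows Hello for Business",  # 2**18 = 262144
    25: "Passkey",                     # 2**25 = 33554432
}
MODIFIER_BITS = {8}


def set_bits(value: int) -> list[int]:
    """Zero-indexed positions of every set bit, lowest first."""
    if value < 0:
        raise ValueError("UserAuthenticationMethod is an unsigned bitfield")
    return [pos for pos in range(value.bit_length()) if (value >> pos) & 1]


def decode(value: int) -> dict:
    """Split the bitfield into mapped methods, modifiers and unmapped positions."""
    result = {"value": value, "binary": bin(value),
              "methods": [], "modifiers": [], "unmapped_bits": []}
    for pos in set_bits(value):
        if pos not in KNOWN_BITS:
            result["unmapped_bits"].append(pos)
        elif pos in MODIFIER_BITS:
            result["modifiers"].append(KNOWN_BITS[pos])
        else:
            result["methods"].append(KNOWN_BITS[pos])
    return result


def describe(value: int) -> str:
    """One-line label, e.g. 272 -> 'Password Hash Sync via Staged Rollout'.

    Two primary-capable methods in one value (a primary method used as the
    second factor) are joined with '+'; unmapped bits are listed so that an
    analyst sees there is more in the value than the table explains.
    """
    d = decode(value)
    text = " + ".join(d["methods"]) or "(no mapped primary method)"
    for modifier in d["modifiers"]:
        text += f" via {modifier}"
    if d["unmapped_bits"]:
        text += f" [unmapped bits: {d['unmapped_bits']}]"
    return text


def value_from_audit_record(record: dict) -> int:
    """Pull UserAuthenticationMethod out of a unified audit log record.

    Assumed record shape (constructed for this example): the value arrives as
    a string inside the ExtendedProperties Name/Value list.
    """
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAuthenticationMethod":
            return int(prop["Value"])
    raise KeyError("UserAuthenticationMethod not present in record")


# Constructed sample record (not a real log line).
SAMPLE_RECORD = json.loads("""{
  "Operation": "UserLoggedIn",
  "UserId": "user@example.com",
  "InterSystemsId": "00000000-0000-0000-0000-000000000000",
  "ExtendedProperties": [
    {"Name": "UserAuthenticationMethod", "Value": "272"}
  ]
}""")

if __name__ == "__main__":
    v = value_from_audit_record(SAMPLE_RECORD)
    print(v, describe(v))
    for sample in (16, 272, 262144, 33554432, 16 | 2**7):
        print(sample, bin(sample), describe(sample))
```

Extending the table is a matter of adding entries to KNOWN_BITS once a bit has been confirmed through the correlation described earlier; leaving unconfirmed positions out keeps the unmapped list honest.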

Despite these advances, several bit positions (e.g., bits 5, 7, 9–17, 22, 26) remain unmapped due to their absence in observed logs.

As Microsoft continues to introduce new authentication options, additional analysis will be required to keep the mapping current.

The investigation team invites the community to validate these findings in diverse environments, report mappings for unmapped bits, and petition Microsoft for official documentation clarifying the bitfield’s structure.

By revealing the structure of the UserAuthenticationMethod bitfield, this technique closes a critical visibility gap for environments limited to Microsoft 365 audit logs.

Security teams can now decode numeric values into precise authentication events, enhancing incident response, compliance auditing, and risk assessment activities across Microsoft 365 and hybrid identity infrastructures.
