[Azure] signinlogs fix conditional_access_audience.application_id

packages/azure/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.26.1"
+  changes:
+    - description: Fix bug in handling of conditional_access_audience field in signinlogs data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14195
 - version: "1.26.0"
   changes:
     - description: Standardize user fields for identity_protection and signinlogs data stream.

packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log

@@ -1,2 +1,3 @@
 {"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"[email protected]"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
-{"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","additionalDetails":"MFA required"},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
+{"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","additionalDetails":"MFA required"},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
+{"Level":"4","callerIpAddress":"81.2.69.144","category":"NonInteractiveUserSignInLogs","correlationId":"7532b99a-06da-4c23-91e5-0f062bc0dcb3","durationMs":0,"identity":"elastic testing","location":"US","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"agent":{"agentType":"notAgentic","parentAppId":""},"appDisplayName":"Azure Portal","appId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","appOwnerTenantId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","appServicePrincipalId":null,"appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":3,"displayName":"Require multifactor authentication for all users","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"c44b4083-3bb0-49c1-b47d-974e53cbdf3c","result":"success"}],"authenticationContextClassReferences":[],"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2025-06-10T19:51:04.8059493+00:00","authenticationStepRequirement":"Default Strength","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"False"},{"key":"Oauth Scope Info","value":"[\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"User.Read\"]"},{"key":"Is CAE Token","value":"False"}],"authenticationProtocol":"none","authenticationRequirement":"multiFactorAuthentication","authenticationRequirementPolicies":[{"detail":"Conditional Access","requirementProvider":"multiConditionalAccess"},{"detail":"Authentication Strength(s)","requirementProvider":"authenticationStrengths"}],"authenticationStrengths":["Default Strength"],"autonomousSystemNumber":701,"clientAppUsed":"Browser","clientCredentialType":"none","conditionalAccessAudiences":["665694e7-26fc-4216-bf7e-e5adddc7a2bf"],"conditionalAccessStatus":"success","correlationId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","createdDateTime":"2025-06-10T19:51:04.8059493+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Chrome 137.0.0","deviceId":"","operatingSystem":"MacOs"},"flaggedForReview":false,"homeTenantId":"4bbb79f7-5724-4c9e-95f3-de075f6ec090","id":"4bbb79f7-5724-4c9e-95f3-de075f6ec090","incomingTokenType":"refreshToken","ipAddress":"81.2.69.144","isInteractive":false,"isTenantRestricted":false,"isThroughGlobalSecureAccess":false,"location":{"city":"Nizampet","state":"Telangana","countryOrRegion":"IN","geoCoordinates":{"latitude":17.5164794921875,"longitude":78.376632690429688}},"mfaDetail":{},"networkLocationDetails":[],"originalRequestId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","originalTransferMethod":"none","privateLinkDetails":{},"processingTimeInMilliseconds":79,"resourceDisplayName":"Azure Portal","resourceId":"797f4846-ba00-4fd7-ba43-dac1f8f63013","resourceOwnerTenantId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","resourceServicePrincipalId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","resourceTenantId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","rngcStatus":0,"servicePrincipalId":"","sessionId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","sessionLifetimePolicies":[],"signInTokenProtectionStatus":"none","ssoExtensionVersion":"","status":{"additionalDetails":"MFA requirement satisfied by claim in the token","errorCode":0},"tenantId":"6cb7db5b-fc26-4548-8eae-ca52f13810d4","tokenIssuerName":"","tokenIssuerType":"AzureAD","tokenProtectionStatusDetails":{"signInSessionStatus":"unbound","signInSessionStatusCode":1002},"uniqueTokenIdentifier":"OTMzZjIwYzAtZWZkZi00NzdmLTk1ODYtZTVjYzY3NmYyZTAw","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36","userDisplayName":"Elastic Test","userId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","userPrincipalName":"[email protected]","userType":"Member"},"resourceId":"/tenants/665694e7-26fc-4216-bf7e-e5adddc7a2bf/providers/Microsoft.aadiam","resultSignature":"SUCCESS","resultType":"0","tenantId":"797f4846-ba00-4fd7-ba43-dac1f8f63013","time":"2025-06-10T19:52:50.4512146Z"}