Query Details

ROPC Authentication Detected - Credential Pass-Through Bypass

06 ROPC Authentication Detected

Query

let LegitRopcApps = dynamic([
    "Microsoft Authentication Broker",
    "Microsoft Intune Company Portal",
    "Azure AD Connect",
    "Microsoft Office",
    "Microsoft Office Authentication Broker"
]);
let LegitRopcUsers = dynamic([]);
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| where tolower(UserPrincipalName) !in~ (LegitRopcUsers)
| summarize
    Count     = count(),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location),
    Apps      = make_set(AppDisplayName),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count desc

Explanation

This query is designed to detect suspicious use of the Resource Owner Password Credential (ROPC) grant flow in non-interactive sign-ins within an organization's Azure Active Directory (AAD). Here's a simplified breakdown:

  1. Purpose: The query identifies instances where user credentials are passed directly to AAD, bypassing Multi-Factor Authentication (MFA) and other security controls. This behavior is unusual and could indicate a misconfigured application or an attacker using stolen credentials.

  2. Detection Criteria:

    • It looks for successful ROPC authentications (ResultType == 0).
    • It excludes known legitimate applications and users from the analysis using predefined allowlists (LegitRopcApps and LegitRopcUsers).
    • It filters out IP addresses that are on a predefined allowlist.
  3. Data Source: The query uses logs from AADNonInteractiveUserSignInLogs.

  4. Output:

    • It summarizes the data by counting occurrences, listing IP addresses, countries, and applications involved, and noting the first and last time the activity was seen.
    • Results are ordered by the number of occurrences.
  5. Alerting:

    • If any suspicious activity is detected, an alert is generated with details about the user, number of sign-ins, and countries involved.
    • The alert suggests verifying whether the activity is from an authorized legacy app or if it requires investigation for potential credential stuffing.
  6. Severity and Response:

    • The severity of this detection is marked as high.
    • An incident is created for each detection, and similar alerts are grouped together for easier management.

Overall, this query helps security teams identify and respond to potential security risks associated with improper use of ROPC authentication in their environment.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsUserPrincipalNameIPAddressAppDisplayNameTimeGeneratedLocation

Operators

letdynamicinvokewhere=~==!in~tolowersummarizecountmake_setminmaxbyextendtostringorder by

Severity

High

Tactics

CredentialAccessDefenseEvasionInitialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub