ROPC Authentication Detected - Credential Pass-Through Bypass
06 ROPC Authentication Detected
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
let LegitRopcUsers = dynamic([]);
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| where tolower(UserPrincipalName) !in~ (LegitRopcUsers)
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect suspicious use of the Resource Owner Password Credential (ROPC) grant flow in non-interactive sign-ins within an organization's Azure Active Directory (AAD). Here's a simplified breakdown:
-
Purpose: The query identifies instances where user credentials are passed directly to AAD, bypassing Multi-Factor Authentication (MFA) and other security controls. This behavior is unusual and could indicate a misconfigured application or an attacker using stolen credentials.
-
Detection Criteria:
- It looks for successful ROPC authentications (ResultType == 0).
- It excludes known legitimate applications and users from the analysis using predefined allowlists (
LegitRopcAppsandLegitRopcUsers). - It filters out IP addresses that are on a predefined allowlist.
-
Data Source: The query uses logs from
AADNonInteractiveUserSignInLogs. -
Output:
- It summarizes the data by counting occurrences, listing IP addresses, countries, and applications involved, and noting the first and last time the activity was seen.
- Results are ordered by the number of occurrences.
-
Alerting:
- If any suspicious activity is detected, an alert is generated with details about the user, number of sign-ins, and countries involved.
- The alert suggests verifying whether the activity is from an authorized legacy app or if it requires investigation for potential credential stuffing.
-
Severity and Response:
- The severity of this detection is marked as high.
- An incident is created for each detection, and similar alerts are grouped together for easier management.
Overall, this query helps security teams identify and respond to potential security risks associated with improper use of ROPC authentication in their environment.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h