Query Details

ROPC Authentication Detected - Credential Pass-Through Bypass

06 ROPC Authentication Detected

Query

let LegitRopcApps = dynamic([
    "Microsoft Authentication Broker",
    "Microsoft Intune Company Portal",
    "Azure AD Connect",
    "Microsoft Office",
    "Microsoft Office Authentication Broker"
]);
let LegitRopcUsers = dynamic([]);
// ROPC surfaces in SigninLogs more often than the non-interactive table; correlate both.
// MinSuccessfulSignIns filters the trickle of legit/legacy ROPC; lower to 1 for max sensitivity.
let MinSuccessfulSignIns = 3;
let RopcSignIns =
    union isfuzzy=true
        (SigninLogs
            | where TimeGenerated > ago(1h)
            | where AuthenticationProtocol =~ "ropc"
            | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType),
        (AADNonInteractiveUserSignInLogs
            | where TimeGenerated > ago(1h)
            | where AuthenticationProtocol =~ "ropc"
            | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType);
RopcSignIns
| invoke ExcludeAllowlistedIPs_AADNI()
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| where tolower(UserPrincipalName) !in~ (LegitRopcUsers)
| summarize
    Count     = count(),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location),
    Apps      = make_set(AppDisplayName),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName
| where Count >= MinSuccessfulSignIns
| extend IPAddress = tostring(IPs[0])
| order by Count desc

Explanation

This query is designed to detect potentially risky authentication activities using the Resource Owner Password Credential (ROPC) grant flow in Azure Active Directory. Here's a simple breakdown:

  1. Purpose: The query identifies successful ROPC sign-ins, which bypass Multi-Factor Authentication (MFA) and Conditional Access policies. This can indicate either a misconfigured legacy application or an attacker using stolen credentials.

  2. Data Sources: It analyzes data from two sources: SigninLogs (for interactive sign-ins) and AADNonInteractiveUserSignInLogs (for non-interactive sign-ins).

  3. Filtering:

    • It focuses on successful ROPC sign-ins (ResultType == 0).
    • It excludes known legitimate applications and users from the analysis using predefined allowlists (LegitRopcApps and LegitRopcUsers).
    • It removes sign-ins from allowlisted IP addresses.
  4. Threshold: The query alerts only if there are three or more successful ROPC sign-ins from the same user within the last hour, which helps filter out occasional legitimate uses.

  5. Output: The query summarizes the results by user, showing the number of sign-ins, associated IP addresses, countries, and applications involved. It orders the results by the number of sign-ins.

  6. Alerting: If the conditions are met, an alert is generated with details about the user and the nature of the sign-ins, highlighting the potential risk of MFA bypass.

  7. Incident Management: The query is configured to create incidents for further investigation, grouping alerts by user account to manage related events efficiently.

Overall, this query helps security teams monitor and respond to suspicious ROPC authentication activities that could indicate security threats.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

ResourceOwnerPasswordCredentialSigninLogsAADNonInteractiveUserSignInEntraIDMFAConditionalAccessMicrosoftAuthenticationBrokerIntuneCompanyPortalAzureADConnectOfficePrincipalNameIPAddressLocationAppDisplayNetworkAllowlistMITREATTCKDefenseEvasionInitial

Operators

letdynamicunionisfuzzywhere=~projectinvoke!in~tolowersummarizecountmake_setminmaxbyextendtostringorder by

Severity

High

Tactics

CredentialAccessDefenseEvasionInitialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub