TAP Added to Entra Connector Account (Backdoor)
08 AAD Prov TAP On Sync Account
Query
// Sync accounts known via IdentityInfo (UEBA) - degrade to naming pattern if not available
let SyncAccounts =
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles has_any (
"Directory Synchronization Accounts",
"On Premises Directory Sync Account"
)
or AccountUPN startswith "Sync_"
or AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| project AccountUPN, AccountObjectId, AccountDisplayName;
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName has_any (
"Admin registered security info",
"Register security info",
"Create temporary access pass",
"Issue temporary access pass",
"Admin Issued Temporary Access Pass",
"User registered security info"
)
| mv-expand TargetResources
| extend TargetUpn = tostring(TargetResources.userPrincipalName)
| extend TargetId = tostring(TargetResources.id)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| extend Actor = coalesce(Initiator, tostring(InitiatedBy.app.displayName))
| extend SourceIP = tostring(InitiatedBy.user.ipAddress)
// Match by UPN or ObjectId OR by naming heuristic (works even without IdentityInfo)
| where TargetUpn in~ (SyncAccounts | project AccountUPN)
or TargetId in (SyncAccounts | project AccountObjectId)
or TargetUpn startswith "Sync_"
or TargetUpn contains "DirSync"
or TargetUpn has "On-Premises Directory Synchronization"
| project TimeGenerated, OperationName, Actor, SourceIP, TargetUpn, TargetResources, Result
| order by TimeGenerated descExplanation
This query is designed to detect suspicious activity involving the issuance of a Temporary Access Pass (TAP) to certain user accounts in a Microsoft Azure environment. Here's a simple breakdown of what it does:
-
Purpose: The query aims to identify when a TAP is issued to accounts that are either part of the "Directory Synchronization Accounts" role or have names that match a specific pattern (like "Sync_*"). Such actions are considered highly suspicious because issuing a TAP to these accounts is not a normal operation and could indicate a potential security breach or backdoor access.
-
Severity: The alert generated by this query is marked as "High" severity, indicating that it is a critical security concern.
-
Data Source: It uses data from Azure Active Directory's Audit Logs to track activities related to TAP issuance and security info registration.
-
Detection Logic:
- It first identifies accounts that are part of the directory synchronization roles or have names suggesting they are sync accounts.
- It then checks the audit logs for any TAP-related operations performed on these accounts within the last day.
- If such operations are found, it captures details like the time of the operation, the operation name, the actor (who performed the action), the source IP address, and the target account.
-
Alerting: If any suspicious TAP issuance is detected, an alert is generated. The alert includes details about the operation, the actor, and the target account, and it is formatted to highlight the potential backdoor access.
-
Incident Management: The query is configured to create incidents for detected activities, allowing for grouping of related alerts to manage and investigate them efficiently.
Overall, this query helps security teams monitor and respond to potential unauthorized access attempts involving critical synchronization accounts in their Azure environment.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d