Query Details

08 AAD Prov TAP On Sync Account

Query

id: 9b1a0008-1008-4108-9108-aadprov00008
name: TAP Added to Entra Connector Account (Backdoor)
version: 1.0.0
kind: Scheduled
description: |
  Detects Temporary Access Pass (TAP) issuance, or any other security-info
  registration, against a user account that is either (a) a member of the
  `Directory Synchronization Accounts` role (per the UEBA `IdentityInfo`
  table), or (b) matches the Entra Connector account naming pattern
  (`Sync_*` / `On-Premises Directory Synchronization Service Account`).
  A sync account authenticates non-interactively from the connector server
  with its own credential and has no legitimate need for a TAP, so TAP
  issuance against it is **never expected** under normal operations; it is a
  documented stealth backdoor for sync-account takeover (Cloud-Architekt
  playbook).
  MITRE ATT&CK: T1098.001 (Account Manipulation: Additional Cloud Credentials),
  T1078.004 (Valid Accounts: Cloud Accounts), T1556 (Modify Authentication
  Process).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
  - T1556
query: |
  // Sync accounts known via IdentityInfo (UEBA). The table must exist (UEBA enabled) or the
  // query fails to resolve; if it is merely empty, only the naming-pattern clauses below can match
  let SyncAccounts =
      IdentityInfo
      | where TimeGenerated > ago(14d)
      | summarize arg_max(TimeGenerated, *) by AccountUPN
      | where AssignedRoles has_any (
            "Directory Synchronization Accounts",
            "On Premises Directory Sync Account"
        )
          or AccountUPN startswith "Sync_"
          or AccountDisplayName has "On-Premises Directory Synchronization Service Account"
      | project AccountUPN, AccountObjectId, AccountDisplayName;
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName has_any (
        "Admin registered security info",
        "Register security info",
        "Create temporary access pass",
        "Issue temporary access pass",
        "Admin Issued Temporary Access Pass",
        "User registered security info"
    )
  | mv-expand TargetResources
  | extend TargetUpn = tostring(TargetResources.userPrincipalName)
  | extend TargetId  = tostring(TargetResources.id)
  | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
  | extend Actor     = coalesce(Initiator, tostring(InitiatedBy.app.displayName))
  | extend SourceIP  = tostring(InitiatedBy.user.ipAddress)
  // Match by UPN (case-insensitive in~) or ObjectId (case-sensitive in), or by naming heuristic
  // for accounts that are missing from IdentityInfo
  | where TargetUpn in~ (SyncAccounts | project AccountUPN)
       or TargetId  in  (SyncAccounts | project AccountObjectId)
       or TargetUpn startswith "Sync_"
       or TargetUpn contains "DirSync"
       or TargetUpn has "On-Premises Directory Synchronization"
  | project TimeGenerated, OperationName, Actor, SourceIP, TargetUpn, TargetResources, Result
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUpn
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  Operation: OperationName
  Actor: Actor
  Target: TargetUpn
alertDetailsOverride:
  alertDisplayNameFormat: "TAP / security-info change on sync account {{TargetUpn}}"
  alertDescriptionFormat: "{{OperationName}} performed by {{Actor}} against Entra Connector account {{TargetUpn}}. TAP on sync accounts is the documented stealth backdoor."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT24H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This rule detects issuance of a Temporary Access Pass (TAP), or any other security-info registration, against an Entra Connect synchronization account in a Microsoft Entra ID tenant. Here's a breakdown of what it does:

  1. Purpose: The query flags security-info / TAP operations whose target is either a member of the "Directory Synchronization Accounts" (or "On Premises Directory Sync Account") role or carries the connector naming pattern ("Sync_*", "DirSync", "On-Premises Directory Synchronization Service Account"). A sync account authenticates non-interactively from the connector server with its own credential and never needs a TAP, so a TAP on it has no benign explanation and is a documented sync-account takeover technique.

  2. Severity: High. Treat a hit as an indicator of compromise of the Entra Connect service account or of the administrator who issued the pass, not as a misconfiguration.

  3. Data Sources: Microsoft Entra ID (formerly Azure AD) AuditLogs for the operations, and the UEBA IdentityInfo table for role membership. IdentityInfo only exists once UEBA is enabled in the workspace; without it the query fails to resolve the table, so either enable UEBA or remove the `SyncAccounts` lookup and keep the naming-pattern clauses.

  4. Detection Logic:

    • Builds the set of sync accounts from the newest IdentityInfo snapshot per UPN (last 14 days), keeping accounts that hold a sync role or match the naming pattern.
    • Scans the last day of AuditLogs for the listed security-info / TAP operation names. The list is deliberately broad: any admin- or user-registered authentication method on a sync account fires, not only a TAP; the event's ResultReason / ResultDescription says which method was registered.
    • Expands TargetResources and matches the target by UPN (case-insensitive), by object ID, or by naming heuristic, so an account that is missing from IdentityInfo, or renamed away from "Sync_", can still match.
    • Emits the time, operation, actor (the initiating user, or the application name when no user is present), source IP and target account.
  5. Alerting: Each match becomes an alert titled after the target account, with the operation and actor in the description and mapped as Account and IP entities for investigation. The rule runs hourly over a one-day period (and the query itself repeats `ago(1d)`), so the same event is re-evaluated on every run for 24 hours; set queryPeriod to the run frequency if repeated alerts are unwanted.

  6. Incident Management: Alerts are grouped into one incident per Account entity over a 24-hour lookback, which is what collapses those repeated alerts into a single incident per targeted sync account.

In short, the rule gives security teams an early signal of a persistence attempt on the Entra Connect sync account. On a hit, revoke the TAP and any other authentication methods registered on the account, review what the actor did in the same window, and rotate the connector account credential.
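As an added example (not the rule's own code, and not from the author), here is the same matching logic re-implemented in Python and run over constructed IdentityInfo and AuditLogs rows, so the role lookup, the object-ID match, the naming heuristics and the 1-day / 14-day windows can be checked offline before the rule is deployed. The tenant, account names, object IDs and addresses are made up; KQL `has_any` on the role array and `in~` are approximated by case-insensitive equality.

```python
from datetime import datetime, timedelta

SYNC_ROLES = {"directory synchronization accounts", "on premises directory sync account"}
SECURITY_INFO_OPS = {
    "admin registered security info", "register security info", "create temporary access pass",
    "issue temporary access pass", "admin issued temporary access pass", "user registered security info",
}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sync_accounts(identity_rows, now):
    """Mirror of the `SyncAccounts` let-statement: newest IdentityInfo row per UPN
    (arg_max) inside 14 days, kept if it holds a sync role or looks like a connector
    account. KQL has/startswith are case-insensitive, so comparisons are lower-cased."""
    latest = {}
    for row in identity_rows:
        if _ts(row["TimeGenerated"]) <= now - timedelta(days=14):
            continue
        key = row["AccountUPN"].lower()
        if key not in latest or _ts(row["TimeGenerated"]) > _ts(latest[key]["TimeGenerated"]):
            latest[key] = row
    picked = {}
    for row in latest.values():
        roles = {r.lower() for r in row.get("AssignedRoles", [])}  # approximates has_any
        display = row.get("AccountDisplayName", "").lower()
        if (roles & SYNC_ROLES or row["AccountUPN"].lower().startswith("sync_")
                or "on-premises directory synchronization service account" in display):
            picked[row["AccountUPN"].lower()] = row
    return picked

def detect(audit_rows, identity_rows, now):
    """Mirror of the AuditLogs pipeline: 1-day window, security-info/TAP operations,
    one row per TargetResources element, matched by UPN (in~), object ID (in) or name."""
    known = sync_accounts(identity_rows, now)
    known_upns = set(known)
    # Drop empty IDs: "" in (...) would otherwise match every target without an id, a
    # pitfall the KQL `in` clause shares if IdentityInfo has rows without AccountObjectId
    known_ids = {r["AccountObjectId"] for r in known.values() if r.get("AccountObjectId")}
    hits = []
    for ev in audit_rows:
        if _ts(ev["TimeGenerated"]) <= now - timedelta(days=1):
            continue
        if ev["OperationName"].lower() not in SECURITY_INFO_OPS:
            continue
        user = ev.get("InitiatedBy", {}).get("user") or {}
        app = ev.get("InitiatedBy", {}).get("app") or {}
        actor = user.get("userPrincipalName") or app.get("displayName") or ""  # coalesce()
        for target in ev.get("TargetResources", []):  # mv-expand
            upn = str(target.get("userPrincipalName") or "")
            oid = str(target.get("id") or "")
            u = upn.lower()
            if (u in known_upns or oid in known_ids or u.startswith("sync_")
                    or "dirsync" in u or "on-premises directory synchronization" in u):
                hits.append({"TimeGenerated": ev["TimeGenerated"], "OperationName": ev["OperationName"],
                             "Actor": actor, "SourceIP": user.get("ipAddress") or "",
                             "TargetUpn": upn, "TargetId": oid, "Result": ev.get("Result", "")})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample rows: made-up tenant, accounts, object IDs and addresses
def _ident(ts, upn, oid, display, roles):
    return {"TimeGenerated": ts, "AccountUPN": upn, "AccountObjectId": oid,
            "AccountDisplayName": display, "AssignedRoles": roles}

def _audit(ts, op, by, oid, upn):
    return {"TimeGenerated": ts, "OperationName": op, "Result": "success", "InitiatedBy": by,
            "TargetResources": [{"id": oid, "userPrincipalName": upn}]}

ADMIN = {"user": {"userPrincipalName": "attacker-admin@contoso.com", "ipAddress": "203.0.113.10"}}
SYNC01 = "Sync_CONNECT01_a1b2c3d4e5f6@contoso.onmicrosoft.com"
NOW = _ts("2026-06-01T12:00:00Z")
SAMPLE_IDENTITY = [
    _ident("2026-05-30T08:00:00Z", SYNC01, "oid-sync01",
           "On-Premises Directory Synchronization Service Account", ["Directory Synchronization Accounts"]),
    # renamed connector account: the role is the only hint, and only the newest snapshot carries it
    _ident("2026-05-30T08:00:00Z", "svc-adconnect@contoso.com", "oid-svc", "AD Connect service",
           ["On Premises Directory Sync Account"]),
    _ident("2026-05-20T08:00:00Z", "svc-adconnect@contoso.com", "oid-svc", "AD Connect service", []),
    _ident("2026-05-30T08:00:00Z", "alice@contoso.com", "oid-alice", "Alice Example", ["Global Reader"]),
]
SAMPLE_AUDIT = [
    _audit("2026-06-01T10:15:00Z", "Admin registered security info", ADMIN, "oid-sync01", SYNC01),
    _audit("2026-06-01T10:20:00Z", "User registered security info",
           {"user": {"userPrincipalName": "alice@contoso.com", "ipAddress": "198.51.100.7"}},
           "oid-alice", "alice@contoso.com"),
    # app-initiated, target UPN absent: matched only through the object ID known from IdentityInfo
    _audit("2026-06-01T09:40:00Z", "Admin registered security info",
           {"app": {"displayName": "Graph Explorer"}}, "oid-svc", ""),
    # account unknown to IdentityInfo: caught by the Sync_ naming heuristic (case-insensitive)
    _audit("2026-06-01T11:05:00Z", "Admin registered security info", ADMIN, "oid-legacy",
           "sync_LEGACY_0f0f0f0f0f0f@contoso.onmicrosoft.com"),
    _audit("2026-06-01T11:30:00Z", "Reset user password", ADMIN, "oid-sync01", SYNC01),  # not in the op list
    _audit("2026-05-31T09:00:00Z", "Admin registered security info", ADMIN, "oid-sync01", SYNC01),  # > 1 day old
]

def run_sample():
    return detect(SAMPLE_AUDIT, SAMPLE_IDENTITY, NOW)

if __name__ == "__main__":
    for h in run_sample():
        print(h["TimeGenerated"], h["OperationName"], "actor=" + (h["Actor"] or "-"),
              "target=" + (h["TargetUpn"] or h["TargetId"]))
```

Running it yields three hits, newest first: the naming-heuristic match on the account IdentityInfo has never seen, the TAP registration on the real connector account, and the app-initiated registration that only the object-ID clause catches. The password reset and the event older than one day are correctly ignored, and the stale IdentityInfo snapshot without the role does not hide svc-adconnect because the newest row wins.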

Details


David Alonso

Released: June 1, 2026

Tables

IdentityInfo, AuditLogs

Keywords

AzureActiveDirectory, AuditLogs, IdentityInfo, Account, IP, User, SecurityInfo, TemporaryAccessPass, DirectorySynchronization, EntraConnector

Operators

let, where, ago, summarize, arg_max, by, has_any, startswith, project, mv-expand, extend, tostring, coalesce, in~, in, contains, order by, desc
