Password Reset on Entra Connector Account
09 AAD Prov Password Reset Sync Account
Query
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName has_any (
"Reset user password",
"Reset password (by admin)",
"Reset password",
"Change user password",
"Update user",
"Update StsRefreshTokenValidFrom Timestamp"
)
| mv-expand TargetResources
| extend TargetUpn = tostring(TargetResources.userPrincipalName)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| extend Actor = coalesce(Initiator, tostring(InitiatedBy.app.displayName))
| extend SourceIP = tostring(InitiatedBy.user.ipAddress)
| where TargetUpn startswith "Sync_"
or TargetUpn contains "DirSync"
or TargetUpn has "On-Premises Directory Synchronization"
or tostring(TargetResources.displayName) has "On-Premises Directory Synchronization Service Account"
| project TimeGenerated, OperationName, Actor, SourceIP, TargetUpn,
ModifiedProperties = tostring(TargetResources.modifiedProperties), Result
| order by TimeGenerated descExplanation
This query is designed to detect password reset events on specific service accounts related to directory synchronization in Azure Active Directory. Here's a simplified breakdown:
-
Purpose: The query identifies password reset activities on accounts used for directory synchronization, which are critical for maintaining the connection between on-premises directories and Azure AD. These accounts typically have names starting with "Sync_" or contain "DirSync".
-
Why It's Important: A password reset on these accounts could indicate either a legitimate maintenance activity or a potential security threat where an attacker is trying to gain control. Therefore, any such event needs to be verified by the Security Operations Center (SOC).
-
Data Source: The query uses data from Azure Active Directory's AuditLogs, focusing on events related to password resets and user updates.
-
Frequency and Scope: The query runs every hour and looks back over the past day to catch any relevant events.
-
Severity and Tactics: The alert generated by this query is considered high severity, as it relates to persistence and privilege escalation tactics, which are part of the MITRE ATT&CK framework.
-
Details Captured: For each event, the query captures details such as the time of the event, the operation performed, the actor (who initiated the action), the source IP address, and the target account.
-
Alerting and Incident Management: If any such event is detected, an alert is generated with specific details about the operation and the involved accounts. The system is configured to create an incident for further investigation, grouping related alerts to streamline the response process.
Overall, this query is a proactive measure to ensure that any changes to critical synchronization accounts are legitimate and authorized, helping to prevent unauthorized access and potential security breaches.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d