Query Details

Stale Token Used After Password Change or Auth Method Update

10 Stale Token After Password Change

Query

let PasswordChanges =
    AuditLogs
    | where TimeGenerated > ago(24h)
    | where OperationName has_any (
        "Reset password",
        "Change password",
        "User changed password",
        "Admin updated user authentication method",
        "Update Authentication Method",
        "Delete Authentication Method"
      )
    | extend UPN = tostring(TargetResources[0].userPrincipalName)
    | where isnotempty(UPN)
    | summarize ChangeTime = max(TimeGenerated) by UPN;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| join kind=inner PasswordChanges on $left.UserPrincipalName == $right.UPN
| where TimeGenerated > ChangeTime
| summarize
    TokensAfterChange = count(),
    IPs               = make_set(IPAddress),
    Countries         = make_set(Location),
    Apps              = make_set(AppDisplayName),
    LastSeen          = max(TimeGenerated),
    FirstTokenAfter   = min(TimeGenerated)
  by UserPrincipalName, ChangeTime
| extend IPAddress = tostring(IPs[0])
| order by TokensAfterChange desc

Explanation

This query is designed to detect potential security threats in Azure Active Directory (Azure AD) by identifying instances where a user's password or authentication method has been changed, but non-interactive token refreshes continue to occur afterward. This situation suggests that an attacker might have a refresh token that remains valid even after the password change, allowing them to maintain access.

Here's a simplified breakdown of the query:

  1. Purpose: To identify if an attacker is using a stale refresh token to access an account after the user's credentials have been updated.

  2. Data Sources: It uses data from Azure AD's Audit Logs and Non-Interactive User Sign-In Logs.

  3. Process:

    • It first checks for any password or authentication method changes within the last 24 hours.
    • It then looks for non-interactive sign-ins (token refreshes) that occur after these changes.
    • If such sign-ins are found, it indicates that a refresh token is being used despite the credential update.
  4. Severity: The alert is marked as high severity because it suggests a potential security breach.

  5. MITRE ATT&CK Techniques: It relates to techniques T1528 (Steal Application Access Token) and T1078 (Valid Accounts).

  6. Alert Details: If such activity is detected, an alert is generated with details about the user, the number of token refreshes, IP addresses, countries, and applications involved.

  7. Incident Management: The query is set to create an incident if such activity is detected, allowing for further investigation and response.

Overall, this query helps in threat hunting by identifying suspicious activity that could indicate an attacker is bypassing security measures to maintain unauthorized access to an account.

Details

David Alonso profile picture

David Alonso

Released: June 12, 2026

Tables

AADNonInteractiveUserSignInLogsAuditLogs

Keywords

AzureActiveDirectoryAuditLogsAADNonInteractiveUserSignInLogsUserAccountIPAddressLocationAppDisplayNameTokenPasswordAuthenticationMethod

Operators

lethas_anytostringisnotemptysummarizeagowherejoinonextendcountmake_setmaxminorder bydesc

Severity

High

Tactics

PersistenceCredentialAccessDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: PT24H

Actions

GitHub