Stale Token Used After Password Change or Auth Method Update
10 Stale Token After Password Change
Query
let PasswordChanges =
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any (
"Reset password",
"Change password",
"User changed password",
"Admin updated user authentication method",
"Update Authentication Method",
"Delete Authentication Method"
)
| extend UPN = tostring(TargetResources[0].userPrincipalName)
| where isnotempty(UPN)
| summarize ChangeTime = max(TimeGenerated) by UPN;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| join kind=inner PasswordChanges on $left.UserPrincipalName == $right.UPN
| where TimeGenerated > ChangeTime
| summarize
TokensAfterChange = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
LastSeen = max(TimeGenerated),
FirstTokenAfter = min(TimeGenerated)
by UserPrincipalName, ChangeTime
| extend IPAddress = tostring(IPs[0])
| order by TokensAfterChange descExplanation
This query is designed to detect potential security threats in Azure Active Directory (Azure AD) by identifying instances where a user's password or authentication method has been changed, but non-interactive token refreshes continue to occur afterward. This situation suggests that an attacker might have a refresh token that remains valid even after the password change, allowing them to maintain access.
Here's a simplified breakdown of the query:
-
Purpose: To identify if an attacker is using a stale refresh token to access an account after the user's credentials have been updated.
-
Data Sources: It uses data from Azure AD's Audit Logs and Non-Interactive User Sign-In Logs.
-
Process:
- It first checks for any password or authentication method changes within the last 24 hours.
- It then looks for non-interactive sign-ins (token refreshes) that occur after these changes.
- If such sign-ins are found, it indicates that a refresh token is being used despite the credential update.
-
Severity: The alert is marked as high severity because it suggests a potential security breach.
-
MITRE ATT&CK Techniques: It relates to techniques T1528 (Steal Application Access Token) and T1078 (Valid Accounts).
-
Alert Details: If such activity is detected, an alert is generated with details about the user, the number of token refreshes, IP addresses, countries, and applications involved.
-
Incident Management: The query is set to create an incident if such activity is detected, allowing for further investigation and response.
Overall, this query helps in threat hunting by identifying suspicious activity that could indicate an attacker is bypassing security measures to maintain unauthorized access to an account.
Details

David Alonso
Released: June 12, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT24H