ADFS Stale Token Use After Password Change or Reset
13 ADFS Stale Token After Password Change
Query
let PasswordChanges =
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName has_any (
"Reset password", "Change password", "Update user",
"User changed password",
"Admin updated user authentication method",
"Update Authentication Method",
"Delete Authentication Method"
)
| extend UPN = tostring(TargetResources[0].userPrincipalName)
| where isnotempty(UPN)
| summarize ChangeTime = max(TimeGenerated) by UPN;
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| join kind=inner PasswordChanges on $left.UserPrincipalName == $right.UPN
| where TimeGenerated > ChangeTime
| summarize
TokensAfterChange = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
Protocols = make_set(AuthenticationRequirement),
LastSeen = max(TimeGenerated),
FirstTokenAfter = min(TimeGenerated)
by UserPrincipalName, ChangeTime
| order by TokensAfterChange descExplanation
This query is designed to detect a security issue where tokens are issued by Active Directory Federation Services (ADFS) for a user even after their password has been changed or reset in Azure Active Directory (Azure AD). This situation can occur if an attacker has a cloned ADFS token signing certificate or a session cookie, allowing them to maintain access despite a password change.
Here's a simple breakdown of what the query does:
-
Collect Password Changes: It first gathers data on password changes or resets from the last day by looking at Azure AD audit logs. It identifies users whose passwords have been changed or reset.
-
Check ADFS Sign-Ins: It then checks ADFS sign-in logs for the same period to see if any tokens were issued to these users after their password change.
-
Correlate Data: The query correlates the password change events with subsequent ADFS sign-in activities to identify cases where tokens were issued after a password change.
-
Alert on Suspicious Activity: If tokens are issued after a password change, it raises an alert, indicating potential misuse of credentials, possibly due to a "Golden SAML" attack where an attacker uses a forged token.
-
Details and Severity: The alert includes details like the number of tokens issued, IP addresses, locations, applications accessed, and the protocols used. The severity of this alert is marked as high due to the potential security risk.
-
Incident Management: The query is set to create incidents for detected cases, allowing security teams to investigate and respond to these potential security breaches.
Overall, this query helps in identifying and alerting on potential security threats related to unauthorized access through stale tokens in an ADFS environment.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d