Query Details

ROPC Authentication Against Privileged User

25 ROPC Privileged User

Query

let LegitRopcApps = dynamic([
    "Microsoft Authentication Broker",
    "Microsoft Intune Company Portal",
    "Azure AD Connect",
    "Microsoft Office",
    "Microsoft Office Authentication Broker"
]);
let PrivUsers =
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | where isnotempty(AssignedRoles)
    | summarize arg_max(TimeGenerated, AssignedRoles) by AccountUPN
    | extend Upn = tolower(AccountUPN)
    | project Upn, AssignedRoles;
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| extend Upn = tolower(UserPrincipalName)
| join kind=inner PrivUsers on Upn
| summarize
    Count     = count(),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location),
    Apps      = make_set(AppDisplayName),
    Roles     = any(AssignedRoles),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count desc

Explanation

This query is designed to detect potentially suspicious sign-in activities involving privileged user accounts in an organization's Azure Active Directory (Entra ID). Here's a simplified breakdown:

  1. Purpose: The query identifies successful sign-ins using the Resource Owner Password Credentials (ROPC) method for accounts with privileged roles. ROPC is a non-interactive authentication method that bypasses Multi-Factor Authentication (MFA) and Conditional Access policies, making it a potential security risk if used by high-privilege accounts.

  2. Trigger: It looks for any successful ROPC sign-in (where ResultType == 0) within the last 14 days for users who have been assigned privileged roles.

  3. Exclusions: Known legitimate ROPC applications (like Microsoft Office and Azure AD Connect) are excluded from triggering alerts.

  4. Data Sources: The query uses data from Azure Active Directory sign-in logs and behavior analytics to identify privileged users and their roles.

  5. Severity: The alert generated by this query is considered high severity due to the potential risk of account takeover.

  6. Alert Details: If a suspicious ROPC sign-in is detected, an alert is generated with details such as the number of sign-ins, IP addresses, countries, applications used, and roles assigned to the user.

  7. Incident Management: The system is configured to create incidents for these alerts, grouping them by user account to manage and investigate potential security breaches effectively.

  8. MITRE ATT&CK Techniques: The query is aligned with techniques T1078 (Cloud Accounts) and T1098 (Account Manipulation), which are part of the MITRE ATT&CK framework for understanding adversary behavior.

Overall, this query helps security teams monitor and respond to unauthorized access attempts on privileged accounts, which could indicate an account takeover attempt.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogsIdentityInfo

Keywords

AzureActiveDirectoryBehaviorAnalyticsIdentityInfoAADNonInteractiveUserSignInLogsMicrosoftAuthenticationBrokerMicrosoftIntuneCompanyPortalAzureADConnectMicrosoftOfficeMicrosoftOfficeAuthenticationBrokerUserPrincipalNameIPAddressAccountUPNAssignedRoles

Operators

letdynamicwhereisnotemptysummarizearg_maxbyextendtolowerprojectinvoke=~==!in~joinkind=innermake_setanyminmaxtostringorder bydesc

Severity

High

Tactics

CredentialAccessPrivilegeEscalation

MITRE Techniques

Frequency: 1h

Period: 14d

Actions

GitHub