ROPC Authentication Against Privileged User
25 ROPC Privileged User
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
let PrivUsers =
IdentityInfo
| where TimeGenerated > ago(14d)
| where isnotempty(AssignedRoles)
| summarize arg_max(TimeGenerated, AssignedRoles) by AccountUPN
| extend Upn = tolower(AccountUPN)
| project Upn, AssignedRoles;
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| extend Upn = tolower(UserPrincipalName)
| join kind=inner PrivUsers on Upn
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
Roles = any(AssignedRoles),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect potentially suspicious sign-in activities involving privileged user accounts in an organization's Azure Active Directory (Entra ID). Here's a simplified breakdown:
-
Purpose: The query identifies successful sign-ins using the Resource Owner Password Credentials (ROPC) method for accounts with privileged roles. ROPC is a non-interactive authentication method that bypasses Multi-Factor Authentication (MFA) and Conditional Access policies, making it a potential security risk if used by high-privilege accounts.
-
Trigger: It looks for any successful ROPC sign-in (where
ResultType == 0) within the last 14 days for users who have been assigned privileged roles. -
Exclusions: Known legitimate ROPC applications (like Microsoft Office and Azure AD Connect) are excluded from triggering alerts.
-
Data Sources: The query uses data from Azure Active Directory sign-in logs and behavior analytics to identify privileged users and their roles.
-
Severity: The alert generated by this query is considered high severity due to the potential risk of account takeover.
-
Alert Details: If a suspicious ROPC sign-in is detected, an alert is generated with details such as the number of sign-ins, IP addresses, countries, applications used, and roles assigned to the user.
-
Incident Management: The system is configured to create incidents for these alerts, grouping them by user account to manage and investigate potential security breaches effectively.
-
MITRE ATT&CK Techniques: The query is aligned with techniques T1078 (Cloud Accounts) and T1098 (Account Manipulation), which are part of the MITRE ATT&CK framework for understanding adversary behavior.
Overall, this query helps security teams monitor and respond to unauthorized access attempts on privileged accounts, which could indicate an account takeover attempt.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 14d