Query Details

25 ROPC Privileged User

Query

id: b2c3d4e5-f6a7-8b9c-0d1e-2f3a4b5c6d7e
name: ROPC Authentication Against Privileged User
version: 1.0.0
kind: Scheduled
description: |
  Detects a successful ROPC (password-grant) sign-in for any account holding a
  privileged Entra ID role. Privileged users should authenticate via interactive flows
  that honour MFA / Conditional Access. A ROPC sign-in by a Global Administrator,
  Privileged Role Administrator, Security Administrator (etc.) is a credible
  account-takeover indicator and should be treated as high severity.

  Trigger: any successful ROPC sign-in (ResultType == 0) in the last hour whose UPN has an
  IdentityInfo record with a non-empty AssignedRoles within the last 14 days.

  Tuning:
    - LegitRopcApps suppresses known-good ROPC clients.
    - Requires UEBA / IdentityInfo to be populated. If you have a custom privileged-user
      watchlist, replace the PrivUsers CTE with a watchlist lookup.
  MITRE ATT&CK: T1078.004 (Cloud Accounts), T1098 (Account Manipulation)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - PrivilegeEscalation
relevantTechniques:
  - T1078
  - T1098
query: |
  let LegitRopcApps = dynamic([
      "Microsoft Authentication Broker",
      "Microsoft Intune Company Portal",
      "Azure AD Connect",
      "Microsoft Office",
      "Microsoft Office Authentication Broker"
  ]);
  let PrivUsers =
      IdentityInfo
      | where TimeGenerated > ago(14d)
      | where isnotempty(AssignedRoles)
      | summarize arg_max(TimeGenerated, AssignedRoles) by AccountUPN
      | extend Upn = tolower(AccountUPN)
      | project Upn, AssignedRoles;
  AADNonInteractiveUserSignInLogs
  | invoke ExcludeAllowlistedIPs_AADNI()
  | where TimeGenerated > ago(1h)
  | where AuthenticationProtocol =~ "ropc"
  | where ResultType == 0
  | where AppDisplayName !in~ (LegitRopcApps)
  | extend Upn = tolower(UserPrincipalName)
  | join kind=inner PrivUsers on Upn
  | summarize
      Count     = count(),
      IPs       = make_set(IPAddress),
      Countries = make_set(Location),
      Apps      = make_set(AppDisplayName),
      Roles     = any(AssignedRoles),
      FirstSeen = min(TimeGenerated),
      LastSeen  = max(TimeGenerated)
    by UserPrincipalName
  | extend IPAddress = tostring(IPs[0])
  | order by Count desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  SignInCount: Count
  AssignedRoles: Roles
  Countries: Countries
  Apps: Apps
alertDetailsOverride:
  alertDisplayNameFormat: "ROPC Sign-In by Privileged User {{UserPrincipalName}}"
  alertDescriptionFormat: "Privileged user {{UserPrincipalName}} authenticated via ROPC ({{Count}} sign-ins from {{Countries}}). ROPC bypasses MFA. Treat as suspected account takeover until proven otherwise."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potentially suspicious sign-in activities involving privileged user accounts in an organization's Azure Active Directory (Entra ID). Here's a simplified breakdown:

  1. Purpose: The query identifies successful sign-ins using the Resource Owner Password Credentials (ROPC) method for accounts with privileged roles. ROPC is a non-interactive authentication method that bypasses Multi-Factor Authentication (MFA) and Conditional Access policies, making it a potential security risk if used by high-privilege accounts.

  2. Trigger: It looks for any successful ROPC sign-in (where ResultType == 0) in the last hour, matching the hourly schedule, and joins it against users whose IdentityInfo record from the last 14 days carries assigned privileged roles.

  3. Exclusions: Known legitimate ROPC applications (like Microsoft Office and Azure AD Connect) are excluded from triggering alerts.

  4. Data Sources: The query uses the non-interactive sign-in logs (AADNonInteractiveUserSignInLogs) from Entra ID and the UEBA IdentityInfo table from behavior analytics to identify privileged users and their roles.

  5. Severity: The alert generated by this query is considered high severity due to the potential risk of account takeover.

  6. Alert Details: If a suspicious ROPC sign-in is detected, an alert is generated with details such as the number of sign-ins, IP addresses, countries, applications used, and roles assigned to the user.

  7. Incident Management: The system is configured to create incidents for these alerts, grouping them by user account to manage and investigate potential security breaches effectively.

  8. MITRE ATT&CK Techniques: The query is aligned with techniques T1078.004 (Valid Accounts: Cloud Accounts) and T1098 (Account Manipulation), which are part of the MITRE ATT&CK framework for understanding adversary behavior.

Overall, this query helps security teams monitor and respond to unauthorized access attempts on privileged accounts, which could indicate an account takeover attempt.
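To check the rule's filter, allowlist and join semantics without a Sentinel workspace, the following is a plain-Python re-implementation of the KQL above run over hand-constructed records. It is an added example, not the rule author's code or anything from Sentinel; the sample sign-ins, IdentityInfo snapshots, UPNs, IP addresses and the fixed reference time NOW are all constructed. It deliberately mirrors the KQL's operator order (the empty-roles filter before arg_max) so the behaviour matches what the deployed rule would do.

```python
"""Offline re-implementation of the 'ROPC Authentication Against Privileged User'
KQL logic in plain Python (added example, not the rule author's code), for
checking filter, allowlist and join semantics against constructed records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same allowlist as the rule's LegitRopcApps; the KQL uses !in~, so compare lowercased.
LEGIT_ROPC_APPS = {
    "microsoft authentication broker",
    "microsoft intune company portal",
    "azure ad connect",
    "microsoft office",
    "microsoft office authentication broker",
}

# Constructed reference time standing in for now() at query execution.
NOW = datetime(2026, 5, 29, 12, 0, tzinfo=timezone.utc)


def _ordered_set(values):
    """Deduplicate while keeping first-seen order. KQL make_set() gives no order
    guarantee, so IPs[0] in the rule is an arbitrary member; here it is the
    first IP observed, which keeps the output deterministic."""
    return list(dict.fromkeys(values))


def privileged_users(identity_info, now=NOW, lookback=timedelta(days=14)):
    """Mirror the PrivUsers CTE: rows from the last 14d, drop empty AssignedRoles,
    then arg_max(TimeGenerated) per AccountUPN, keyed by lowercased UPN.
    The filter runs before arg_max exactly as in the KQL, so an older in-window
    row with roles still wins when the newest snapshot has none."""
    latest = {}
    for row in identity_info:
        if row["TimeGenerated"] <= now - lookback:        # TimeGenerated > ago(14d)
            continue
        if not row["AssignedRoles"]:                      # isnotempty(AssignedRoles)
            continue
        upn = row["AccountUPN"].lower()                   # Upn = tolower(AccountUPN)
        if upn not in latest or row["TimeGenerated"] > latest[upn]["TimeGenerated"]:
            latest[upn] = row                             # arg_max(TimeGenerated, ...)
    return {upn: row["AssignedRoles"] for upn, row in latest.items()}


def detect_ropc_privileged(sign_ins, identity_info, now=NOW, window=timedelta(hours=1)):
    """Apply the sign-in filters, inner-join to privileged users on lowercased UPN,
    and aggregate per UserPrincipalName like the rule's summarize."""
    priv = privileged_users(identity_info, now)
    buckets = defaultdict(list)
    for ev in sign_ins:
        if ev["TimeGenerated"] <= now - window:             # TimeGenerated > ago(1h)
            continue
        if ev["AuthenticationProtocol"].lower() != "ropc":  # AuthenticationProtocol =~ "ropc"
            continue
        if ev["ResultType"] != 0:                           # successful sign-ins only
            continue
        if ev["AppDisplayName"].lower() in LEGIT_ROPC_APPS:  # AppDisplayName !in~ (LegitRopcApps)
            continue
        if ev["UserPrincipalName"].lower() not in priv:     # join kind=inner PrivUsers on Upn
            continue
        buckets[ev["UserPrincipalName"]].append(ev)          # summarize ... by UserPrincipalName

    results = []
    for upn, evs in buckets.items():
        ips = _ordered_set(e["IPAddress"] for e in evs)
        results.append({
            "UserPrincipalName": upn,
            "Count": len(evs),
            "IPs": ips,
            "Countries": _ordered_set(e["Location"] for e in evs),
            "Apps": _ordered_set(e["AppDisplayName"] for e in evs),
            "Roles": priv[upn.lower()],                      # any(AssignedRoles) from the join
            "FirstSeen": min(e["TimeGenerated"] for e in evs),
            "LastSeen": max(e["TimeGenerated"] for e in evs),
            "IPAddress": ips[0],                             # tostring(IPs[0])
        })
    return sorted(results, key=lambda r: r["Count"], reverse=True)  # order by Count desc


# Constructed IdentityInfo (UEBA) snapshots; example.com accounts, not real tenant data.
SAMPLE_IDENTITY_INFO = [
    {"TimeGenerated": NOW - timedelta(days=2), "AccountUPN": "Alice@Example.com",
     "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "bob@example.com",
     "AssignedRoles": ["Security Administrator"]},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "carol@example.com",
     "AssignedRoles": []},
    {"TimeGenerated": NOW - timedelta(days=3), "AccountUPN": "dave@example.com",
     "AssignedRoles": ["Global Reader"]},
    {"TimeGenerated": NOW - timedelta(days=20), "AccountUPN": "erin@example.com",
     "AssignedRoles": ["Privileged Role Administrator"]},
]


def _signin(minutes_ago, upn, app, ip, location, result=0, proto="ropc"):
    """Build one constructed AADNonInteractiveUserSignInLogs-shaped row."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "UserPrincipalName": upn,
            "AppDisplayName": app, "IPAddress": ip, "Location": location,
            "ResultType": result, "AuthenticationProtocol": proto}


# Constructed sign-in rows exercising each filter in the rule.
SAMPLE_SIGN_INS = [
    _signin(40, "alice@example.com", "Legacy Mail Client", "203.0.113.10", "NL"),
    _signin(10, "alice@example.com", "Legacy Mail Client", "198.51.100.7", "BR"),
    _signin(5, "alice@example.com", "Legacy Mail Client", "198.51.100.7", "BR", result=50126),  # failed
    _signin(15, "bob@example.com", "Microsoft Office", "203.0.113.20", "NL"),                  # allowlisted app
    _signin(20, "carol@example.com", "Legacy Mail Client", "203.0.113.30", "NL"),              # no roles
    _signin(180, "dave@example.com", "Legacy Mail Client", "203.0.113.40", "NL"),              # outside 1h window
    _signin(25, "erin@example.com", "Legacy Mail Client", "203.0.113.50", "NL"),               # IdentityInfo older than 14d
    _signin(12, "bob@example.com", "Legacy Mail Client", "203.0.113.20", "NL",
            proto="authorizationCodeFlow"),                                                    # not ROPC
]

if __name__ == "__main__":
    for row in detect_ropc_privileged(SAMPLE_SIGN_INS, SAMPLE_IDENTITY_INFO):
        print(row["UserPrincipalName"], row["Count"], row["IPs"], row["Roles"])
```

Only alice survives: two successful ROPC sign-ins from two countries via a non-allowlisted client, joined to her Global Administrator role even though IdentityInfo spells her UPN in mixed case. Two behaviours of the KQL that the re-implementation makes visible are worth keeping in mind when tuning: because `isnotempty(AssignedRoles)` runs before `arg_max`, a user whose most recent snapshot shows no roles is still treated as privileged while an older in-window snapshot with roles exists; and because `make_set` is unordered, the `IPAddress` entity mapped from `IPs[0]` is an arbitrary member of the set, so investigators should read the full `IPs` list rather than the single mapped address.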

Details


David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs, IdentityInfo

Keywords

AzureActiveDirectory, BehaviorAnalytics, IdentityInfo, AADNonInteractiveUserSignInLogs, MicrosoftAuthenticationBroker, MicrosoftIntuneCompanyPortal, AzureADConnect, MicrosoftOffice, MicrosoftOfficeAuthenticationBroker, UserPrincipalName, IPAddress, AccountUPN, AssignedRoles

Operators

let, dynamic, where, isnotempty, summarize, arg_max, by, extend, tolower, project, invoke, =~, ==, !in~, join, kind=inner, make_set, any, min, max, tostring, order by, desc
