ROPC Authentication Against Dormant Account
27 ROPC Dormant Account
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
let LegitRopcUsers = dynamic([]);
let Active =
union isfuzzy=true
(SigninLogs
| where TimeGenerated between (ago(30d) .. ago(1h))),
(AADNonInteractiveUserSignInLogs
| where TimeGenerated between (ago(30d) .. ago(1h)))
| where ResultType == 0
| distinct Upn = tolower(UserPrincipalName);
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| extend Upn = tolower(UserPrincipalName)
| where Upn !in (LegitRopcUsers)
| where Upn !in (Active)
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect suspicious activity involving dormant accounts in an Azure Active Directory environment. Here's a simplified explanation:
-
Purpose: The query identifies successful Resource Owner Password Credential (ROPC) sign-ins for accounts that haven't had any successful interactive or non-interactive sign-ins in the past 30 days. Dormant accounts are often targeted in credential-stuffing or breach-replay attacks because their inactivity can go unnoticed.
-
Trigger: The detection is triggered by a successful ROPC sign-in (where
ResultTypeis 0) for a user principal name (UPN) that hasn't appeared in the sign-in logs or non-interactive sign-in logs in the last 30 days. -
Tuning:
- Known legitimate ROPC applications are excluded from triggering alerts.
- Service or sync accounts that are intentionally dormant can be allowlisted to prevent false positives.
-
Severity and Techniques: The alert is marked as high severity and is associated with MITRE ATT&CK techniques T1078 (Valid Accounts) and T1110 (Brute Force).
-
Data Sources: The query uses data from Azure Active Directory, specifically the
AADNonInteractiveUserSignInLogsandSigninLogs. -
Query Logic:
- It first defines lists of legitimate ROPC applications and users.
- It checks for any sign-ins in the past 30 days to determine active accounts.
- It filters out sign-ins from known legitimate apps and allowlisted users.
- It identifies ROPC sign-ins from accounts not active in the last 30 days and summarizes the findings, including the number of sign-ins, IP addresses, countries, and applications involved.
-
Alert and Incident Configuration:
- Alerts are generated with a specific format indicating the dormant account and the nature of the suspicious activity.
- Incidents are created for these alerts, with configuration options for grouping and managing incidents.
Overall, this query helps security teams identify potentially compromised accounts that have been inactive, allowing them to take appropriate action to secure the environment.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 30d