ROPC Impossible Travel - Multiple Countries via Password Grant
28 ROPC Impossible Travel
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| where isnotempty(Location)
| summarize
Count = count(),
Countries = make_set(Location),
CountryCount = dcount(Location),
IPs = make_set(IPAddress),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| where CountryCount >= 2
| extend IPAddress = tostring(IPs[0])
| order by CountryCount desc, Count descExplanation
This query is designed to detect suspicious login activity using the Resource Owner Password Credentials (ROPC) flow in Azure Active Directory. Here's a simple breakdown of what it does:
-
Purpose: It identifies cases where the same user successfully logs in from two or more different countries within a one-hour period using the ROPC authentication method. This could indicate that the user's credentials have been stolen and are being used by attackers in different locations.
-
How It Works:
- The query looks at non-interactive user sign-in logs from Azure Active Directory.
- It filters out known legitimate applications that use ROPC and excludes IPs that are on an allowlist (such as corporate VPNs).
- It checks for successful logins (ResultType == 0) using ROPC within the last hour.
- It groups the data by user and counts the number of distinct countries from which the user has logged in.
- If a user has logged in from two or more different countries within an hour, it flags this as suspicious.
-
Alerting:
- If the conditions are met, an alert is generated with details about the user, the number of countries, and the applications involved.
- The alert is classified as high severity and is linked to specific MITRE ATT&CK techniques related to credential access and initial access.
-
Additional Features:
- The query includes mechanisms to suppress noise from legitimate applications and known IP addresses.
- It creates incidents for detected cases, with the option to group related alerts by user account.
Overall, this query helps security teams identify potential account compromises by detecting unusual login patterns that suggest credential theft and misuse.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h