Active Directory - Account Password Not Required changed
AD Account Password Not Required Changed
Query
IdentityDirectoryEvents
| where ActionType == @"Account Password Not Required changed"
| extend NewValue = parse_json(AdditionalFields)["NewValue"]
| extend OldValue = parse_json(AdditionalFields)["OldValue"]
| project Timestamp, TargetAccountUpn, TargetAccountDisplayName, AccountName, AccountUpn, NewValue, OldValueAbout this query
Active Directory - Account Password Not Required changed
Query Information
Description
Use the below query to see Account Password Not Required changed events
References
Microsoft Defender XDR
Explanation
This KQL query is designed to identify and display events where the "Account Password Not Required" setting has been changed in Active Directory. Here's a simple breakdown of what the query does:
-
Data Source: It looks at the
IdentityDirectoryEventstable, which contains events related to identity and directory activities. -
Filter: It specifically filters for events where the
ActionTypeis "Account Password Not Required changed". This means it only considers events where there has been a change to the setting that determines whether a password is required for an account. -
Extracting Information:
- It extracts the new and old values of the setting from the
AdditionalFieldscolumn usingparse_json. This helps in understanding what the setting was changed from and to.
- It extracts the new and old values of the setting from the
-
Output: The query then selects and displays specific columns:
Timestamp: When the change occurred.TargetAccountUpn: The User Principal Name of the account whose setting was changed.TargetAccountDisplayName: The display name of the account.AccountNameandAccountUpn: Additional identifiers for the account.NewValueandOldValue: The new and old values of the "Account Password Not Required" setting.
In summary, this query helps administrators track changes to the password requirement setting for accounts in Active Directory, providing details on when the change happened and which account was affected.
Details

Alex Verboon
Released: April 16, 2026
Tables
Keywords
Operators