Query Details
# Active Directory - Account Password Not Required changed

## Query Information

### Description

Use the below query to see ***Account Password Not Required changed*** events

#### References

### Microsoft Defender XDR

```kql
IdentityDirectoryEvents
| where ActionType == @"Account Password Not Required changed"
| extend NewValue = parse_json(AdditionalFields)["NewValue"]
| extend OldValue = parse_json(AdditionalFields)["OldValue"]
| project Timestamp, TargetAccountUpn, TargetAccountDisplayName, AccountName, AccountUpn, NewValue, OldValue
```

This query is designed to identify events in Active Directory where the "Account Password Not Required" setting has been changed for user accounts. Here's a simple breakdown of what the query does:

- **Data Source:** It looks at events from `IdentityDirectoryEvents`, which is a log of directory-related activities.
- **Filter:** It specifically filters for events where the action type is "Account Password Not Required changed". This means it only considers changes to the setting that determines whether a password is required for an account.
- **Extract Values:** It extracts the new and old values of this setting from a field called `AdditionalFields`. This is done using `parse_json` to interpret the data correctly.
- **Select Information:** The query then selects and displays specific pieces of information:
  - `Timestamp`: When the change occurred.
  - `TargetAccountUpn`: The User Principal Name (UPN) of the account whose setting was changed.
  - `TargetAccountDisplayName`: The display name of the account.
  - `AccountName` and `AccountUpn`: Additional identifiers for the account.
  - `NewValue` and `OldValue`: The new and old states of the "Account Password Not Required" setting.

In summary, this query helps administrators track changes to a security-related setting in Active Directory, providing details about when and how the setting was altered for specific user accounts.
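
A triage variant of the query above, added here as an example and not part of the original page: it keeps only accounts whose most recent change left the setting enabled. It runs on constructed sample rows; the account names, timestamps and the "True"/"False" value format in `AdditionalFields` are assumptions.

```kql
// Added example: constructed sample rows standing in for IdentityDirectoryEvents.
// Account names, timestamps and the "True"/"False" strings are assumptions.
let SampleEvents = datatable(
    Timestamp:datetime, ActionType:string, TargetAccountUpn:string,
    TargetAccountDisplayName:string, AdditionalFields:dynamic)
[
    datetime(2025-05-01 08:00:00), "Account Password Not Required changed", "svc-backup@contoso.example", "svc-backup", dynamic({"NewValue":"True","OldValue":"False"}),
    datetime(2025-05-01 09:30:00), "Account Password Not Required changed", "jdoe@contoso.example", "John Doe", dynamic({"NewValue":"True","OldValue":"False"}),
    datetime(2025-05-02 10:15:00), "Account Password Not Required changed", "jdoe@contoso.example", "John Doe", dynamic({"NewValue":"False","OldValue":"True"}),
    datetime(2025-05-03 11:00:00), "Account Disabled changed", "jdoe@contoso.example", "John Doe", dynamic({"NewValue":"True","OldValue":"False"})
];
SampleEvents   // replace with IdentityDirectoryEvents to run against live data
| where ActionType == "Account Password Not Required changed"
| extend Fields = parse_json(AdditionalFields)
// Compare as text so both "True" strings and boolean true match.
| extend NewValue = tostring(Fields["NewValue"]) =~ "true",
         OldValue = tostring(Fields["OldValue"]) =~ "true"
// Keep the most recent change per account and count how often it was toggled.
| summarize arg_max(Timestamp, NewValue, OldValue, TargetAccountDisplayName),
            ChangeCount = count() by TargetAccountUpn
// Only accounts whose latest change left "password not required" enabled.
| where NewValue == true
| project LastChanged = Timestamp, TargetAccountUpn, TargetAccountDisplayName, ChangeCount
```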

Alex Verboon
Released: May 19, 2025