Bulk Password Profile Updates Across Multiple Users
AR 006 Bulk Password Profile Updates
Query
// --- Configurable ---
let UpdateThreshold = 5;
// --------------------
AuditLogs
| where TimeGenerated > ago(2h)
| where ActivityDisplayName in (
"Update PasswordProfile",
"Update StsRefreshTokenValidFrom Timestamp",
"Reset user password",
"Change user password")
| where Result == "success"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetUser = tostring(TargetResources[0].displayName)
| extend TargetUserUPN = tostring(TargetResources[0].userPrincipalName)
| summarize
UpdateCount = count(),
DistinctTargets = dcount(TargetUserUPN),
TargetUsers = make_set(TargetUserUPN, 20),
Operations = make_set(ActivityDisplayName),
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated),
CorrelationIds = make_set(CorrelationId, 5)
by Actor, InitiatedByUPN, bin(TimeGenerated, 1h)
| where UpdateCount >= UpdateThreshold and DistinctTargets >= 3
| extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)Explanation
This query is designed to detect suspicious activity related to bulk password or token updates in Azure Active Directory. Here's a simple summary:
-
Purpose: The query identifies when a single user (or actor) successfully updates the password profile or token information for five or more different user accounts within a one-hour period. This behavior is unusual and could indicate malicious activity, such as an attacker trying to reset passwords or revoke tokens to disrupt security responses.
-
Context: Such bulk updates might occur during exploitation of Azure AD Connect sync or when an attacker is manipulating multiple accounts. It's considered suspicious unless performed by a known, privileged service account.
-
Severity: The alert is marked as high severity due to the potential security implications.
-
Data Source: It uses audit logs from Azure Active Directory to track these activities.
-
Frequency: The query runs every hour and looks back over the past two hours to identify any such activities.
-
Alert Details: If the conditions are met, an alert is generated, detailing the number of operations, the number of affected accounts, and the actor responsible.
-
Customization: The alert message and details are customizable to provide clear information about the incident.
Overall, this query helps in identifying potential security threats related to unauthorized bulk password or token updates in an organization's Azure environment.
Details

David Alonso
Released: April 6, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 2h