Bulk Password Profile Updates Across Multiple Users
AR 006 Bulk Password Profile Updates
Query
// --- Configurable ---
let UpdateThreshold = 5;
// --------------------
AuditLogs
| where TimeGenerated > ago(2h)
| where ActivityDisplayName in (
"Update PasswordProfile",
"Update StsRefreshTokenValidFrom Timestamp",
"Reset user password",
"Change user password")
| where Result == "success"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetUser = tostring(TargetResources[0].displayName)
| extend TargetUserUPN = tostring(TargetResources[0].userPrincipalName)
| summarize
UpdateCount = count(),
DistinctTargets = dcount(TargetUserUPN),
TargetUsers = make_set(TargetUserUPN, 20),
Operations = make_set(ActivityDisplayName),
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated),
CorrelationIds = make_set(CorrelationId, 5)
by Actor, InitiatedByUPN, bin(TimeGenerated, 1h)
| where UpdateCount >= UpdateThreshold and DistinctTargets >= 3
| extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)Explanation
This query is designed to detect suspicious activity related to bulk password or token updates in an Azure Active Directory environment. Here's a simple breakdown of what it does:
-
Purpose: The query identifies instances where a single user or application (referred to as "actor") successfully updates the password profile or token validity timestamp for five or more different user accounts within a one-hour period. This behavior can indicate potential security threats, such as exploitation of Azure AD Connect or unauthorized password resets by an attacker.
-
Severity: The alert generated by this query is considered high severity because such actions can be indicative of malicious activity aimed at maintaining persistence or impacting the system.
-
Data Source: It uses audit logs from Azure Active Directory to track these events.
-
Detection Logic:
- It looks for specific activities: "Update PasswordProfile", "Update StsRefreshTokenValidFrom Timestamp", "Reset user password", and "Change user password".
- It filters for successful operations only.
- It groups the data by the actor and counts the number of distinct user accounts affected.
- If an actor updates five or more different accounts within an hour, it triggers an alert.
-
Alert Details: The alert provides information about the number of operations, the distinct accounts affected, and the actor responsible. It also includes the time duration over which these updates occurred.
-
Use Case: This query is useful for security teams to identify and respond to potential unauthorized access or manipulation of user accounts in a timely manner.
-
Additional Information: The query references tools and techniques related to account manipulation, such as AADInternals and MITRE ATT&CK techniques T1098 (Account Manipulation), T1531, and T1070. Overall, this query helps in monitoring and detecting unusual patterns of account updates that could signify a security breach or misuse of administrative privileges.
Details

David Alonso
Released: April 6, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 2h