Query Details
AuditLogs
| where OperationName == "Change password (self-service)"
| where ResultDescription == "PasswordDoesnotComplyFuzzyPolicy"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| summarize count() by User
| where count_ > 1 //use to tune threshold
This query analyzes audit logs to identify users who attempted a self-service password change that failed because the new password did not comply with the fuzzy policy. Here's a breakdown of what the query does:
Filter for Specific Operation: It looks for log entries where the operation name is "Change password (self-service)".
Filter for Specific Result: It further filters these entries to only include those where the result description is "PasswordDoesnotComplyFuzzyPolicy", indicating the password change attempt failed due to non-compliance with the policy.
Extract User Information: It extracts the user's principal name (essentially their username or email) from the log entry and assigns it to a new column called "User".
Count Attempts by User: It counts how many times each user has encountered this specific failure.
Filter for Multiple Failures: Finally, it filters the results to only include users who have failed more than once, allowing you to focus on users who might need additional assistance or guidance.
The comment "//use to tune threshold" suggests that the threshold for the number of failures (currently set to more than one) can be adjusted based on specific needs or criteria.
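To check the filters and the threshold before pointing the query at tenant data, the same logic can be run against a constructed table. This is an added example, not part of the original query; the `SampleAuditLogs` rows, the user names, the `FailureThreshold` variable and the `Failures`/`FirstSeen`/`LastSeen` column names are assumptions made for illustration.

```kql
// Assumption: same cut-off as the original query (more than one failure).
let FailureThreshold = 1;
// Constructed rows standing in for AuditLogs; not real tenant data.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    ResultDescription: string,
    InitiatedBy: dynamic)
[
    // Repeated failures against the fuzzy policy by one user.
    datetime(2025-06-10 09:00:00), "Change password (self-service)", "PasswordDoesnotComplyFuzzyPolicy",
        dynamic({"user": {"userPrincipalName": "alice@contoso.example"}}),
    datetime(2025-06-10 09:02:00), "Change password (self-service)", "PasswordDoesnotComplyFuzzyPolicy",
        dynamic({"user": {"userPrincipalName": "alice@contoso.example"}}),
    datetime(2025-06-10 09:05:00), "Change password (self-service)", "PasswordDoesnotComplyFuzzyPolicy",
        dynamic({"user": {"userPrincipalName": "alice@contoso.example"}}),
    // A single failure: at or below the threshold.
    datetime(2025-06-10 10:00:00), "Change password (self-service)", "PasswordDoesnotComplyFuzzyPolicy",
        dynamic({"user": {"userPrincipalName": "bob@contoso.example"}}),
    // One failure followed by a change with an empty result description.
    datetime(2025-06-10 11:00:00), "Change password (self-service)", "PasswordDoesnotComplyFuzzyPolicy",
        dynamic({"user": {"userPrincipalName": "carol@contoso.example"}}),
    datetime(2025-06-10 11:01:00), "Change password (self-service)", "",
        dynamic({"user": {"userPrincipalName": "carol@contoso.example"}}),
    // Same result description under a different operation name (constructed):
    // the first filter excludes these rows.
    datetime(2025-06-10 12:00:00), "Reset password (self-service)", "PasswordDoesnotComplyFuzzyPolicy",
        dynamic({"user": {"userPrincipalName": "dave@contoso.example"}}),
    datetime(2025-06-10 12:01:00), "Reset password (self-service)", "PasswordDoesnotComplyFuzzyPolicy",
        dynamic({"user": {"userPrincipalName": "dave@contoso.example"}})
];
SampleAuditLogs
| where OperationName == "Change password (self-service)"
| where ResultDescription == "PasswordDoesnotComplyFuzzyPolicy"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// Naming the aggregate and keeping first/last timestamps shows how tightly
// the failures are clustered when triaging a result.
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by User
| where Failures > FailureThreshold
```

Replacing `SampleAuditLogs` with `AuditLogs` in the final statement runs the same pipeline against live data.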

Jay Kerai
Released: June 10, 2025