Blocked Sign In By User Credential Policy With TAP Outside Of The Authentication Methods Policy
Query
// Time range between generation of TAP and login attempts
let logonDiff = 4h;
AuditLogs
| where LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user"
| extend TAPInitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend TAPInitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend TAPTargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TAPTargetId = tostring(TargetResources[0].id)
| project TAPGeneratedTime = TimeGenerated, UserPrincipalName = TAPTargetUpn, TAPInitiatingUserOrApp, TAPInitiatingIpAddress
| join kind= inner (
SigninLogs
// Error Code "130502" seems to be audited in case of "Temporary Access Pass sign in was blocked due to User Credential Policy.", no documentation available as far as I know
| where ResultType == "130502"
| where AuthenticationDetails contains "Temporary Access Pass"
| project SignInAttemptTime = TimeGenerated, UserPrincipalName, SignInAttemptIPAddress = IPAddress
) on UserPrincipalName
| where TAPGeneratedTime < SignInAttemptTime and SignInAttemptTime - TAPGeneratedTime <= logonDiff
| summarize TAPGeneratedTime = max(TAPGeneratedTime), SignInAttemptTime = max(SignInAttemptTime) by UserPrincipalName, TAPInitiatingUserOrApp, SignInAttemptIPAddress
| extend timestamp = SignInAttemptTime, AccountCustomEntity = TAPInitiatingUserOrApp, IPCustomEntity = SignInAttemptIPAddressExplanation
This query identifies when a privileged user has generated a temporary access pass (TAP) outside of the Authentication Methods policy and sign-in was blocked due to User Credential Policy. It looks for audit logs where the TAP method was registered for a user and then joins it with sign-in logs where the TAP was used. The query calculates the time difference between the generation of the TAP and the sign-in attempt and summarizes the results by user, initiating user or app, and sign-in IP address. The query is scheduled to run daily and requires data connectors for Azure Active Directory sign-in and audit logs. The severity of this issue is medium. The relevant techniques are Credential Access and Initial Access.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1d
Period: 1d