Entra Password Resets
Query
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName has_any("Reset password (self-service)","Change user password")
| where Result == "success"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend TargetId = TargetResources[0].id
| extend DisplayName = tostring(TargetResources[0].userPrincipalName)
| extend initiator =iff(isempty(parse_json(tostring(InitiatedBy.user)).userPrincipalName),parse_json(tostring(InitiatedBy.app)).displayName,(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
| extend IPAddress= parse_json(tostring(InitiatedBy.user)).ipAddressExplanation
This KQL (Kusto Query Language) query is designed to analyze audit logs and identify successful password reset or change operations that occurred within the last 90 days. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by accessing the
AuditLogstable. -
Time Filter: It filters the logs to include only those generated in the last 90 days.
-
Operation Filter: It further narrows down the logs to include only those where the operation was either a "Reset password (self-service)" or "Change user password".
-
Result Filter: It ensures that only successful operations are considered by checking if the
Resultis "success". -
Extract Target Information:
- It extracts the user principal name (email or username) of the target user whose password was reset or changed and stores it in a new column called
Target. - It also extracts the ID of the target user and stores it in
TargetId. - It duplicates the user principal name into another column called
DisplayName.
- It extracts the user principal name (email or username) of the target user whose password was reset or changed and stores it in a new column called
-
Extract Initiator Information:
- It determines who initiated the operation. If the operation was initiated by a user, it extracts the user's principal name. If initiated by an application, it extracts the application's display name. This information is stored in a column called
initiator.
- It determines who initiated the operation. If the operation was initiated by a user, it extracts the user's principal name. If initiated by an application, it extracts the application's display name. This information is stored in a column called
-
Extract IP Address: It extracts the IP address from which the operation was initiated and stores it in a column called
IPAddress.
In summary, this query retrieves and organizes information about successful password reset or change operations from the audit logs, including details about the target user, the initiator, and the IP address involved.
Details

Jay Kerai
Released: December 2, 2025
Tables
Keywords
Operators