Query Details

Entra ID SSPR Configuration Changes

Query

# Entra ID - Self Service Password Reset - Configuration Changes

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title                          | Reference Link                                                  |
|--------------|--------------------------------|------------------------------------------------------------------|
| T1098        | Account Manipulation          | [T1098](https://attack.mitre.org/techniques/T1098/) |
| T1556        | Modify Authentication Process | [T1556](https://attack.mitre.org/techniques/T1556/) |

### Description

Microsoft has introduced enhanced logging capabilities for Self-Service Password Reset (SSPR) policy configurations. With this update, any change made to the SSPR policy configuration—including enablement, disablement, or modifications—will generate an audit log entry detailing the change.

The audit log entry includes the following details:

- Change Details: A description of the action taken (e.g., enabled or disabled the policy).
- Previous and Current Values: Both the prior and updated configuration settings are recorded, providing comprehensive insight into the nature of the change.

To assist with detecting and analyzing these changes, the KQL (Kusto Query Language) query below can be used.

#### Risk

Misconfigured Microsoft SSPR settings, such as weak authentication methods, inadequate registration requirements, or unrestricted reset access, can lead to unauthorized account recovery and potential security breaches. Monitoring and auditing Microsoft SSPR configurations and usage is critical to ensure compliance with organizational security policies and to mitigate risks effectively.

#### Author

- **Name:** Alex Verboon

#### References

- [General Availability - Expansion of SSPR Policy Audit Logging](https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#general-availability---expansion-of-sspr-policy-audit-logging)
- [Self-service password management](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#self-service-password-management)

### Microsoft Sentinel

```kql
AuditLogs
// Keep only SSPR policy configuration changes
| where OperationName == "Update SSPR Settings"
// UPN of the user who made the change (empty when the change was app-initiated and only InitiatedBy.app is set)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// One row per modified property; the expanded column is auto-named TargetResources_0_modifiedProperties
| mv-expand parse_json(TargetResources)[0].modifiedProperties
| extend SSPR_Setting = tostring(TargetResources_0_modifiedProperties.displayName)
// newValue/oldValue are stored as JSON-encoded strings, so parse them and convert back to plain text
| extend newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| extend oldValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.oldValue)))
| project TimeGenerated, SSPR_Setting, oldValue, newValue, Actor, CorrelationId
```

Explanation

This KQL query is designed to help monitor and audit changes made to the Self-Service Password Reset (SSPR) policy configurations in Microsoft Entra ID (formerly Azure AD). Here's a simple breakdown of what the query does:

1. Data Source: It looks at the AuditLogs table for entries with the operation "Update SSPR Settings".
2. Extract Information:
   - It identifies the user (Actor) who initiated the change.
   - It expands the details of the modified properties within the SSPR settings.
3. Details Captured:
   - SSPR_Setting: The specific setting that was changed.
   - newValue: The new value of the setting after the change.
   - oldValue: The previous value of the setting before the change.
   - Actor: The user who made the change.
   - CorrelationId: A unique identifier for the operation, useful for tracking and correlation.
4. Output: The query projects (displays) the time of the change, the specific setting changed, the old and new values, the user who made the change, and the correlation ID for further analysis.

This query is useful for security monitoring, ensuring that any changes to SSPR settings are tracked, which helps in identifying potential misconfigurations or unauthorized changes that could lead to security risks.
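To make the query's nested extraction concrete, here is an added Python model (not part of the original page or the author's query) that applies the same filter, mv-expand and value-unwrapping steps to a constructed sample audit record. Field names follow the query above; the SSPR setting names, values and identifiers in the sample are assumptions.

```python
import json

# Constructed sample AuditLogs rows shaped like the fields the query above
# reads; setting names, values and identifiers are illustrative only.
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2025-01-22T10:15:30Z", "OperationName": "Update SSPR Settings",
     "CorrelationId": "00000000-0000-0000-0000-000000000001",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"modifiedProperties": [
         # old/new values arrive JSON-encoded (a quoted string, a number),
         # which is why the query wraps them in tostring(parse_json(...)).
         {"displayName": "SsprEnabled", "oldValue": "\"None\"", "newValue": "\"All\""},
         {"displayName": "MethodsRequired", "oldValue": "2", "newValue": "1"},
     ]}]},
    # Unrelated operation: the OperationName filter must drop it.
    {"TimeGenerated": "2025-01-22T10:16:00Z", "OperationName": "Add user",
     "CorrelationId": "00000000-0000-0000-0000-000000000002",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"modifiedProperties": [{"displayName": "Dept", "oldValue": "\"A\"", "newValue": "\"B\""}]}]},
]

def unwrap_value(raw):
    """Mirror tostring(parse_json(tostring(v))): strip one JSON encoding layer."""
    if raw is None:
        return ""                      # tostring(null) is "" in KQL
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return str(raw)                # not JSON: parse_json keeps it as-is
    # json.dumps renders bool/number/object the way KQL's tostring() does
    return parsed if isinstance(parsed, str) else json.dumps(parsed)

def sspr_setting_changes(records):
    """Project each modified SSPR property to one row, as the KQL query does."""
    rows = []
    for rec in records:
        if rec.get("OperationName") != "Update SSPR Settings":
            continue
        # App-initiated changes carry InitiatedBy.app, not .user, so Actor is "" here
        actor = ((rec.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName", "")
        targets = rec.get("TargetResources") or [{}]
        for prop in targets[0].get("modifiedProperties", []):   # mv-expand
            rows.append({"TimeGenerated": rec.get("TimeGenerated", ""),
                         "SSPR_Setting": prop.get("displayName", ""),
                         "oldValue": unwrap_value(prop.get("oldValue")),
                         "newValue": unwrap_value(prop.get("newValue")),
                         "Actor": actor,
                         "CorrelationId": rec.get("CorrelationId", "")})
    return rows
```

Running `sspr_setting_changes(SAMPLE_AUDIT_LOGS)` yields two rows for the SSPR record and none for the unrelated one; an empty Actor on a returned row means the change was not made by a signed-in user and deserves a closer look.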

Details


Alex Verboon

Released: January 22, 2025

Tables

AuditLogs

Keywords

AuditLogs, Actor, UserPrincipalName, TargetResources, ModifiedProperties, DisplayName, NewValue, OldValue, TimeGenerated, CorrelationId

Operators

where, extend, tostring, parse_json, mv-expand, project
