Query Details

Identity Visualize SSPR

Query

//Visualize successful self service password resets and account unlocks over time

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago (180d)
| where OperationName in ("Reset password (self-service)", "Unlock user account (self-service)")
| summarize
    ['Password Reset']=countif(OperationName == "Reset password (self-service)" and ResultDescription == "Successfully completed reset."),
    ['Account Unlock']=countif(OperationName == "Unlock user account (self-service)" and ResultDescription == "Success")
    by startofweek(TimeGenerated)
| render timechart
    with (
    ytitle="Count",
    xtitle="Day",
    title="Self Service Password Resets and Account Unlocks over time")

Explanation

This query visualizes the number of successful self-service password resets (SSPR) and account unlocks over time. It requires the Azure Active Directory - Audit Logs data connector. The query filters the AuditLogs table to the past 180 days and to the "Reset password (self-service)" and "Unlock user account (self-service)" operations, then counts only the successful ones: resets whose ResultDescription is "Successfully completed reset." and unlocks whose ResultDescription is "Success". The counts are summarized by the start of each week and rendered as a time chart, with the count on the y-axis and time on the x-axis (the axis is labelled "Day", but each point is a weekly total). The chart is titled "Self Service Password Resets and Account Unlocks over time".

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Reset password (self-service), Unlock user account (self-service), ResultDescription, Password Reset, Account Unlock, startofweek, render, timechart, ytitle, xtitle, title

Operators

where, ago, in, countif, and, by, startofweek, render
