SSPR Password Reset Initiatedvia MS Graph
Query
// Detects when a self service password reset has been initiated via MS Graph and is successful
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName == "POST UserAuthMethod.ResetPasswordOnPasswordMethods"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, OperationName, Actor, CorrelationId
| join kind=inner
(AuditLogs
| where OperationName == "Reset password (by admin)"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| where Result == "success"
)
on CorrelationId
| project GraphPostTime=TimeGenerated, PasswordResetTime=TimeGenerated1, Actor, TargetExplanation
This query detects when a self-service password reset is initiated through MS Graph and is successful. It uses the Azure Active Directory - Audit Logs data connector. The query retrieves audit logs where the operation name is "POST UserAuthMethod.ResetPasswordOnPasswordMethods". It then extends the "Actor" field to get the user who initiated the reset. The query also retrieves audit logs where the operation name is "Reset password (by admin)" and the result is "success". It joins these two sets of logs based on the correlation ID. The final result includes the time the password reset was initiated, the time it was reset, the actor (user who initiated the reset), and the target user.
Details

Matt Zorich
Released: June 17, 2022
Tables
Keywords
Operators