Identities Set To Password Never Expires With Blast Radius Value Or Tagged As Sensitive
Query
let IdBlastRadiusLow =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "Low"
| extend BlastRadius = "🟨 Low"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let IdBlastRadiusMedium =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "Medium"
| extend BlastRadius = "🟧 Medium"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let IdBlastRadiusHigh =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "High"
| extend BlastRadius = "🟥 High"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let SensitiveAccount =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where Tags != "[]"
| extend Tags = "⚠️ Sensitive Account"
| project AccountDisplayName, AccountName, EmailAddress, Tags;
union isfuzzy=true IdBlastRadiusLow,IdBlastRadiusMedium, IdBlastRadiusHigh, SensitiveAccount
| summarize by AccountDisplayName, AccountName, EmailAddress, BlastRadius, Tags
| sort by AccountDisplayName ascAbout this query
Identities set to “Password Never Expires” with Blast Radius value or tagged as Sensitive
Description
The following query will take advantage of the recently introduced IdentityInfo table and will identify enabled accounts that are set with no password expiration that either have a Blast Radius value or are tagged as Sensitive. Results will return accounts that should be further investigated whether the pose a risk or not.
Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 16/05/2025 | Initial publish |
Explanation
This query is designed to identify user accounts that are enabled and have the "Password Never Expires" setting. It focuses on accounts that either have a specified "Blast Radius" value (indicating the potential impact of a security breach) or are tagged as "Sensitive." The query categorizes these accounts based on their blast radius level (Low, Medium, or High) and identifies sensitive accounts separately. The results include the account's display name, account name, email address, and either the blast radius or sensitivity tag. The final output is sorted by the account display name for easier review. This helps in identifying accounts that may pose a security risk and require further investigation.
Details

Michalis Michalos
Released: May 17, 2025
Tables
Keywords
Operators