Adversaries may exploit a Temporary Access Pass to gain unauthorized access to privileged systems, bypassing standard authentication controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential compromise and lateral movement attempts.
KQL Query
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where OperationName =~ "Admin registered security info"
| where ResultReason =~ "Admin registered temporary access pass method for user"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
id: d7feb859-f03e-4e8d-8b21-617be0213b13
name: Addition of a Temporary Access Pass to a Privileged Account
description: |
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.
A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.
A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.
Review any TAP creations to ensure they were used legitimately.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
severity: High
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1078.004
tags:
- AADSecOpsGuide
query: |
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where OperationName =~ "Admin registered security info"
| where ResultReason =~ "Admin registered temporary access pass method for user"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUserPrincipalName
- identifier: Name
columnName: TargetAccountName
- identifier: UPNSuffix
columnName: TargetAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingUserPrincipalName
- identifier: Name
columnName: InitiatingAccountName
- identifier: UPNSuffix
columnName: InitiatingAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: TargetAadUserId
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: InitiatingAadUserId
| Sentinel Table | Notes |
|---|---|
AuditLogs | Ensure this data connector is enabled |
IdentityInfo | Ensure this data connector is enabled |
Scenario: A system administrator generates a temporary access pass for a privileged account to perform a scheduled maintenance task using Ansible or Puppet.
Filter/Exclusion: Exclude events where the TAP is generated by a known admin tool or user (e.g., user = "admin" OR tool = "ansible") and the task is documented in a ticketing system like Jira or ServiceNow.
Scenario: A privileged account is used to execute a scheduled job (e.g., via cron or Windows Task Scheduler) that requires temporary access for a short duration.
Filter/Exclusion: Exclude events where the TAP is associated with a known scheduled job ID or task name and the access is part of a documented operational procedure.
Scenario: An admin manually logs into a privileged account using a temporary passcode to troubleshoot an issue, such as a failed login attempt or service outage.
Filter/Exclusion: Exclude events where the TAP is issued by a known admin user (e.g., user = "root" OR user = "admin") and the activity is logged in a change management system like ServiceNow or Remedy.
Scenario: A privileged account is used to access a secure vault (e.g., HashiCorp Vault) to retrieve a temporary passcode for a third-party service integration.
Filter/Exclusion: Exclude events where the access is initiated from a known vault integration tool (e.g., tool = "vault-cli") and the activity is logged in a configuration management system like Chef or SaltStack.
Scenario: A temporary access pass is issued for a privileged account to support a security audit or penetration test conducted by an