Adversaries may be attempting to gain unauthorized access to Azure Portal resources using invalid credentials or non-existent user accounts. SOC teams should proactively hunt for this behavior to identify potential credential stuffing or reconnaissance efforts targeting Azure environments.
KQL Query
```kusto
SigninLogs
| where AppDisplayName contains "Azure Portal"
// 50126 - Invalid username or password, or invalid on-premises username or password.
// 50020? - The user doesn't exist in the tenant.
| where ResultType in ("50126", "50020")
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress), DistinctIPCount = dcount(IPAddress),
    make_set(OS), make_set(Browser), make_set(City), AttemptCount = count()
    by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName
| sort by AttemptCount
```
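To make the grouping keys and aggregates of the query visible without a Sentinel workspace, the following added example (not part of the rule or its author's code) re-implements the filter, extend and summarize stages in Python over constructed SigninLogs-shaped records. The sample sign-ins, user names and IP addresses are constructed; the ResultDescription strings are taken from the query's own comments.

```python
"""Added example (not part of the Sentinel rule): re-implements the hunting
query's filter/extend/summarize stages over constructed SigninLogs-like
records, so the grouping keys and aggregates can be inspected offline."""
from collections import defaultdict

# Error codes the KQL `where ResultType in (...)` keeps (see the query's comments).
WATCHED_RESULT_TYPES = {"50126", "50020"}

# The `by` clause of the summarize: one output row per distinct combination.
GROUP_KEYS = ("UserDisplayName", "UserPrincipalName", "AppDisplayName", "ResultType",
              "ResultDescription", "StatusCode", "StatusDetails", "Location", "State")

# Constructed ResultDescription text per code, taken from the query's comments.
RESULT_DESCRIPTIONS = {
    "50126": "Invalid username or password, or invalid on-premises username or password.",
    "50020": "The user doesn't exist in the tenant.",
    "0": "",
}


def signin(ts, upn, name, ip, result_type, app="Azure Portal", city="Redmond",
           os_name="Windows 10", browser="Edge 120"):
    """Build one constructed record shaped like the SigninLogs columns the query reads."""
    return {
        "TimeGenerated": ts,  # ISO-8601 UTC, so string order equals time order
        "AppDisplayName": app,
        "ResultType": result_type,
        "ResultDescription": RESULT_DESCRIPTIONS[result_type],
        "UserDisplayName": name,
        "UserPrincipalName": upn,
        "IPAddress": ip,
        "Location": "US",
        "DeviceDetail": {"operatingSystem": os_name, "browser": browser},
        "Status": {"errorCode": int(result_type), "additionalDetails": ""},
        "LocationDetails": {"state": "Washington", "city": city},
    }


# Constructed sample data: three bad passwords for alice from two IPs, one attempt
# against a non-existent account, one successful sign-in, and one failure against
# a different app.  Only the first two groups should survive the query.
SAMPLE_SIGNIN_LOGS = [
    signin("2024-01-10T08:00:00Z", "alice@contoso.example", "Alice Example", "203.0.113.10", "50126"),
    signin("2024-01-10T08:00:07Z", "alice@contoso.example", "Alice Example", "203.0.113.10", "50126"),
    signin("2024-01-10T08:02:30Z", "alice@contoso.example", "Alice Example", "198.51.100.7", "50126",
           city="Seattle", browser="Chrome 120"),
    signin("2024-01-10T08:03:00Z", "nobody@contoso.example", "", "198.51.100.7", "50020"),
    signin("2024-01-10T08:04:00Z", "alice@contoso.example", "Alice Example", "203.0.113.10", "0"),
    signin("2024-01-10T08:05:00Z", "alice@contoso.example", "Alice Example", "203.0.113.10", "50126",
           app="Office 365 Exchange Online"),
]


def extend(rec):
    """Mirror the query's `extend` lines: pull the dynamic sub-fields into flat columns."""
    flat = dict(rec)
    flat["OS"] = rec["DeviceDetail"].get("operatingSystem")
    flat["Browser"] = rec["DeviceDetail"].get("browser")
    flat["StatusCode"] = str(rec["Status"].get("errorCode"))
    flat["StatusDetails"] = str(rec["Status"].get("additionalDetails"))
    flat["State"] = str(rec["LocationDetails"].get("state"))
    flat["City"] = str(rec["LocationDetails"].get("city"))
    return flat


def failed_portal_access(records):
    """Filter and summarize as the KQL does; rows come back ordered like `sort by AttemptCount`."""
    groups = defaultdict(list)
    for rec in records:
        # KQL `contains` is case-insensitive, so compare lower-cased.
        if "azure portal" not in rec["AppDisplayName"].lower():
            continue
        if rec["ResultType"] not in WATCHED_RESULT_TYPES:
            continue
        flat = extend(rec)
        groups[tuple(flat[k] for k in GROUP_KEYS)].append(flat)

    rows = []
    for key, members in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        times = [m["TimeGenerated"] for m in members]
        row["StartTime"], row["EndTime"] = min(times), max(times)
        row["IPAddresses"] = sorted({m["IPAddress"] for m in members})  # make_set(IPAddress)
        row["DistinctIPCount"] = len(row["IPAddresses"])                # dcount(IPAddress)
        for col in ("OS", "Browser", "City"):                            # unnamed make_set -> set_<col>
            row[f"set_{col}"] = sorted({m[col] for m in members})
        row["AttemptCount"] = len(members)                               # count()
        row["timestamp"] = row["StartTime"]                              # entity-mapping helpers
        row["AccountCustomEntity"] = row["UserPrincipalName"]
        rows.append(row)

    # KQL `sort by <column>` defaults to descending order.
    rows.sort(key=lambda r: r["AttemptCount"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in failed_portal_access(SAMPLE_SIGNIN_LOGS):
        print(row["UserPrincipalName"], row["AttemptCount"], row["DistinctIPCount"], row["IPAddresses"])
```

Running it yields two rows: the three alice failures collapse into one row with `AttemptCount` 3 and `DistinctIPCount` 2, and the attempt against the non-existent account forms a second row; the successful sign-in and the Exchange Online failure never reach the summarize. Because every column in the `by` clause is a grouping key, a user whose failures carry different `StatusDetails` or `State` values will be split across several rows, which is worth keeping in mind when reading the `AttemptCount` ranking.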
```yaml
id: cf83633e-5dfd-4887-993b-c910452439da
name: Failed attempt to access Azure Portal
description: |
  'Access attempts to Azure Portal from an unauthorized user. Either invalid password or the user account does not exist.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  SigninLogs
  | where AppDisplayName contains "Azure Portal"
  // 50126 - Invalid username or password, or invalid on-premises username or password.
  // 50020? - The user doesn't exist in the tenant.
  | where ResultType in ("50126", "50020")
  | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
  | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
  | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress), DistinctIPCount = dcount(IPAddress),
      make_set(OS), make_set(Browser), make_set(City), AttemptCount = count()
      by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State
  | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName
  | sort by AttemptCount
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Shain
  support:
    tier: Community
  categories:
    domains: [ "Security - Other", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| SigninLogs | Ensure this data connector is enabled |
Scenario: Scheduled Job to Monitor Azure Resources
Description: A system administrator uses Azure Monitor to set up a scheduled job that checks for resource usage or health status. This job may attempt to authenticate to the Azure Portal as part of its configuration.
Filter/Exclusion: Exclude IP addresses associated with Azure services (e.g., 13.74.127.0/24) or filter by user agent strings that match Azure service agents.
Scenario: Azure AD Password Reset via Microsoft Authenticator
Description: An end-user attempts to reset their Azure AD password using the Microsoft Authenticator app. This may result in multiple failed login attempts if the user enters an incorrect password or if the app is not properly configured.
Filter/Exclusion: Exclude login attempts from the Microsoft Authenticator app (user agent or device fingerprint) or filter by the msGraph API or Azure AD Password Reset service.
Scenario: Admin Task to Reset Azure AD User Password
Description: An admin uses the Azure portal or Azure CLI to reset a user’s password. This may involve multiple failed attempts if the admin is testing the password or if the user account is locked.
Filter/Exclusion: Exclude IP addresses used by internal admin tools (e.g., 10.0.0.0/8) or filter by the Azure CLI or Azure Portal Admin user agent.
Scenario: Azure DevOps Pipeline with Azure Login
Description: A CI/CD pipeline configured with Azure DevOps may attempt to authenticate to the Azure Portal as part of deployment tasks, especially if credentials are misconfigured or if the pipeline is testing authentication flows.
Filter/Exclusion: Exclude IP addresses from Azure DevOps services (e.g., 52.168.100.0/24) or filter
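The scenarios above all reduce to two kinds of exclusion: allow-listing source ranges and allow-listing known service user agents. The following added example (not part of the rule) shows how such a pre-filter can be applied to SigninLogs-shaped records before they reach the failed-access query. The CIDR ranges are the ones quoted in the scenarios; the user-agent patterns and the sample records are constructed placeholders, and the `UserAgent` column name is the standard SigninLogs column.

```python
"""Added example (not part of the Sentinel rule): applies the exclusions the
false-positive scenarios describe (allow-listed source ranges and known
service user agents) to SigninLogs-shaped records.  The CIDRs are the ranges
quoted on the page; user-agent patterns and records are constructed."""
import ipaddress
import re

# Ranges quoted in the scenarios.  In practice this list should be generated from
# Microsoft's published Azure IP ranges / service tags, which change over time.
EXCLUDED_RANGES = [ipaddress.ip_network(c) for c in (
    "13.74.127.0/24",   # scenario 1: Azure service range
    "10.0.0.0/8",       # scenario 3: internal admin tooling
    "52.168.100.0/24",  # scenario 4: Azure DevOps agents
)]

# Constructed placeholder patterns for the SigninLogs UserAgent column; replace
# them with the agent strings actually observed for these services in your tenant.
EXCLUDED_USER_AGENT_PATTERNS = [re.compile(p) for p in (
    r"^AZURECLI/",      # placeholder for the Azure CLI user agent (assumption)
    r"Authenticator",   # placeholder for the Microsoft Authenticator app (assumption)
)]


def ip_is_excluded(ip_text):
    """True if the client IP falls inside any allow-listed range.

    Unparsable or empty IP values are deliberately kept (not excluded) so they
    still surface for review rather than silently disappearing."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in EXCLUDED_RANGES)


def user_agent_is_excluded(user_agent):
    """True if the UserAgent column matches one of the service-agent patterns."""
    return any(p.search(user_agent or "") for p in EXCLUDED_USER_AGENT_PATTERNS)


def apply_exclusions(records):
    """Split records into (kept, excluded) so the excluded set remains reviewable."""
    kept, excluded = [], []
    for rec in records:
        if ip_is_excluded(rec.get("IPAddress", "")) or user_agent_is_excluded(rec.get("UserAgent")):
            excluded.append(rec)
        else:
            kept.append(rec)
    return kept, excluded


# Constructed records carrying only the two columns this stage inspects.
SAMPLE_RECORDS = [
    {"IPAddress": "203.0.113.10", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)"},   # kept
    {"IPAddress": "13.74.127.5", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)"},    # Azure range
    {"IPAddress": "10.20.30.40", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)"},    # admin range
    {"IPAddress": "198.51.100.7", "UserAgent": "AZURECLI/2.0.0 (placeholder)"},    # CLI agent
    {"IPAddress": "not-an-ip", "UserAgent": ""},                                    # kept for review
]


if __name__ == "__main__":
    kept, excluded = apply_exclusions(SAMPLE_RECORDS)
    print(f"kept {len(kept)}, excluded {len(excluded)}")
```

The function returns the excluded records rather than discarding them because an exclusion only says a source is expected, not that its failures are benign: a /8 or a shared cloud range can carry hostile traffic too, so exclusions should be as narrow as the environment allows and the excluded set should still be sampled periodically.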