Adversaries may create Temporary Access Passes (TAPs) to bypass existing authentication controls and gain unauthorized access to accounts and the systems they reach. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential-bypass attempts and unauthorized account access.
KQL Query
```kql
let timeframe = 1d;
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where Category =~ "UserManagement"
| where OperationName in~ (
    "Admin registered security info",
    "Create Temporary Access Pass method for user",
    "Update user"
)
| where Result =~ "success"
| mv-expand ModProp = TargetResources[0].modifiedProperties
| where tostring(ModProp.newValue) has "TemporaryAccessPass"
    or tostring(ModProp.displayName) has "TemporaryAccessPass"
| extend TargetUpn = tostring(TargetResources[0].userPrincipalName)
| extend TargetId = tostring(TargetResources[0].id)
| extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorApp = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(ActorUpn), ActorUpn, ActorApp)
| extend ActorIp = iff(
    isnotempty(tostring(InitiatedBy.user.ipAddress)),
    tostring(InitiatedBy.user.ipAddress),
    tostring(InitiatedBy.app.ipAddress))
| extend AccountName = iff(TargetUpn has "@", tostring(split(TargetUpn, "@")[0]), TargetUpn)
| extend AccountUPNSuffix = iff(TargetUpn has "@", tostring(split(TargetUpn, "@")[1]), "")
| project
    TimeGenerated,
    TargetUpn,
    AccountName,
    AccountUPNSuffix,
    TargetId,
    Actor,
    ActorIp,
    OperationName,
    CorrelationId
| sort by TimeGenerated desc
```
```yaml
id: a9d39b89-25ed-4233-a825-9640ec77d83d
name: Temporary Access Pass created for user account
description: |
  Identifies Temporary Access Pass creations in Entra ID. A TAP allows passwordless
  authentication and bypasses existing credential requirements. Creation outside a
  managed onboarding process may indicate an attacker registering a TAP for account
  takeover.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - Persistence
  - CredentialAccess
relevantTechniques:
  - T1556.006
  - T1098
query: |
  let timeframe = 1d;
  AuditLogs
  | where TimeGenerated >= ago(timeframe)
  | where Category =~ "UserManagement"
  | where OperationName in~ (
      "Admin registered security info",
      "Create Temporary Access Pass method for user",
      "Update user"
  )
  | where Result =~ "success"
  | mv-expand ModProp = TargetResources[0].modifiedProperties
  | where tostring(ModProp.newValue) has "TemporaryAccessPass"
      or tostring(ModProp.displayName) has "TemporaryAccessPass"
  | extend TargetUpn = tostring(TargetResources[0].userPrincipalName)
  | extend TargetId = tostring(TargetResources[0].id)
  | extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
  | extend ActorApp = tostring(InitiatedBy.app.displayName)
  | extend Actor = iff(isnotempty(ActorUpn), ActorUpn, ActorApp)
  | extend ActorIp = iff(
      isnotempty(tostring(InitiatedBy.user.ipAddress)),
      tostring(InitiatedBy.user.ipAddress),
      tostring(InitiatedBy.app.ipAddress))
  | extend AccountName = iff(TargetUpn has "@", tostring(split(TargetUpn, "@")[0]), TargetUpn)
  | extend AccountUPNSuffix = iff(TargetUpn has "@", tostring(split(TargetUpn, "@")[1]), "")
  | project
      TimeGenerated,
      TargetUpn,
      AccountName,
      AccountUPNSuffix,
      TargetId,
      Actor,
      ActorIp,
      OperationName,
      CorrelationId
  | sort by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUpn
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ActorIp
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: descambiado
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure the Microsoft Entra ID (AzureActiveDirectory) data connector that populates this table is enabled |
Benign scenarios and suggested exclusions

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Job for Password Reset Automation | A scheduled job runs nightly to reset passwords for users who have expired credentials and, in some cases, temporarily creates a TAP as part of the reset process. | userPrincipalName contains "reset-job" OR jobName contains "PasswordResetScheduler" |
| Admin Task for Temporary Access for Support Staff | An admin manually creates a TAP for a support technician to access a user's account during troubleshooting, which is part of a standard support process. | userPrincipalName contains "support-team" OR createdBy contains "admin-support" |
| Automated Onboarding for New Contractors | A third-party onboarding tool creates TAPs for new contractors during their initial setup, which is part of a documented onboarding process. | userPrincipalName contains "contractor-" OR toolName contains "OnboardingTool_v2" |
| System Maintenance Task for Service Accounts | A system maintenance script creates a TAP for a service account to perform a critical update or patch, which is part of a documented maintenance routine. | userPrincipalName contains "svc-maintenance" OR taskName contains "PatchServiceAccount" |
| User Self-Service Password Reset | A user initiates a password reset via the Microsoft Entra ID portal, which temporarily creates a TAP as part of the reset flow. | userPrincipalName contains "user-self-service" OR actionType contains "PasswordReset" |
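To see how the KQL query above behaves on concrete AuditLogs records, and how the benign-scenario exclusions can be applied on top of it, here is an added Python re-implementation of the same filtering and projection logic run over a handful of constructed records. This is example code, not part of the page's query or the rule; the record shape (TargetResources, modifiedProperties, InitiatedBy) mirrors the fields the query reads, the sample values (contoso.example UPNs, documentation-range IPs, placeholder object and correlation ids) are constructed, and the actor allow-list in apply_exclusions is an assumption standing in for the page's per-scenario filters. KQL's has is term-based; the case-insensitive substring check here is a close stand-in for this marker.

```python
from datetime import datetime, timedelta, timezone

# Values mirrored from the KQL query on the page (compared case-insensitively, like =~ / in~).
WATCHED_OPERATIONS = {
    "admin registered security info",
    "create temporary access pass method for user",
    "update user",
}
TAP_MARKER = "temporaryaccesspass"

# Fixed "now" so the constructed sample below is reproducible offline.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _record(minutes_ago, operation, result, target_upn, initiated_by, modified_props):
    """Build one constructed AuditLogs-shaped record (sample data, not a real tenant)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "Category": "UserManagement",
        "OperationName": operation,
        "Result": result,
        "TargetResources": [{
            "userPrincipalName": target_upn,
            "id": "objectid-" + target_upn,           # placeholder object id
            "modifiedProperties": modified_props,
        }],
        "InitiatedBy": initiated_by,
        "CorrelationId": "corr-%d" % minutes_ago,     # placeholder correlation id
    }


ADMIN = {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}
ONBOARDING_APP = {"app": {"displayName": "OnboardingTool_v2", "ipAddress": "198.51.100.7"}}
TAP_PROP = [{"displayName": "Included Updated Properties", "newValue": '"TemporaryAccessPass"'}]
TAP_NAMED_PROP = [{"displayName": "TemporaryAccessPass", "newValue": '{"isUsableOnce":true}'}]

SAMPLE_AUDIT_LOGS = [
    # Interactive admin registers a TAP for a user: expected hit, Actor = admin UPN.
    _record(5, "Admin registered security info", "success", "alice@contoso.example", ADMIN, TAP_PROP),
    # App-only principal (no user context): expected hit, Actor falls back to the app name.
    _record(30, "Create Temporary Access Pass method for user", "success", "bob@contoso.example",
            ONBOARDING_APP, TAP_NAMED_PROP),
    # Failed attempt: filtered out by Result =~ "success".
    _record(40, "Admin registered security info", "failure", "carol@contoso.example", ADMIN, TAP_PROP),
    # Ordinary user update with no TAP property: filtered out by the modifiedProperties test.
    _record(50, "Update user", "success", "dave@contoso.example", ADMIN,
            [{"displayName": "Department", "newValue": '"Finance"'}]),
    # Target UPN without "@": AccountName keeps the whole string, suffix is empty.
    _record(70, "Admin registered security info", "success", "svc-maintenance", ADMIN, TAP_NAMED_PROP),
    # Older than the 1d timeframe: filtered out by the ago() window.
    _record(26 * 60, "Admin registered security info", "success", "erin@contoso.example", ADMIN, TAP_PROP),
]


def _mentions_tap(prop):
    """KQL `has` is term-based; a case-insensitive substring check is a close stand-in here."""
    return (TAP_MARKER in str(prop.get("newValue", "")).lower()
            or TAP_MARKER in str(prop.get("displayName", "")).lower())


def detect_tap_creations(records, now=NOW, timeframe=timedelta(days=1)):
    """Python equivalent of the page's KQL: one projected row per TAP-related modified property."""
    hits = []
    for rec in records:
        if rec["TimeGenerated"] < now - timeframe:
            continue
        if rec["Category"].lower() != "usermanagement":
            continue
        if rec["OperationName"].lower() not in WATCHED_OPERATIONS:
            continue
        if rec["Result"].lower() != "success":
            continue
        target = rec["TargetResources"][0]
        user = rec["InitiatedBy"].get("user", {})
        app = rec["InitiatedBy"].get("app", {})
        target_upn = target.get("userPrincipalName", "")
        for prop in target.get("modifiedProperties", []):    # mv-expand ModProp
            if not _mentions_tap(prop):
                continue
            hits.append({
                "TimeGenerated": rec["TimeGenerated"],
                "TargetUpn": target_upn,
                "AccountName": target_upn.split("@")[0] if "@" in target_upn else target_upn,
                "AccountUPNSuffix": target_upn.split("@")[1] if "@" in target_upn else "",
                "TargetId": target.get("id", ""),
                "Actor": user.get("userPrincipalName") or app.get("displayName", ""),
                "ActorIp": user.get("ipAddress") or app.get("ipAddress", ""),
                "OperationName": rec["OperationName"],
                "CorrelationId": rec["CorrelationId"],
            })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


def apply_exclusions(hits, approved_actors):
    """Suppress hits whose Actor is on a documented allow-list (assumed here: the onboarding tool).
    Keying the exclusion on who created the TAP is usually tighter than target-name patterns alone."""
    return [h for h in hits if h["Actor"] not in approved_actors]
```

Running detect_tap_creations(SAMPLE_AUDIT_LOGS) yields three rows (alice, bob, svc-maintenance, newest first); the failed, non-TAP and out-of-window records drop out exactly where the corresponding KQL where clauses would remove them, and apply_exclusions(hits, {"OnboardingTool_v2"}) then removes the app-initiated onboarding row while keeping the interactive admin ones for review.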