ROPC Authentication Detected - Credential Pass-Through Bypass
06 ROPC Authentication Detected
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
let LegitRopcUsers = dynamic([]);
// ROPC surfaces in SigninLogs more often than the non-interactive table; correlate both.
// MinSuccessfulSignIns filters the trickle of legit/legacy ROPC; lower to 1 for max sensitivity.
let MinSuccessfulSignIns = 3;
let RopcSignIns =
union isfuzzy=true
(SigninLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType),
(AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType);
RopcSignIns
| invoke ExcludeAllowlistedIPs_AADNI()
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| where tolower(UserPrincipalName) !in~ (LegitRopcUsers)
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| where Count >= MinSuccessfulSignIns
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect potentially risky authentication activities using the Resource Owner Password Credential (ROPC) grant flow in Azure Active Directory. Here's a simple breakdown:
-
Purpose: The query identifies successful ROPC sign-ins, which bypass Multi-Factor Authentication (MFA) and Conditional Access policies. This can indicate either a misconfigured legacy application or an attacker using stolen credentials.
-
Data Sources: It analyzes data from two sources:
SigninLogs(for interactive sign-ins) andAADNonInteractiveUserSignInLogs(for non-interactive sign-ins). -
Filtering:
- It focuses on successful ROPC sign-ins (
ResultType == 0). - It excludes known legitimate applications and users from the analysis using predefined allowlists (
LegitRopcAppsandLegitRopcUsers). - It removes sign-ins from allowlisted IP addresses.
- It focuses on successful ROPC sign-ins (
-
Threshold: The query alerts only if there are three or more successful ROPC sign-ins from the same user within the last hour, which helps filter out occasional legitimate uses.
-
Output: The query summarizes the results by user, showing the number of sign-ins, associated IP addresses, countries, and applications involved. It orders the results by the number of sign-ins.
-
Alerting: If the conditions are met, an alert is generated with details about the user and the nature of the sign-ins, highlighting the potential risk of MFA bypass.
-
Incident Management: The query is configured to create incidents for further investigation, grouping alerts by user account to manage related events efficiently.
Overall, this query helps security teams monitor and respond to suspicious ROPC authentication activities that could indicate security threats.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h