ROPC Authentication Against Privileged User
25 ROPC Privileged User
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
let PrivUsers =
IdentityInfo
| where TimeGenerated > ago(14d)
| where isnotempty(AssignedRoles)
| summarize arg_max(TimeGenerated, AssignedRoles) by AccountUPN
| extend Upn = tolower(AccountUPN)
| project Upn, AssignedRoles;
// Privileged ROPC is rare and high-signal; correlate both sign-in tables.
let RopcSignIns =
union isfuzzy=true
(SigninLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType),
(AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType);
RopcSignIns
| invoke ExcludeAllowlistedIPs_AADNI()
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| extend Upn = tolower(UserPrincipalName)
| join kind=inner PrivUsers on Upn
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
Roles = any(AssignedRoles),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect potentially suspicious sign-ins by privileged users in an organization's Azure Active Directory (AAD). Here's a simplified breakdown:
-
Purpose: The query identifies successful sign-ins using the Resource Owner Password Credentials (ROPC) method by users with privileged roles, such as Global Administrators or Security Administrators. These roles should typically use more secure authentication methods that include Multi-Factor Authentication (MFA).
-
Data Sources: It uses data from two main sources:
- SigninLogs: Logs of sign-in activities.
- AADNonInteractiveUserSignInLogs: Logs of non-interactive user sign-ins.
-
Detection Logic:
- The query looks for successful ROPC sign-ins (where
ResultType == 0indicates success) within the last hour. - It filters out known legitimate applications that use ROPC to avoid false positives.
- It checks if the user involved in the sign-in has been assigned any privileged roles in the last 14 days.
- The query looks for successful ROPC sign-ins (where
-
Alerting:
- If a match is found, it generates an alert indicating a possible account takeover.
- The alert includes details such as the number of sign-ins, IP addresses, countries, applications used, and roles assigned to the user.
-
Severity and Response:
- The severity of the alert is set to high, as ROPC sign-ins by privileged users can bypass MFA and are considered a significant security risk.
- The alert suggests treating the incident as a suspected account takeover until proven otherwise.
-
Additional Features:
- The query supports incident grouping based on user accounts to manage related alerts efficiently.
- It uses a list of known legitimate ROPC applications to reduce false positives.
Overall, this query helps security teams monitor and respond to potentially unauthorized access attempts by privileged users in their Azure environment.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 14d