ROPC Authentication Against Dormant Account
27 ROPC Dormant Account
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
let LegitRopcUsers = dynamic([]);
let Active =
union isfuzzy=true
(SigninLogs
| where TimeGenerated between (ago(14d) .. ago(1h))),
(AADNonInteractiveUserSignInLogs
| where TimeGenerated between (ago(14d) .. ago(1h)))
| where ResultType == 0
| distinct Upn = tolower(UserPrincipalName);
// ROPC sign-ins surface in SigninLogs more than the non-interactive table; correlate both.
let RopcSignIns =
union isfuzzy=true
(SigninLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType),
(AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType);
RopcSignIns
| invoke ExcludeAllowlistedIPs_AADNI()
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| extend Upn = tolower(UserPrincipalName)
| where Upn !in (LegitRopcUsers)
| where Upn !in (Active)
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect suspicious activity involving dormant accounts in an Azure Active Directory environment. Here's a simplified breakdown:
-
Purpose: The query identifies successful sign-ins using the Resource Owner Password Credentials (ROPC) method for accounts that haven't had any successful sign-ins (interactive or non-interactive) in the last 14 days. Dormant accounts are vulnerable to attacks like credential-stuffing and breach-replay, where attackers use leaked passwords to gain unauthorized access.
-
Trigger: The detection is triggered by a successful ROPC sign-in (indicated by
ResultType == 0) for an account that hasn't appeared in sign-in logs in the past 14 days. -
Tuning:
- Known legitimate ROPC applications are excluded from triggering alerts.
- Dormant service or sync accounts that are intentionally inactive can be allowlisted to prevent false positives.
-
Severity and Techniques: The severity of this detection is marked as high, and it maps to MITRE ATT&CK techniques T1078 (Valid Accounts) and T1110 (Brute Force).
-
Data Sources: The query uses data from Azure Active Directory's
SigninLogsandAADNonInteractiveUserSignInLogs. -
Query Logic:
- It first identifies accounts with successful sign-ins in the last 14 days to filter out active accounts.
- It then checks for recent ROPC sign-ins within the last hour.
- It excludes sign-ins from known legitimate applications and allowlisted users.
- It identifies dormant accounts that have suddenly had a successful ROPC sign-in.
-
Output: The query summarizes the findings by user, showing the number of sign-ins, associated IP addresses, countries, and applications involved. It orders results by the number of sign-ins, highlighting potentially compromised accounts.
-
Alerting: If a dormant account is detected with a successful ROPC sign-in, an alert is generated with details about the account and the suspicious activity. This can trigger the creation of an incident for further investigation.
Overall, this query helps security teams identify and respond to potential unauthorized access attempts on dormant accounts, which could indicate a security breach.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 14d