Blocked attempts of self-service password reset (SSPR) by user
Blocking SSPR Attempts
Query
// Get events of SSPR blocked activities within the number of days (timeframe)
let timeRange = 1d;
AuditLogs
| where TimeGenerated >= ago(timeRange)
| where LoggedByService == "Self-service Password Management"
| where OperationName has "blocked" or ResultReason has "blocked"
| mv-expand TargetResources
| mv-expand InitiatedBy
| extend TargetUserPrincipalName = tostring(TargetResources.userPrincipalName)
| extend ActorUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorIPAddress = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, ActorUserPrincipalName, TargetUserPrincipalName, ActorIPAddress, OperationName, ResultReasonExplanation
This query is designed to detect and alert on attempts to reset passwords using Azure Active Directory's Self-Service Password Reset (SSPR) feature that are blocked or throttled. Here's a simple breakdown of what it does:
-
Purpose: It identifies when users' attempts to reset their passwords are blocked by Azure AD SSPR. This could indicate potential malicious activity, such as someone trying to guess security questions or use stolen information.
-
Severity: The alert is classified as "Medium" severity, suggesting a moderate level of concern.
-
Data Source: It uses data from Azure Active Directory's AuditLogs.
-
Frequency: The query runs once a day and looks back over the past day for relevant events.
-
Detection Logic:
- It filters logs to find events related to "Self-service Password Management" where operations or results are marked as "blocked."
- It extracts details about the user attempting the reset, the target user, and the IP address from which the attempt was made.
- It projects these details for further analysis.
-
Tactics and Techniques: The query is associated with tactics like "Initial Access" and "Credential Access," and techniques such as "T1078" (Valid Accounts) and "T1110" (Brute Force).
-
Incident Creation: If any blocked attempts are found, an incident is created. The system groups related events into a single alert to avoid alert fatigue.
-
Version and Configuration: The query is version 1.1.0 and is scheduled to run automatically.
In summary, this query helps in identifying and alerting on potentially malicious attempts to reset passwords using Azure AD's self-service feature, which could be part of a broader attack strategy.
Details

Thomas Naunheim
Released: January 31, 2025
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1d
Period: 1d