Entra ID - Self Service Password Reset - Configuration Changes
Entra ID SSPR Configuration Changes
Query
AuditLogs
| where OperationName == "Update SSPR Settings"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
|mv-expand parse_json(TargetResources)[0].modifiedProperties
| extend SSPR_Setting = tostring(TargetResources_0_modifiedProperties.displayName)
| extend newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| extend oldValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.oldValue)))
| project TimeGenerated, SSPR_Setting, oldValue, newValue, Actor, CorrelationIdAbout this query
Explanation
This KQL query is designed to help monitor changes to the Self-Service Password Reset (SSPR) settings in Microsoft Entra ID (formerly Azure Active Directory). It focuses on logging and analyzing any updates made to the SSPR policy configurations. Here's a simple breakdown of what the query does:
-
Data Source: It looks at the
AuditLogstable, which contains records of various operations performed within the system. -
Filter: The query specifically filters for operations where the
OperationNameis "Update SSPR Settings". This means it only considers logs related to changes in the SSPR settings. -
Extract Information:
- It identifies the user who initiated the change (
Actor). - It expands the details of the modified properties to get specific changes made to the SSPR settings.
- It extracts the name of the SSPR setting that was changed (
SSPR_Setting), as well as the old and new values of that setting (oldValueandnewValue).
- It identifies the user who initiated the change (
-
Output: The query projects (or displays) the following information:
TimeGenerated: When the change occurred.SSPR_Setting: The specific setting that was modified.oldValue: The previous configuration value.newValue: The updated configuration value.Actor: The user who made the change.CorrelationId: A unique identifier for the operation, useful for tracking and correlation.
The purpose of this query is to help organizations monitor and audit changes to SSPR settings, ensuring they comply with security policies and mitigate risks associated with misconfigurations.
