Registration Of TAP By Admin After Successful Strong Authentication From User
Query
let logonDiff = 4h;
AuditLogs
| where LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user"
| extend TAPInitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend TAPInitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend TAPTargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TAPTargetId = tostring(TargetResources[0].id)
| project TAPGeneratedTime = TimeGenerated, UserPrincipalName = TAPTargetUpn, TAPInitiatingUserOrApp, TAPInitiatingIpAddress
| join kind= inner (
SigninLogs
| where ResultType == "0"
| where AuthenticationRequirement == "multiFactorAuthentication" or AuthenticationDetails contains "Windows Hello" or AuthenticationMethodsUsed contains "FIDO2"
| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress
) on UserPrincipalName
| where TAPGeneratedTime > SuccessLogonTime and TAPGeneratedTime - SuccessLogonTime <= logonDiff
| summarize TAPGeneratedTime = max(TAPGeneratedTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, TAPInitiatingUserOrApp
| extend timestamp = TAPGeneratedTime, AccountCustomEntity = TAPInitiatingUserOrAppExplanation
This query is designed to identify suspicious activity where a privileged user registers a temporary access pass (TAP) for a user after the user has successfully completed multi-factor authentication. The query looks for logs in Azure Active Directory that indicate an admin registered a TAP for a user, and then joins those logs with sign-in logs to verify that the user had successfully completed multi-factor authentication within a specific time window. The query summarizes the relevant information and maps it to the "Account" entity type. The query is scheduled to run daily.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
AuditLogsSigninLogs
Keywords
Keywords: RegistrationTAPAdminStrong AuthenticationUserPrivileged UserMultiFactorAuthenticationSecurity KeySuspicious ActivityAzureActiveDirectorySigninLogsAuditLogsAuthentication MethodsResultDescriptionInitiatedByTargetResourcesTimeGeneratedUserPrincipalNameIPAddressResultTypeAuthenticationRequirementAuthenticationDetailsAuthenticationMethodsUsedSuccessLogonTimeSuccessIPAddresslogonDifftimestampAccountCustomEntityentityTypefieldMappingsFullNameScheduled
Operators
letwhereextendiffisnotemptytostringprojectjoinonsummarizemax
Severity
MediumTactics
CredentialAccessInitialAccess
Frequency: 1d
Period: 1d