AZT501.1 - Account Manipulation: User Account Manipulation

An adversary may manipulate a user account to maintain access in an Azure tenant.

Resource

Azure Active Directory

Actions

  • microsoft.directory/users/password/update
  • microsoft.directory/users/enable
  • microsoft.directory/users/restore

Examples

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Azure Active Directory | Reset password | microsoft.directory/users/password/update | AzureAD Audit Logs |
| Azure Active Directory | Enable account | microsoft.directory/users/enable | AzureAD Audit Logs |
| Azure Active Directory | Update user | microsoft.directory/users/password/update | AzureAD Audit Logs |

Queries

AuditLogs
| where OperationName == "Reset password" or OperationName == "Enable account" or OperationName == "Update user"
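
The query above, extended as an added example (not part of the original page): it keeps only successful events, shows who performed each operation on which account, and marks actor/target pairs that saw more than one of the listed operations. The datatable rows are constructed sample data, and the Actor, Target and MultipleOperations column names are choices made for this example; InitiatedBy, TargetResources and Result are standard AuditLogs columns.

```kql
// Constructed sample rows shaped like AuditLogs; all names and values are made up.
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, Result:string,
                                InitiatedBy:dynamic, TargetResources:dynamic)
[
    datetime(2024-01-10 09:00:00), "Reset password", "success",
        dynamic({"user":{"userPrincipalName":"helpdesk@contoso.example"}}),
        dynamic([{"userPrincipalName":"alice@contoso.example"}]),
    datetime(2024-01-10 23:41:00), "Enable account", "success",
        dynamic({"user":{"userPrincipalName":"ops-admin@contoso.example"}}),
        dynamic([{"userPrincipalName":"old-contractor@contoso.example"}]),
    datetime(2024-01-10 23:43:00), "Reset password", "success",
        dynamic({"user":{"userPrincipalName":"ops-admin@contoso.example"}}),
        dynamic([{"userPrincipalName":"old-contractor@contoso.example"}]),
    datetime(2024-01-11 08:15:00), "Update user", "failure",
        dynamic({"app":{"displayName":"Sync Service"}}),
        dynamic([{"userPrincipalName":"bob@contoso.example"}]),
    datetime(2024-01-11 08:20:00), "Add user", "success",
        dynamic({"user":{"userPrincipalName":"helpdesk@contoso.example"}}),
        dynamic([{"userPrincipalName":"carol@contoso.example"}])
];
// Operation names taken from the Logs table on this page.
let WatchedOperations = dynamic(["Reset password", "Enable account", "Update user"]);
SampleAuditLogs   // swap in AuditLogs to run this against a workspace
| where OperationName in (WatchedOperations)
| where Result =~ "success"
// The initiator is either a user or an application; take whichever is populated.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend Target = tostring(TargetResources[0].userPrincipalName)
// One row per actor/target pair with the set of operations performed.
| summarize Operations = make_set(OperationName), Events = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Actor, Target
// Review heuristic (assumption of this example): several watched operations on one account.
| extend MultipleOperations = array_length(Operations) > 1
| order by MultipleOperations desc, LastSeen desc
```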