AZT501.1 - Account Manipulation: User Account Manipulation

An adverary may manipulate a user account to maintain access in an Azure tenant

Resource

Azure Active Directory

Actions

• microsoft.directory/users/password/update
• microsoft.directory/users/enable
• microsoft.directory/users/restore

Examples

Az PowerShellAzure CLIMicrosoft Graph APIAzure Portal

Update-AzADUser

az ad user update

PATCH https://graph.microsoft.com/v1.0/users/{id}

Detections

Logs

Data Source	Operation Name	Action	Log Location
Azure Active Directory	Reset password	microsoft.directory/users/password/update	AzureAD Audit Logs
Azure Active Directory	Enable account	microsoft.directory/users/enable	AzureAD Audit Logs
Azure Active Directory	Update user	microsoft.directory/users/password/update	AzureAD Audit Logs

Queries

Log Analytics

AuditLogs 
|where OperationName =="Reset password" or OperationName =="Enable account" or OperationName =="Update user"

Additional Resources

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal