« Entra ID Sign-in TeamFiltration User-Agent Detected Entra ID Unusual Cloud Device Registration »
Elastic Docs Elastic Security [8.19] Detections and alerts Prebuilt rule reference

Entra ID Temporary Access Pass Created for User

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Entra ID Temporary Access Pass Created for User

edit

Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP is a time-limited passcode that allows passwordless authentication and bypasses existing MFA requirements, including phishing-resistant methods. An attacker with User Administrator or Authentication Administrator privileges can issue a TAP for a target account, sign in without the current password, and register new persistent authentication methods before the TAP expires.

Rule type: query

Rule indices:

  • logs-azure.auditlogs-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: Azure
  • Data Source: Microsoft Entra ID
  • Data Source: Microsoft Entra ID Audit Logs
  • Use Case: Identity and Access Audit
  • Tactic: Initial Access
  • Tactic: Lateral Movement
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic
  • descambiado

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Entra ID Temporary Access Pass Created for User

A Temporary Access Pass is a time-limited credential that bypasses all existing MFA factors for the target account. In a steady-state tenant, TAP creation is rare and should be correlated against help desk records or onboarding workflows.

Possible investigation steps

  • Identify the administrator who created the TAP (azure.auditlogs.properties.initiated_by) and verify whether the action was authorized by a help desk ticket or change management record.
  • Identify the target account and assess its privilege level — TAPs issued for Global Administrators, Application Administrators, or accounts with high-value data access are highest risk.
  • Check for sign-ins by the target account using the TAP credential: look for sign-ins where azure.signinlogs.properties.authentication_details contains "Temporary Access Pass" shortly after the TAP creation event.
  • If the TAP was used to sign in, review what authentication methods were registered during or after the session — an attacker will use the TAP window to add a persistent authenticator.
  • Check whether the creating administrator’s account shows anomalous activity in the preceding 24 hours.

False positive analysis

  • TAP creation by your identity team for locked-out users is a legitimate workflow. Confirm via help desk ticket correlation.
  • New employee onboarding that provisions TAPs as part of passwordless enrollment is expected behavior.

Response and remediation

  • Revoke the TAP immediately if unauthorized: Entra ID > Users > Authentication methods.
  • Audit all authentication methods registered by the target account after TAP creation and remove any that were not previously present.
  • Reset the target account’s password and revoke all active sessions.
  • Review the creating administrator’s recent actions for signs of compromise.

Rule query

edit
data_stream.dataset: "azure.auditlogs" and
(
    (
        azure.auditlogs.operation_name: "User registered security info" and
        azure.auditlogs.properties.result_reason: "User registered temporary access pass method"
    ) or (
        azure.auditlogs.operation_name: "Create Temporary Access Pass method for user"
    ) or (
        azure.auditlogs.operation_name: "Admin registered security info" and
        azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*
    )
) and
event.outcome: ("Success" or "success")

Framework: MITRE ATT&CKTM

« Entra ID Sign-in TeamFiltration User-Agent Detected Entra ID Unusual Cloud Device Registration »