Entra ID Temporary Access Pass Created for User
Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP is a time-limited passcode that allows passwordless authentication and bypasses existing MFA requirements, including phishing-resistant methods. An attacker with User Administrator or Authentication Administrator privileges can issue a TAP for a target account, sign in without the current password, and register new persistent authentication methods before the TAP expires.
Rule type: query
Rule indices:
- logs-azure.auditlogs-*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: Identity
- Data Source: Azure
- Data Source: Microsoft Entra ID
- Data Source: Microsoft Entra ID Audit Logs
- Use Case: Identity and Access Audit
- Tactic: Initial Access
- Tactic: Lateral Movement
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
- descambiado
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Entra ID Temporary Access Pass Created for User
A Temporary Access Pass is a time-limited credential that bypasses all existing MFA factors for the target account. In a steady-state tenant, TAP creation is rare and should be correlated against help desk records or onboarding workflows.
Possible investigation steps
- Identify the administrator who created the TAP (azure.auditlogs.properties.initiated_by) and verify whether the action was authorized by a help desk ticket or change management record.
- Identify the target account and assess its privilege level — TAPs issued for Global Administrators, Application Administrators, or accounts with high-value data access are highest risk.
- Check for sign-ins by the target account using the TAP credential: look for sign-ins where azure.signinlogs.properties.authentication_details contains "Temporary Access Pass" shortly after the TAP creation event.
- If the TAP was used to sign in, review what authentication methods were registered during or after the session — an attacker will use the TAP window to add a persistent authenticator.
- Check whether the creating administrator’s account shows anomalous activity in the preceding 24 hours.
False positive analysis
- TAP creation by your identity team for locked-out users is a legitimate workflow. Confirm via help desk ticket correlation.
- New employee onboarding that provisions TAPs as part of passwordless enrollment is expected behavior.
Response and remediation
- Revoke the TAP immediately if unauthorized: Entra ID > Users > Authentication methods.
- Audit all authentication methods registered by the target account after TAP creation and remove any that were not previously present.
- Reset the target account’s password and revoke all active sessions.
- Review the creating administrator’s recent actions for signs of compromise.
Rule query
data_stream.dataset: "azure.auditlogs" and
(
(
azure.auditlogs.operation_name: "User registered security info" and
azure.auditlogs.properties.result_reason: "User registered temporary access pass method"
) or (
azure.auditlogs.operation_name: "Create Temporary Access Pass method for user"
) or (
azure.auditlogs.operation_name: "Admin registered security info" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*
)
) and
event.outcome: ("Success" or "success")
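To make the three OR branches of the query and the triage steps above concrete, the following added example (written for this page, not part of Elastic's rule or the Azure integration) re-implements the rule's match logic in plain Python over constructed audit-log documents, then performs the correlation the investigation guide describes: for each TAP creation, who issued it, which sign-ins by the target used the TAP, and which other authentication methods the target registered inside a follow-up window. Field paths are taken from the query; the nested layout of initiated_by, target_resources, user.name and authentication_details is an assumption about the ECS-mapped documents, and every log record is a constructed sample.

```python
# Added example, not Elastic's rule code. Re-implements the rule query's three
# branches and the triage correlation (TAP creation -> sign-in with the TAP ->
# methods registered afterwards). The nested document layout below is an
# assumption about ECS-mapped Entra ID logs; all records are constructed samples.
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

TAP_CREATED = "Create Temporary Access Pass method for user"
USER_REGISTERED = "User registered security info"
ADMIN_REGISTERED = "Admin registered security info"
TAP_REASON = "User registered temporary access pass method"


def _get(doc, dotted, default=None):
    """Walk a dotted field path through nested dicts."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _modified_display_names(doc):
    """Flatten target_resources.*.modified_properties.*.display_name."""
    return [p.get("display_name", "")
            for r in _get(doc, "azure.auditlogs.properties.target_resources", [])
            for p in r.get("modified_properties", [])]


def matches_tap_rule(doc):
    """True when the document satisfies the dataset/outcome filters and any OR branch."""
    if _get(doc, "data_stream.dataset") != "azure.auditlogs":
        return False
    if _get(doc, "event.outcome") not in ("Success", "success"):
        return False
    op = _get(doc, "azure.auditlogs.operation_name")
    reason = _get(doc, "azure.auditlogs.properties.result_reason")
    return ((op == USER_REGISTERED and reason == TAP_REASON)
            or op == TAP_CREATED
            or (op == ADMIN_REGISTERED and any(
                fnmatchcase(n, "*TemporaryAccessPass*") for n in _modified_display_names(doc))))


def _ts(doc):
    return datetime.fromisoformat(doc["@timestamp"])


def _used_tap(signin):
    """Assumed layout: authentication_details is a list of per-step objects."""
    steps = _get(signin, "azure.signinlogs.properties.authentication_details", [])
    return any("Temporary Access Pass" in str(s.get("authentication_method", "")) for s in steps)


def correlate_tap_usage(audit_docs, signin_docs, window=timedelta(hours=24)):
    """For every rule hit: who issued the TAP, how many target sign-ins used it,
    and which non-TAP methods the target registered inside the window."""
    findings = []
    for evt in audit_docs:
        if not matches_tap_rule(evt):
            continue
        t0, t1 = _ts(evt), _ts(evt) + window
        target = _get(evt, "azure.auditlogs.properties.target_resources")[0]["user_principal_name"]
        admin = _get(evt, "azure.auditlogs.properties.initiated_by.user.userPrincipalName")
        tap_signins = [s for s in signin_docs
                       if _get(s, "user.name") == target and t0 <= _ts(s) <= t1 and _used_tap(s)]
        new_methods = [_get(d, "azure.auditlogs.properties.result_reason") for d in audit_docs
                       if _get(d, "azure.auditlogs.operation_name") == USER_REGISTERED
                       and not matches_tap_rule(d) and t0 < _ts(d) <= t1
                       and _get(d, "azure.auditlogs.properties.target_resources")[0]["user_principal_name"] == target]
        findings.append({"target": target, "created_by": admin, "created_at": evt["@timestamp"],
                         "tap_signins": len(tap_signins), "methods_registered_after": new_methods})
    return findings


# ---- constructed sample documents (hypothetical tenant, example.com) ----------
def audit(ts, op, target, admin="helpdesk-admin@example.com", outcome="success",
          reason=None, modified=None):
    return {"@timestamp": ts, "data_stream": {"dataset": "azure.auditlogs"},
            "event": {"outcome": outcome},
            "azure": {"auditlogs": {"operation_name": op, "properties": {
                "result_reason": reason,
                "initiated_by": {"user": {"userPrincipalName": admin}},
                "target_resources": [{"user_principal_name": target,
                                      "modified_properties": modified or []}]}}}}


def signin(ts, user, method):
    return {"@timestamp": ts, "user": {"name": user},
            "azure": {"signinlogs": {"properties": {
                "authentication_details": [{"authentication_method": method, "succeeded": True}]}}}}


AUDIT_LOGS = [
    audit("2024-05-01T09:00:00+00:00", TAP_CREATED, "alice@example.com"),
    audit("2024-05-01T09:01:00+00:00", TAP_CREATED, "dave@example.com", outcome="failure"),
    audit("2024-05-01T09:20:00+00:00", USER_REGISTERED, "alice@example.com",
          admin="alice@example.com", reason="User registered FIDO2 security key method"),
    audit("2024-05-01T10:00:00+00:00", ADMIN_REGISTERED, "bob@example.com",
          modified=[{"display_name": "TemporaryAccessPass", "new_value": "[REDACTED]"}]),
]
SIGNIN_LOGS = [
    signin("2024-05-01T09:05:00+00:00", "alice@example.com", "Temporary Access Pass"),
    signin("2024-05-01T09:30:00+00:00", "alice@example.com", "FIDO2 security key"),
    signin("2024-05-01T08:00:00+00:00", "bob@example.com", "Password"),
]

if __name__ == "__main__":
    for finding in correlate_tap_usage(AUDIT_LOGS, SIGNIN_LOGS):
        print(finding)
```

Running it yields two findings: the alice record (one sign-in with the TAP five minutes after creation, then a FIDO2 key registered, which is exactly the persistence pattern the triage steps warn about) and the bob record from the "Admin registered security info" branch with no follow-on activity. The failed creation for dave is dropped by the event.outcome filter, matching the rule.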
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
- Sub-technique:
  - Name: Cloud Accounts
  - ID: T1078.004
  - Reference URL: https://attack.mitre.org/techniques/T1078/004/
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Use Alternate Authentication Material
  - ID: T1550
  - Reference URL: https://attack.mitre.org/techniques/T1550/