Entra ID Temporary Access Pass Created for User

Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP is a time-limited passcode that allows passwordless authentication and bypasses existing MFA requirements, including phishing-resistant methods. An attacker with User Administrator or Authentication Administrator privileges can issue a TAP for a target account, sign in without the current password, and register new persistent authentication methods before the TAP expires.

Elastic rule

[metadata]
creation_date = "2026/05/20"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/05"

[rule]
author = ["Elastic", "descambiado"]
description = """
Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP
is a time-limited passcode that allows passwordless authentication and bypasses existing MFA
requirements, including phishing-resistant methods. An attacker with User Administrator or
Authentication Administrator privileges can issue a TAP for a target account, sign in without
the current password, and register new persistent authentication methods before the TAP expires.
"""
false_positives = [
    """
    Help desk teams issuing TAPs for locked-out users or new employee onboarding workflows. Automated
    identity lifecycle systems that provision TAPs during device enrollment.
    """,
]
from = "now-9m"
index = ["logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Temporary Access Pass Created for User"
note = """## Triage and analysis

### Investigating Entra ID Temporary Access Pass Created for User

A Temporary Access Pass is a time-limited credential that bypasses all existing MFA factors for the
target account. In a steady-state tenant, TAP creation is rare and should be correlated against help
desk records or onboarding workflows.

#### Possible investigation steps

- Identify the administrator who created the TAP (`azure.auditlogs.properties.initiated_by`) and verify
  whether the action was authorized by a help desk ticket or change management record.
- Identify the target account and assess its privilege level -- TAPs issued for Global Administrators,
  Application Administrators, or accounts with high-value data access are highest risk.
- Check for sign-ins by the target account using the TAP credential: look for sign-ins where
  `azure.signinlogs.properties.authentication_details` contains "Temporary Access Pass" shortly after
  the TAP creation event.
- If the TAP was used to sign in, review what authentication methods were registered during or after
  the session -- an attacker will use the TAP window to add a persistent authenticator.
- Check whether the creating administrator's account shows anomalous activity in the preceding 24 hours.

### False positive analysis

- TAP creation by your identity team for locked-out users is a legitimate workflow. Confirm via help
  desk ticket correlation.
- New employee onboarding that provisions TAPs as part of passwordless enrollment is expected behavior.

### Response and remediation

- Revoke the TAP immediately if unauthorized: Entra ID > Users > Authentication methods.
- Audit all authentication methods registered by the target account after TAP creation and remove any
  that were not previously present.
- Reset the target account's password and revoke all active sessions.
- Review the creating administrator's recent actions for signs of compromise.
"""
references = [
    "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass",
    "https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/",
    "https://specterops.io/blog/2023/03/29/id-tap-that-pass/",
]
risk_score = 73
rule_id = "d0088204-675b-4175-bf07-1665da2d4810"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "azure.auditlogs" and
(
    (
        azure.auditlogs.operation_name: "User registered security info" and
        azure.auditlogs.properties.result_reason: "User registered temporary access pass method"
    ) or (
        azure.auditlogs.operation_name: "Create Temporary Access Pass method for user"
    ) or (
        azure.auditlogs.operation_name: "Admin registered security info" and
        azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*
    )
) and
event.outcome: ("Success" or "success")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

Triage and analysis

Investigating Entra ID Temporary Access Pass Created for User

A Temporary Access Pass is a time-limited credential that bypasses all existing MFA factors for the target account. In a steady-state tenant, TAP creation is rare and should be correlated against help desk records or onboarding workflows.

Possible investigation steps

  • Identify the administrator who created the TAP (azure.auditlogs.properties.initiated_by) and verify whether the action was authorized by a help desk ticket or change management record.
  • Identify the target account and assess its privilege level -- TAPs issued for Global Administrators, Application Administrators, or accounts with high-value data access are highest risk.
  • Check for sign-ins by the target account using the TAP credential: look for sign-ins where azure.signinlogs.properties.authentication_details contains "Temporary Access Pass" shortly after the TAP creation event.
  • If the TAP was used to sign in, review what authentication methods were registered during or after the session -- an attacker will use the TAP window to add a persistent authenticator.
  • Check whether the creating administrator's account shows anomalous activity in the preceding 24 hours.

False positive analysis

  • TAP creation by your identity team for locked-out users is a legitimate workflow. Confirm via help desk ticket correlation.
  • New employee onboarding that provisions TAPs as part of passwordless enrollment is expected behavior.

Response and remediation

  • Revoke the TAP immediately if unauthorized: Entra ID > Users > Authentication methods.
  • Audit all authentication methods registered by the target account after TAP creation and remove any that were not previously present.
  • Reset the target account's password and revoke all active sessions.
  • Review the creating administrator's recent actions for signs of compromise.
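The rule's three match conditions and the triage step that looks for a TAP sign-in shortly after the creation event, as an added Python example that is not part of the Elastic rule. It runs over flattened (dotted-key) documents; the target-user field path (TARGET_UPN) and the authentication_details shape are assumptions about the Elastic azure integration's mapping, and every event below is constructed.

```python
from datetime import datetime, timedelta

# Field paths assumed from the Elastic azure integration (TARGET_UPN is the least certain).
TARGET_UPN = "azure.auditlogs.properties.target_resources.0.user_principal_name"
SIGNIN_UPN = "azure.signinlogs.properties.user_principal_name"
AUTH_DETAILS = "azure.signinlogs.properties.authentication_details"

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def matches_tap_rule(doc):
    """Same conditions as the rule's KQL query, over a flattened (dotted-key) document."""
    if doc.get("data_stream.dataset") != "azure.auditlogs":
        return False
    if doc.get("event.outcome", "").lower() != "success":
        return False
    op = doc.get("azure.auditlogs.operation_name")
    reason = doc.get("azure.auditlogs.properties.result_reason")
    # target_resources.*.modified_properties.*.display_name, flattened to one list here
    names = doc.get("modified_property_display_names", [])
    return ((op == "User registered security info"
             and reason == "User registered temporary access pass method")
            or op == "Create Temporary Access Pass method for user"
            or (op == "Admin registered security info"
                and any("TemporaryAccessPass" in n for n in names)))

def correlate_tap_signins(audits, signins, window=timedelta(hours=1)):
    """Per rule hit: did the target sign in with the TAP inside the window? (triage step)"""
    hits = []
    for a in filter(matches_tap_rule, audits):
        target, created = a.get(TARGET_UPN), _ts(a["@timestamp"])
        used = any(s.get(SIGNIN_UPN) == target
                   and any("Temporary Access Pass" in d.get("authentication_method", "")
                           for d in s.get(AUTH_DETAILS, []))
                   and created <= _ts(s["@timestamp"]) <= created + window
                   for s in signins)
        hits.append({"admin": a.get("azure.auditlogs.properties.initiated_by"),
                     "target": target, "tap_used": used})
    return hits

def audit(ts, op, target, outcome="success", names=()):  # builds a constructed sample event
    return {"@timestamp": ts, "data_stream.dataset": "azure.auditlogs", "event.outcome": outcome,
            "azure.auditlogs.operation_name": op, TARGET_UPN: target,
            "azure.auditlogs.properties.initiated_by": "helpdesk@example.com",
            "modified_property_display_names": list(names)}
AUDITS = [audit("2026-06-01T09:00:00Z", "Create Temporary Access Pass method for user", "ceo@example.com"),
          audit("2026-06-01T09:05:00Z", "Admin registered security info", "dev@example.com", names=["TemporaryAccessPass"]),
          audit("2026-06-01T09:10:00Z", "Create Temporary Access Pass method for user", "cfo@example.com", outcome="failure")]
SIGNINS = [{"@timestamp": "2026-06-01T09:12:00Z", SIGNIN_UPN: "ceo@example.com",
            AUTH_DETAILS: [{"authentication_method": "Temporary Access Pass"}]}]
```

`correlate_tap_signins(AUDITS, SIGNINS)` flags the ceo@example.com TAP as used and the dev@example.com one as not yet used, and drops the failed creation entirely.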
