Comprehensive Guide to Investigating and Mitigating an Azure User Account Compromise - ToddMaxey/Technical-Documentation GitHub Wiki
A compromised Azure user account presents a severe security risk, as attackers may persist via refresh tokens, OAuth applications, inbox forwarding rules, or privileged role assignments. Simply resetting a password is insufficient unless proper revocation, investigation, and remediation steps are taken.
This guide provides a methodology to detect, analyze, and eliminate attacker persistence while ensuring the affected user(s) can securely regain control. It is structured to cover:
- Hunting compromised user accounts using Azure logs
- Single-user account compromise response
- Multi-user compromise response (organization-wide remediation)
- Azure-only vs. Hybrid Azure AD + On-Premises AD considerations
- Handling environments with and without Self-Service Password Reset (SSPR)
- A fully automated PowerShell script to execute the remediation process
Before remediation, it's critical to determine the full scope of compromise by leveraging Azure Sign-in Logs, Azure Audit Logs, and the Unified Audit Log (UAL) via the Microsoft Defender Portal.
Use the following markers to identify malicious activity:
✅ Date/Time of Suspicious Activity – Identify when the first unauthorized login occurred.
✅ IP Address & ASN (Autonomous System Number) – Detect whether logins originated from unusual ISPs or locations.
✅ Geo Location – Identify foreign or impossible travel logins.
✅ Operating System & Device Information – Check if the attacker used a different OS/device than the legitimate user.
✅ SessionID & Token Persistence – Identify and revoke suspicious sessions.
✅ Unusual App & OAuth Activity – Check for unauthorized consent to third-party applications.
Azure AD Sign-In Logs contain rich forensic data that can help pinpoint a compromise.
- Navigate to the Microsoft Defender Portal
- Go to Audit > Search
- Use the following query filters:
  - "User: [email protected]"
  - "Operation: UserLoggedIn"
  - "IP Address: <suspicious_ip>"
  - "Device Information: Not matching known devices"
- Export results as CSV and analyze in Excel using filters:
  - Filter login timestamps in Excel
  - Identify logins from two distant locations within an impossible timeframe
  - Identify logins from known malicious ASN ranges
  - Flag logins from AWS, Azure, DigitalOcean, or unknown ISP providers
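The Excel filtering described above can be scripted so the same checks run identically on every export. The following is an added example, not code from the wiki; it reads an exported sign-in CSV (the column names `UserPrincipalName`, `CreatedDateTime`, `IPAddress`, `Latitude`, `Longitude` and `ASN` are assumptions and should be adjusted to match the real export), computes great-circle distance between consecutive sign-ins to flag impossible travel, and flags sign-ins from a short, illustrative list of hosting-provider ASNs. When no CSV is present it falls back to constructed sample rows so it runs stand-alone.

```powershell
# Added example (not from the wiki): triage an exported sign-in CSV for impossible travel
# and for logins originating from cloud/hosting-provider ASNs.
$CsvPath = '.\signins.csv'   # assumption: path to the CSV exported from the portal

# Constructed sample rows used when no CSV exists, so the script runs offline.
$sampleCsv = @"
UserPrincipalName,CreatedDateTime,IPAddress,City,Country,Latitude,Longitude,ASN,OperatingSystem
user@contoso.example,2024-05-01T08:00:00Z,203.0.113.10,Seattle,US,47.61,-122.33,AS7922,Windows 10
user@contoso.example,2024-05-01T08:45:00Z,198.51.100.22,Lagos,NG,6.52,3.38,AS16509,Linux
user@contoso.example,2024-05-01T15:00:00Z,203.0.113.10,Seattle,US,47.61,-122.33,AS7922,Windows 10
"@
$rows = if (Test-Path $CsvPath) { Import-Csv $CsvPath } else { $sampleCsv | ConvertFrom-Csv }

# Illustrative hosting-provider ASNs (Amazon, Amazon, Microsoft, DigitalOcean); extend for your tenant.
$hostingAsns = @('AS16509', 'AS14618', 'AS8075', 'AS14061')
$maxSpeedKmh = 900   # faster than an airliner between two sign-ins is treated as impossible travel

function Get-DistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance between two coordinates
    $r = 6371.0
    $dLat = ($Lat2 - $Lat1) * [Math]::PI / 180
    $dLon = ($Lon2 - $Lon1) * [Math]::PI / 180
    $a = [Math]::Sin($dLat / 2) * [Math]::Sin($dLat / 2) +
         [Math]::Cos($Lat1 * [Math]::PI / 180) * [Math]::Cos($Lat2 * [Math]::PI / 180) *
         [Math]::Sin($dLon / 2) * [Math]::Sin($dLon / 2)
    return 2 * $r * [Math]::Asin([Math]::Sqrt($a))
}

function Find-SuspiciousSignIn {
    param([object[]]$Rows, [string[]]$HostingAsns, [double]$MaxSpeedKmh)
    foreach ($group in ($Rows | Group-Object UserPrincipalName)) {
        $ordered = @($group.Group | Sort-Object { [datetime]$_.CreatedDateTime })
        # Compare each sign-in with the previous one for the same user
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $curr = $ordered[$i]
            $hours = ([datetime]$curr.CreatedDateTime - [datetime]$prev.CreatedDateTime).TotalHours
            $km = Get-DistanceKm ([double]$prev.Latitude) ([double]$prev.Longitude) ([double]$curr.Latitude) ([double]$curr.Longitude)
            if ($hours -gt 0 -and ($km / $hours) -gt $MaxSpeedKmh) {
                [pscustomobject]@{ User = $group.Name; Finding = 'ImpossibleTravel'; Time = $curr.CreatedDateTime
                                   IP = $curr.IPAddress; Detail = "$([int]$km) km in $([Math]::Round($hours, 2)) h ($($prev.City) -> $($curr.City))" }
            }
        }
        # Any sign-in from a hosting-provider ASN is worth a look regardless of timing
        foreach ($row in $ordered) {
            if ($HostingAsns -contains $row.ASN) {
                [pscustomobject]@{ User = $group.Name; Finding = 'HostingProviderASN'; Time = $row.CreatedDateTime
                                   IP = $row.IPAddress; Detail = "$($row.ASN) $($row.OperatingSystem)" }
            }
        }
    }
}

Find-SuspiciousSignIn -Rows $rows -HostingAsns $hostingAsns -MaxSpeedKmh $maxSpeedKmh |
    Sort-Object Time | Format-Table -AutoSize
```

On the constructed rows the Seattle-to-Lagos pair 45 minutes apart is reported as impossible travel, and the Lagos sign-in is additionally reported for its Amazon ASN; a change of operating system between the two rows is visible in the `Detail` column. Tune `$maxSpeedKmh` and the ASN list to your environment before relying on the output.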
Azure AD Audit Logs capture changes to user accounts, roles, and security policies.
- Search for "Operation: Add member to role"
  - Identify Global Admin or Security Admin additions
- Search for "Operation: Consent to application"
  - Look for unknown applications or unusual API scopes
The Unified Audit Log (UAL) aggregates data from Azure AD, Exchange, SharePoint, Teams, and OneDrive.
- Query "Operation: New-InboxRule"
  - Detect email forwarding to external addresses
- Query "Operation: ResetUserPassword"
  - Identify unauthorized password resets
- Query "Operation: MailboxLogin"
  - Flag logins from unknown locations/IPs
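The three UAL queries above return records whose detail sits in an `AuditData` JSON string, so spotting an external forwarding rule means parsing that JSON rather than reading the top-level columns. The following is an added example, not the wiki's own code: it classifies records for the three operations listed and flags inbox rules whose forward or redirect target is outside the tenant. The record layout follows what `Search-UnifiedAuditLog` returns; the sample records, the tenant domain list and the known-IP list are constructed assumptions.

```powershell
# Added example (not from the wiki): classify UAL records for the operations above and
# flag inbox rules that forward or redirect mail outside the tenant.
$tenantDomains = @('contoso.example')   # assumption: the tenant's accepted domains

# Constructed sample records standing in for live output. For live use (after Connect-ExchangeOnline):
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#       -Operations 'New-InboxRule','ResetUserPassword','MailboxLogin' -ResultSize 5000
$records = @(
    [pscustomobject]@{
        CreationDate = '2024-05-01T08:50:00Z'; UserIds = 'user@contoso.example'; Operations = 'New-InboxRule'
        AuditData = '{"ClientIP":"198.51.100.22","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@mail.example"},{"Name":"DeleteMessage","Value":"True"}]}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-01T09:10:00Z'; UserIds = 'user@contoso.example'; Operations = 'MailboxLogin'
        AuditData = '{"ClientIP":"198.51.100.22","ClientInfoString":"Client=OWA"}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-01T09:30:00Z'; UserIds = 'admin@contoso.example'; Operations = 'ResetUserPassword'
        AuditData = '{"ObjectId":"user@contoso.example","ActorIpAddress":"198.51.100.22"}'
    }
)

function Find-SuspiciousUalRecord {
    param([object[]]$Records, [string[]]$TenantDomains, [string[]]$KnownIPs = @())
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        switch ($r.Operations) {
            'New-InboxRule' {
                # Forward/redirect targets live in the Parameters name/value array
                $targets = $d.Parameters | Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' }
                foreach ($t in $targets) {
                    foreach ($addr in ($t.Value -split ';')) {
                        $domain = (($addr -replace '[\[\]"]', '') -split '@')[-1].Trim()
                        if ($domain -and ($domain -notin $TenantDomains)) {
                            [pscustomobject]@{ Time = $r.CreationDate; User = $r.UserIds; Finding = 'ExternalForwardingRule'
                                               Detail = "$($t.Name) -> $addr from $($d.ClientIP)" }
                        }
                    }
                }
                # A rule that also deletes the message hides the forwarding from the mailbox owner
                $del = $d.Parameters | Where-Object { $_.Name -eq 'DeleteMessage' -and $_.Value -eq 'True' }
                if ($del) {
                    [pscustomobject]@{ Time = $r.CreationDate; User = $r.UserIds; Finding = 'RuleDeletesMessages'; Detail = $d.ClientIP }
                }
            }
            'MailboxLogin' {
                if ($d.ClientIP -and ($d.ClientIP -notin $KnownIPs)) {
                    [pscustomobject]@{ Time = $r.CreationDate; User = $r.UserIds; Finding = 'MailboxLoginUnknownIP'
                                       Detail = "$($d.ClientIP) $($d.ClientInfoString)" }
                }
            }
            'ResetUserPassword' {
                # Every reset is reported; the analyst decides whether the actor and source IP are legitimate
                [pscustomobject]@{ Time = $r.CreationDate; User = $r.UserIds; Finding = 'PasswordReset'
                                   Detail = "target $($d.ObjectId) from $($d.ActorIpAddress)" }
            }
        }
    }
}

Find-SuspiciousUalRecord -Records $records -TenantDomains $tenantDomains -KnownIPs @('203.0.113.10') |
    Sort-Object Time | Format-Table -AutoSize
```

With the constructed records the output shows the same source IP creating a rule that forwards to `mail.example` and deletes the original, logging into the mailbox, and then appearing as the actor of a password reset, which is the sequence the markers earlier in this guide are meant to surface.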
The first priority is to fully revoke any active attacker sessions and tokens before proceeding with further remediation. Revoking sessions invalidates the user's refresh tokens, so the attacker cannot silently obtain new access tokens after the password is changed.

```powershell
# Invalidate all refresh tokens and session cookies for the user (requires Connect-MgGraph)
Revoke-MgUserSignInSession -UserId "[email protected]"
```
Hybrid AD Note:
If using on-prem AD with Pass-Through Authentication (PTA) or Federation, revoke ADFS tokens and terminate active VPN sessions.
If SSPR (Self-Service Password Reset) is enabled, an attacker who has registered their own authentication methods (phone, email, authenticator) can use SSPR to reset the password again after you change it. The password reset and the removal of registered authentication methods below therefore have to be done together.

```powershell
# Reset the password and force a change at next sign-in.
# Use a generated value rather than a fixed string, and deliver it to the user out of band.
Update-MgUser -UserId "[email protected]" -PasswordProfile @{
    Password = "NewSecureP@ssw0rd"
    ForceChangePasswordNextSignIn = $true
}

# Remove every registered MFA/SSPR method so attacker-registered devices no longer work.
# Note: the built-in password method cannot be removed, so expect an error on that entry,
# and check that your Microsoft.Graph module version exposes this removal cmdlet
# (recent versions ship per-type cmdlets such as Remove-MgUserAuthenticationPhoneMethod).
Get-MgUserAuthenticationMethod -UserId "[email protected]" | ForEach-Object {
    Remove-MgUserAuthenticationMethod -UserId "[email protected]" -AuthenticationMethodId $_.Id
}
```
```powershell
# Revoke OAuth consent the attacker granted to a third-party application.
# Grant IDs come from Get-MgUserOauth2PermissionGrant -UserId "[email protected]".
Remove-MgUserOauth2PermissionGrant -UserId "[email protected]" -PermissionGrantId "<GrantID>"

# Remove the user from any directory role the attacker added (Global Admin, Security Admin, ...).
Remove-MgDirectoryRoleMember -DirectoryRoleId "<RoleID>" -DirectoryObjectId "<UserObjectId>"

# Clear mailbox-level forwarding and remove delegated mailbox access (requires Connect-ExchangeOnline).
Set-Mailbox -Identity "[email protected]" -ForwardingSmtpAddress $null -ForwardingAddress $null
Remove-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess
```
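The individual commands above are easy to run out of order or to forget under pressure, so the containment steps are best chained into one function that can be dry-run first. The following is an added example, not the wiki's own script: it revokes sessions, rotates the password to a generated value, removes registered authentication methods, deletes delegated OAuth grants, strips directory roles, and cleans mailbox forwarding, inbox rules and delegate permissions for one user. It assumes `Connect-MgGraph` (with scopes such as `User.ReadWrite.All`, `UserAuthenticationMethod.ReadWrite.All`, `RoleManagement.ReadWrite.Directory` and `DelegatedPermissionGrant.ReadWrite.All`) and `Connect-ExchangeOnline` have already been run. Where it uses cmdlet names that differ from the ones on the page (`Remove-MgOauth2PermissionGrant`, `Remove-MgDirectoryRoleMemberByRef`, the per-type `Remove-MgUserAuthentication*Method` cmdlets) those are assumptions against current Microsoft.Graph module versions; check them against the version you have installed.

```powershell
# Added example (not the wiki's own script): chain the containment steps for one user,
# with -WhatIf support so the plan can be reviewed before anything is changed.
function Invoke-UserContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    $log  = [System.Collections.Generic.List[string]]::new()

    # 1. Revoke refresh tokens first so later steps cannot be undone with a still-valid session
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        $log.Add('Sessions revoked')
    }

    # 2. Rotate to a random temporary password that must be changed at next sign-in
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password')) {
        Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
        $log.Add('Password reset; deliver the temporary password out of band')
    }

    # 3. Remove registered MFA/SSPR methods (one Graph cmdlet per method type; password method is skipped)
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
        $type = $m.AdditionalProperties['@odata.type']
        if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, "Remove auth method $type")) { continue }
        $removed = $true
        switch ($type) {
            '#microsoft.graph.phoneAuthenticationMethod'                  { Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id }
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' { Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
            '#microsoft.graph.fido2AuthenticationMethod'                  { Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id }
            '#microsoft.graph.emailAuthenticationMethod'                  { Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $m.Id }
            '#microsoft.graph.softwareOathAuthenticationMethod'           { Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $m.Id }
            default                                                       { $removed = $false }
        }
        if ($removed) { $log.Add("Removed $type") } else { $log.Add("Left $type ($($m.Id)) in place; review manually") }
    }

    # 4. Drop every delegated OAuth2 grant the user consented to (attacker app persistence)
    foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $user.Id) {
        if ($PSCmdlet.ShouldProcess($g.ClientId, "Remove OAuth2 grant (scopes: $($g.Scope))")) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
            $log.Add("Removed grant $($g.Id) for client $($g.ClientId)")
        }
    }

    # 5. Strip directory role memberships; legitimate ones are re-granted later through PIM
    foreach ($obj in Get-MgUserMemberOf -UserId $user.Id) {
        if ($obj.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.directoryRole') { continue }
        $roleName = $obj.AdditionalProperties['displayName']
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Remove from role $roleName")) {
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $obj.Id -DirectoryObjectId $user.Id
            $log.Add("Removed role $roleName")
        }
    }

    # 6. Mailbox persistence: SMTP forwarding, forwarding/redirect inbox rules, delegate access
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear mailbox forwarding')) {
        Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        $log.Add('Mailbox forwarding cleared')
    }
    foreach ($rule in Get-InboxRule -Mailbox $UserPrincipalName) {
        if (($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) -and
            $PSCmdlet.ShouldProcess($rule.Name, 'Remove forwarding inbox rule')) {
            Remove-InboxRule -Mailbox $UserPrincipalName -Identity $rule.Identity -Confirm:$false
            $log.Add("Removed inbox rule '$($rule.Name)'")
        }
    }
    $delegates = Get-MailboxPermission -Identity $UserPrincipalName |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' }
    foreach ($p in $delegates) {
        if ($PSCmdlet.ShouldProcess($p.User, 'Remove mailbox permission')) {
            Remove-MailboxPermission -Identity $UserPrincipalName -User $p.User -AccessRights $p.AccessRights -Confirm:$false
            $log.Add("Removed $($p.AccessRights) for $($p.User)")
        }
    }
    return $log
}

# Dry run first, then execute:
#   Invoke-UserContainment -UserPrincipalName 'user@contoso.example' -WhatIf
#   Invoke-UserContainment -UserPrincipalName 'user@contoso.example'
```

The ordering matters: sessions are revoked before the password changes so no live refresh token survives the reset, and authentication methods are removed in the same run so SSPR cannot be used to take the password back. The returned list of actions is the record to attach to the incident ticket; for a multi-user compromise the same function is called once per affected account.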
✅ Enable Azure AD Conditional Access Policies
✅ Enforce MFA & block legacy authentication
✅ Monitor with SIEM (e.g., Azure Sentinel)
✅ Enable Privileged Identity Management (PIM)
How-To...
✅ Investigate compromised users in Defender Portal using UAL logs
✅ Filter by IP, ASN, OS, SessionID, and operation type
✅ Use Excel to analyze exported logs
✅ Revoke sessions, reset passwords, and remove attacker persistence
✅ Enforce MFA, Conditional Access, and SIEM monitoring