EXPLORE
← Back to Explore
elastichighTTP

Entra ID Temporary Access Pass Created for User

Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP is a time-limited passcode that allows passwordless authentication and bypasses existing MFA requirements, including phishing-resistant methods. An attacker with User Administrator or Authentication Administrator privileges can issue a TAP for a target account, sign in without the current password, and register new persistent authentication methods before the TAP expires.

MITRE ATT&CK

initial-accesslateral-movement

Detection Query

data_stream.dataset: "azure.auditlogs" and
(
    (
        azure.auditlogs.operation_name: "User registered security info" and
        azure.auditlogs.properties.result_reason: "User registered temporary access pass method"
    ) or (
        azure.auditlogs.operation_name: "Create Temporary Access Pass method for user"
    ) or (
        azure.auditlogs.operation_name: "Admin registered security info" and
        azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*
    )
) and
event.outcome: ("Success" or "success")

Author

Elastic, descambiado

Created

2026/05/20

Data Sources

AzureMicrosoft Entra IDMicrosoft Entra ID Audit Logslogs-azure.auditlogs-*

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Audit LogsUse Case: Identity and Access AuditTactic: Initial AccessTactic: Lateral MovementResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/05/20"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/05"

[rule]
author = ["Elastic", "descambiado"]
description = """
Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP
is a time-limited passcode that allows passwordless authentication and bypasses existing MFA
requirements, including phishing-resistant methods. An attacker with User Administrator or
Authentication Administrator privileges can issue a TAP for a target account, sign in without
the current password, and register new persistent authentication methods before the TAP expires.
"""
false_positives = [
    """
    Help desk teams issuing TAPs for locked-out users or new employee onboarding workflows. Automated
    identity lifecycle systems that provision TAPs during device enrollment.
    """,
]
from = "now-9m"
index = ["logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Temporary Access Pass Created for User"
note = """## Triage and analysis

### Investigating Entra ID Temporary Access Pass Created for User

A Temporary Access Pass is a time-limited credential that bypasses all existing MFA factors for the
target account. In a steady-state tenant, TAP creation is rare and should be correlated against help
desk records or onboarding workflows.

#### Possible investigation steps

- Identify the administrator who created the TAP (`azure.auditlogs.properties.initiated_by`) and verify
  whether the action was authorized by a help desk ticket or change management record.
- Identify the target account and assess its privilege level -- TAPs issued for Global Administrators,
  Application Administrators, or accounts with high-value data access are highest risk.
- Check for sign-ins by the target account using the TAP credential: look for sign-ins where
  `azure.signinlogs.properties.authentication_details` contains "Temporary Access Pass" shortly after
  the TAP creation event.
- If the TAP was used to sign in, review what authentication methods were registered during or after
  the session -- an attacker will use the TAP window to add a persistent authenticator.
- Check whether the creating administrator's account shows anomalous activity in the preceding 24 hours.

### False positive analysis

- TAP creation by your identity team for locked-out users is a legitimate workflow. Confirm via help
  desk ticket correlation.
- New employee onboarding that provisions TAPs as part of passwordless enrollment is expected behavior.

### Response and remediation

- Revoke the TAP immediately if unauthorized: Entra ID > Users > Authentication methods.
- Audit all authentication methods registered by the target account after TAP creation and remove any
  that were not previously present.
- Reset the target account's password and revoke all active sessions.
- Review the creating administrator's recent actions for signs of compromise.
"""
references = [
    "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass",
    "https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/",
    "https://specterops.io/blog/2023/03/29/id-tap-that-pass/",
]
risk_score = 73
rule_id = "d0088204-675b-4175-bf07-1665da2d4810"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "azure.auditlogs" and
(
    (
        azure.auditlogs.operation_name: "User registered security info" and
        azure.auditlogs.properties.result_reason: "User registered temporary access pass method"
    ) or (
        azure.auditlogs.operation_name: "Create Temporary Access Pass method for user"
    ) or (
        azure.auditlogs.operation_name: "Admin registered security info" and
        azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*
    )
) and
event.outcome: ("Success" or "success")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"