← Back to Explore
elastichighTTP
Entra ID Temporary Access Pass Created for User
Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP is a time-limited passcode that allows passwordless authentication and bypasses existing MFA requirements, including phishing-resistant methods. An attacker with User Administrator or Authentication Administrator privileges can issue a TAP for a target account, sign in without the current password, and register new persistent authentication methods before the TAP expires.
Detection Query
data_stream.dataset: "azure.auditlogs" and
(
(
azure.auditlogs.operation_name: "User registered security info" and
azure.auditlogs.properties.result_reason: "User registered temporary access pass method"
) or (
azure.auditlogs.operation_name: "Create Temporary Access Pass method for user"
) or (
azure.auditlogs.operation_name: "Admin registered security info" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*
)
) and
event.outcome: ("Success" or "success")
Author
Elastic, descambiado
Created
2026/05/20
Data Sources
AzureMicrosoft Entra IDMicrosoft Entra ID Audit Logslogs-azure.auditlogs-*
References
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Audit LogsUse Case: Identity and Access AuditTactic: Initial AccessTactic: Lateral MovementResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/05/20"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/05"
[rule]
author = ["Elastic", "descambiado"]
description = """
Identifies the creation of a Temporary Access Pass (TAP) for an Entra ID user account. A TAP
is a time-limited passcode that allows passwordless authentication and bypasses existing MFA
requirements, including phishing-resistant methods. An attacker with User Administrator or
Authentication Administrator privileges can issue a TAP for a target account, sign in without
the current password, and register new persistent authentication methods before the TAP expires.
"""
false_positives = [
"""
Help desk teams issuing TAPs for locked-out users or new employee onboarding workflows. Automated
identity lifecycle systems that provision TAPs during device enrollment.
""",
]
from = "now-9m"
index = ["logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Temporary Access Pass Created for User"
note = """## Triage and analysis
### Investigating Entra ID Temporary Access Pass Created for User
A Temporary Access Pass is a time-limited credential that bypasses all existing MFA factors for the
target account. In a steady-state tenant, TAP creation is rare and should be correlated against help
desk records or onboarding workflows.
#### Possible investigation steps
- Identify the administrator who created the TAP (`azure.auditlogs.properties.initiated_by`) and verify
whether the action was authorized by a help desk ticket or change management record.
- Identify the target account and assess its privilege level -- TAPs issued for Global Administrators,
Application Administrators, or accounts with high-value data access are highest risk.
- Check for sign-ins by the target account using the TAP credential: look for sign-ins where
`azure.signinlogs.properties.authentication_details` contains "Temporary Access Pass" shortly after
the TAP creation event.
- If the TAP was used to sign in, review what authentication methods were registered during or after
the session -- an attacker will use the TAP window to add a persistent authenticator.
- Check whether the creating administrator's account shows anomalous activity in the preceding 24 hours.
### False positive analysis
- TAP creation by your identity team for locked-out users is a legitimate workflow. Confirm via help
desk ticket correlation.
- New employee onboarding that provisions TAPs as part of passwordless enrollment is expected behavior.
### Response and remediation
- Revoke the TAP immediately if unauthorized: Entra ID > Users > Authentication methods.
- Audit all authentication methods registered by the target account after TAP creation and remove any
that were not previously present.
- Reset the target account's password and revoke all active sessions.
- Review the creating administrator's recent actions for signs of compromise.
"""
references = [
"https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass",
"https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/",
"https://specterops.io/blog/2023/03/29/id-tap-that-pass/",
]
risk_score = 73
rule_id = "d0088204-675b-4175-bf07-1665da2d4810"
severity = "high"
tags = [
"Domain: Cloud",
"Domain: Identity",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Audit Logs",
"Use Case: Identity and Access Audit",
"Tactic: Initial Access",
"Tactic: Lateral Movement",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset: "azure.auditlogs" and
(
(
azure.auditlogs.operation_name: "User registered security info" and
azure.auditlogs.properties.result_reason: "User registered temporary access pass method"
) or (
azure.auditlogs.operation_name: "Create Temporary Access Pass method for user"
) or (
azure.auditlogs.operation_name: "Admin registered security info" and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: *TemporaryAccessPass*
)
) and
event.outcome: ("Success" or "success")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"