Skip to content
TheCloud.Events

Reset User Password

CSP: Azure
Tactics:
Persistence
Techniques:
T1098
Tags:
Azure Microsoft Entra ID

Event

Resets an Entra ID user’s password through an administrative action.

Security Context

  • Admin password resets set a new known password on the target account, giving the adversary immediate access without needing the original credentials.
  • Adversaries with privileged directory roles reset passwords on high-value accounts to take over identities, escalate access, or maintain persistence through a controlled credential.

Log Source

Entra ID Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.