Skip to content

Reset User Password

Azure

Reset User Password

service: Azure - Microsoft Entra ID
tactics:
techniques:

Event

Resets an Entra ID user’s password through an administrative action.

Security Context

  • Admin password resets set a new known password on the target account, giving the adversary immediate access without needing the original credentials.
  • Adversaries with privileged directory roles reset passwords on high-value accounts to take over identities, escalate access, or maintain persistence through a controlled credential.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. Compromised tenant-root admin draco@fantasticlogs.cloud resets the password of legitimate IAM admin hermione@fantasticlogs.cloud. The reset effectively boots Hermione out of her own account (her old password no longer works) and gives Draco a controlled credential for sustained takeover. Maps to T1098.

{
"id": "Directory_90000000-0000-4000-8000-000100011101_5A7C2_44091237",
"category": "UserManagement",
"correlationId": "90000000-0000-4000-8000-000100011101",
"result": "success",
"resultReason": "",
"activityDisplayName": "Reset user password",
"activityDateTime": "2026-04-15T18:09:12.7218042Z",
"loggedByService": "Core Directory",
"operationType": "Update",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "30000000-0000-4000-8000-000000000001",
"displayName": "Hermione Granger",
"type": "User",
"userPrincipalName": "hermione@fantasticlogs.cloud",
"groupType": null,
"modifiedProperties": []
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)"
}
]
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...