Reset User Password
Azure
Reset User Password
Event
Resets an Entra ID user’s password through an administrative action.
Security Context
- Admin password resets set a new known password on the target account, giving the adversary immediate access without needing the original credentials.
- Adversaries with privileged directory roles reset passwords on high-value accounts to take over identities, escalate access, or maintain persistence through a controlled credential.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised tenant-root admin draco@fantasticlogs.cloud resets the password of legitimate IAM admin hermione@fantasticlogs.cloud. The reset effectively boots Hermione out of her own account (her old password no longer works) and gives Draco a controlled credential for sustained takeover. Maps to T1098.
{ "id": "Directory_90000000-0000-4000-8000-000100011101_5A7C2_44091237", "category": "UserManagement", "correlationId": "90000000-0000-4000-8000-000100011101", "result": "success", "resultReason": "", "activityDisplayName": "Reset user password", "activityDateTime": "2026-04-15T18:09:12.7218042Z", "loggedByService": "Core Directory", "operationType": "Update", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "30000000-0000-4000-8000-000000000001", "displayName": "Hermione Granger", "type": "User", "userPrincipalName": "hermione@fantasticlogs.cloud", "groupType": null, "modifiedProperties": [] } ], "additionalDetails": [ { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...