Entra ID ROPC Authentication with Unknown Client ID

Last updated 4 days ago on 2026-07-15
Created 4 days ago on 2026-07-15

About

Identifies potential OAuth client ID spoofing in Microsoft Entra ID sign-in logs. Adversaries submit fabricated or non-existent application identifiers (client IDs) in Resource Owner Password Credentials (ROPC) authentication requests to the token endpoint. Because Entra ID validates the submitted credential before rejecting the request on application resolution, the resulting error code acts as a credential- and account-validity oracle while never producing a successful sign-in. By fragmenting attempts across many fictional application identifiers, adversaries evade per-application detections, rate limiting, and application-scoped Conditional Access. This rule detects a ROPC authentication that fails with error code 700016 (application not found in the directory) where no application display name resolves, which is characteristic of a spoofed client ID used for stealthy user enumeration and password spraying.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Entra IDData Source: Entra ID Sign-in LogsUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: Credential AccessTactic: DiscoveryLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Discovery (TA0007)(external, opens in a new tab or window)

False Positive Examples
A legitimate application that has been deleted from the tenant while a client continues to authenticate against its former client ID via ROPC can generate error code 700016. A misconfigured legacy client submitting an incorrect client ID is also possible. In both cases the client ID is typically stable and low-volume, unlike the many distinct or randomized identifiers seen in spoofing. Verify the application identifier, the source infrastructure, and whether the same principal is targeted by many different unresolved client IDs.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.authentication_protocol: "ropc" and azure.signinlogs.properties.status.error_code: 700016 and not azure.signinlogs.properties.app_display_name: *

Install detection rules in Elastic Security

Detect Entra ID ROPC Authentication with Unknown Client ID in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).