KQL Query to Monitor Password Never Expire Account Changes
Setting an account password to never expire can pose a significant security risk. Regular password changes are a fundamental security control to reduce exposure to brute force or credential stuffing attacks. This KQL query helps detect when a user account’s password expiration setting is changed to “Never Expire,” allowing security teams to act promptly.
Risk
Accounts with passwords set to never expire and potentially weak passwords become prime targets for brute force attacks. Since the password doesn’t change regularly, attackers have more time to attempt unauthorized access, increasing the risk of compromise and data breaches.
Query
Microsoft Defender For Endpoint
IdentityDirectoryEvents
// Only the directory event raised when the "password never expires" flag is changed
| where ActionType == "Account Password Never Expires changed"
// AdditionalFields is a JSON string; parse it so the FROM/TO values can be addressed
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Keep only changes that enable the flag; reverts (TO == false) are dropped
| where NewValue == true
| project
    Timestamp,
    AccountName,
    AccountDomain,
    OriginalValue,
    NewValue,
    ReportId,
    DeviceName
Microsoft Sentinel
IdentityDirectoryEvents
// Only the directory event raised when the "password never expires" flag is changed
| where ActionType == "Account Password Never Expires changed"
// AdditionalFields is a JSON string; parse it so the FROM/TO values can be addressed
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Keep only changes that enable the flag; reverts (TO == false) are dropped
| where NewValue == true
| project
    TimeGenerated,  // Sentinel uses TimeGenerated instead of Timestamp
    AccountName,
    AccountDomain,
    OriginalValue,
    NewValue,
    ReportId,
    DeviceName
The queries work by filtering IdentityDirectoryEvents for the action type that indicates a change to the “Account Password Never Expires” setting. They then parse the AdditionalFields JSON column to extract the original (FROM) and new (TO) values of the setting, and keep only the events where the new value is true, i.e. the password has just been set to never expire.
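To show the same detection logic outside the hunting portal, here is an added Python example (not from the original page) that replays the query's steps over constructed IdentityDirectoryEvents-style rows; the sample rows, their field values and the string-encoded boolean case are assumptions, not real telemetry.

```python
import json

# Constants taken from the page's query: the action type and the two keys inside AdditionalFields.
ACTION_TYPE = "Account Password Never Expires changed"
FROM_KEY = "FROM Account Password Never Expires"
TO_KEY = "TO Account Password Never Expires"

# Constructed sample rows shaped like IdentityDirectoryEvents (not real telemetry); AdditionalFields
# is a JSON string, as in the table, so it has to be parsed before the FROM/TO keys can be read.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:00Z", "ActionType": ACTION_TYPE, "AccountName": "svc-backup",
     "AccountDomain": "corp", "ReportId": 101, "DeviceName": "dc01.corp.example",
     "AdditionalFields": json.dumps({FROM_KEY: False, TO_KEY: True})},      # flag enabled -> hit
    {"Timestamp": "2024-05-01T10:05:00Z", "ActionType": ACTION_TYPE, "AccountName": "jdoe",
     "AccountDomain": "corp", "ReportId": 102, "DeviceName": "dc01.corp.example",
     "AdditionalFields": json.dumps({FROM_KEY: True, TO_KEY: False})},      # reverted -> ignored
    {"Timestamp": "2024-05-01T10:06:00Z", "ActionType": ACTION_TYPE, "AccountName": "asmith",
     "AccountDomain": "corp", "ReportId": 103, "DeviceName": "dc02.corp.example",
     "AdditionalFields": json.dumps({FROM_KEY: "false", TO_KEY: "true"})},  # string booleans -> hit
    {"Timestamp": "2024-05-01T10:07:00Z", "ActionType": "Account Password changed", "AccountName": "jdoe",
     "AccountDomain": "corp", "ReportId": 104, "DeviceName": "dc01.corp.example",
     "AdditionalFields": json.dumps({})},                                    # other action -> ignored
]

PROJECTED = ("Timestamp", "AccountName", "AccountDomain", "ReportId", "DeviceName")

def to_bool(value):
    """Lenient boolean reading, like KQL's tobool(): real booleans or 'true'/'false' strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return {"true": True, "false": False}.get(value.strip().lower())
    return None  # missing or unrecognised, like a null dynamic value in KQL

def find_never_expire_enabled(events):
    """Replay the page's KQL pipeline and return the projected rows where the flag was turned on."""
    hits = []
    for event in events:
        if event.get("ActionType") != ACTION_TYPE:                  # | where ActionType == "..."
            continue
        info = json.loads(event.get("AdditionalFields") or "{}")    # parse_json(AdditionalFields)
        original = to_bool(info.get(FROM_KEY))                      # OriginalValue
        new = to_bool(info.get(TO_KEY))                             # NewValue
        if new is not True:                                         # | where NewValue == true
            continue
        row = {col: event.get(col) for col in PROJECTED}            # | project ...
        row.update(OriginalValue=original, NewValue=new)
        hits.append(row)
    return hits
```

Running `find_never_expire_enabled(SAMPLE_EVENTS)` returns only the two rows where the flag was switched on, which is the set of events the KQL query would surface for triage.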