title: Applications That Are Using ROPC Authentication Flow
id: 55695bc0-c8cf-461f-a379-2535f563c854
description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.  
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022/06/01
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    properties.message: ROPC
  condition: selection
falsepositives:
  - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
level: medium
status: experimental
tags: 
  - attack.t1078
  - attack.defense_evasion
  - attack.persistence
  - attack.privilege_escalation
  - attack.initial_access