Microsoft Entra User Credentials
Detects Microsoft Entra (formerly Azure AD) user credential patterns including username/password combinations targeting Microsoft login endpoints. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: email-format username combined with password assignment and Microsoft domain context provides strong structural constraint. Added context gating and exclusion rules improve precision and reduce incidental matches.
- Detection quality: Verified
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories: credentials, security
- Scope: specific
- Risk rating: 10
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported
Pattern
(?i)(?:username|user[._-]?id|upn)\s*[:=]\s*"?[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.(?:onmicrosoft\.com|com|org|net)"?\s*[;,\n]\s*(?:password|pwd)\s*[:=]\s*"?[^\s"';,]{6,}"?
Corroborative evidence keywords
Entra, Azure AD, onmicrosoft.com, login.microsoftonline.com, user credentials, username, password, Microsoft 365, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+43 more)
Proximity: 300 characters
Should match
- username=admin@contoso.onmicrosoft.com;password=P@ssw0rd123 — Entra user credentials with onmicrosoft.com domain
- user_id="user@example.com" password="TestS3cret" — User credentials in config format
- upn=test@contoso.com,pwd=000000000000 — UPN with password placeholder
Should not match
- username=admin@contoso.onmicrosoft.com — Username without password
- The user must enter their password to log in — Documentation text, not actual credentials
- template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present
Known false positives
- Microsoft identity documentation with example user credentials. Mitigation: Check for common example domains (contoso.com, example.com) and placeholder passwords.
- Automated test scripts with test account credentials. Mitigation: Flag for review since test credentials may still provide access to test environments.
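
The pattern above run over this page's sample strings, with the example-domain and placeholder-password mitigation applied as a triage step. This is an added example, not part of the original rule or of Purview. The `triage` helper, the `DOMAIN` and `SECRET` expressions, the repeated-character placeholder test, the `contoso.onmicrosoft.com` entry and the samples marked constructed are assumptions.

```python
import re

# Pattern copied verbatim from the page.
ENTRA_CRED = re.compile(
    r'(?i)(?:username|user[._-]?id|upn)\s*[:=]\s*"?[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+'
    r'\.(?:onmicrosoft\.com|com|org|net)"?\s*[;,\n]\s*(?:password|pwd)\s*[:=]\s*'
    r'"?[^\s"\';,]{6,}"?'
)
# Helper expressions (not from the page) that pull fields out of a hit.
DOMAIN = re.compile(r'@([A-Za-z0-9.-]+)')
SECRET = re.compile(r'(?i)(?:password|pwd)\s*[:=]\s*"?([^\s"\';,]{6,})')

# contoso.com and example.com come from the page's mitigation note; the
# onmicrosoft.com variant is an assumption added for this example.
EXAMPLE_DOMAINS = {"contoso.com", "example.com", "contoso.onmicrosoft.com"}


def triage(text):
    """Return (domain, verdict) per hit; the secret itself is never returned."""
    findings = []
    for hit in ENTRA_CRED.finditer(text):
        domain = DOMAIN.search(hit.group()).group(1).lower()
        secret = SECRET.search(hit.group()).group(1)
        # Assumed placeholder heuristic: one character repeated throughout.
        example = domain in EXAMPLE_DOMAINS or len(set(secret)) == 1
        findings.append((domain, "likely-example" if example else "review"))
    return findings


# Samples from the page, plus constructed variants marked below.
SAMPLES = {
    "semicolon": 'username=admin@contoso.onmicrosoft.com;password=P@ssw0rd123',
    "space": 'user_id="user@example.com" password="TestS3cret"',
    "newline": 'user_id="user@example.com"\npassword="TestS3cret"',  # constructed
    "comma": 'upn=test@contoso.com,pwd=000000000000',
    "no_password": 'username=admin@contoso.onmicrosoft.com',
    "prose": 'The user must enter their password to log in',
    "other_domain": 'upn=ops@corp-placeholder.net,pwd=q7Vd2xLm',  # constructed
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text))
```

Written on one line with only a space between the two assignments, the second should-match sample produces no hit, because the pattern requires `;`, `,` or a newline between the username and password assignments. The constructed newline variant of the same sample does match.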