Azure AD new verified domain added to tenant

azure

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1078-valid-accounts

Set up the azure integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an account adds a new domain to the tenant. This may indicate an attacker preparing a domain to later use in a trusted domain (also known as federated) attack.

Strategy

Monitor Azure AD audit logs for the following events:

  • Add unverified domain
  • Verify domain

Triage and Response

  1. Check if the user is a known administrator or if the action aligns with their normal activities.
  2. Review recent sign-ins (Azure AD Sign-in Logs) to see if the user’s authentication patterns are unusual (for example, logins from unexpected locations or multiple failed login attempts).
  3. Review if federation settings have been configured for the domain. If federated authentication is configured, ensure this an expected configuration. Federated domains are able to authenticate users on behalf of your Azure AD tenant.
  4. If the domain addition is unauthorized, remove it immediately.
  5. If the action was performed by a compromised account, disable the account and reset its credentials.