---
title: Anthropic Compliance SSO disabled on organization
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anthropic Compliance SSO disabled on
  organization
---

# Anthropic Compliance SSO disabled on organization

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1556-modify-authentication-process](https://attack.mitre.org/techniques/T1556) 
## Goal{% #goal %}

Detects when SSO is disabled on an Anthropic organization, allowing users to authenticate using weaker fallback methods.

## Strategy{% #strategy %}

This rule monitors Anthropic Compliance activities for `org_sso_toggled` events with `@enabled` set to `false`. When SSO is turned off, users can log in using social providers (Google, Apple, Microsoft) or magic-link instead of the organization's identity provider, bypassing centralized session controls, conditional access policies, and group-based provisioning. Disabling SSO is a classic pre-attack step taken either by a compromised admin or a malicious insider.

## Triage and response{% #triage-and-response %}

- Verify whether `{{@usr.email}}` had a documented reason to disable SSO (planned migration, IDP outage).
- Examine subsequent login activity (`social_login_succeeded`, `magic_link_login_succeeded`) for users authenticating using non-SSO methods.
- Review any privilege escalation events that occurred shortly before this change.
- Confirm whether SSO was promptly re-enabled.