Azure AD MFA disabled

Goal

Detect when multi-factor authentication (MFA) is disabled for an Azure AD user.

Strategy

This rule monitors the following Azure AD Audit Log event to detect when a user’s MFA is disabled:

  • Disable Strong Authentication

Disabling MFA makes an account more vulnerable to takeover. Attackers may attempt to disable MFA to gain access to other user accounts or to maintain persistence in an already-compromised account.
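The following added example (not part of the rule's documentation or Datadog's code) shows the detection logic the strategy above describes, run over a few constructed Azure AD audit log records. It matches the "Disable Strong Authentication" activity, pulls out the target user from targetResources (the same attribute the triage steps reference), and records who initiated the change so the self-service versus admin-initiated cases in the triage steps can be separated. The field names activityDisplayName, initiatedBy and targetResources are assumed from the Azure AD audit log schema as exported by Azure Monitor; all UPNs, timestamps and values are made up.

```python
import json

# Activity name from the rule's strategy section.
MONITORED_ACTIVITY = "Disable Strong Authentication"

# Constructed sample records in the shape Azure Monitor diagnostic settings
# emit for AuditLogs (a top-level "properties" object). Field names are
# assumed from the Azure AD audit log schema; the values are fabricated.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    {
        "time": "2024-01-10T09:12:44Z",
        "category": "AuditLogs",
        "properties": {
            "activityDisplayName": MONITORED_ACTIVITY,
            "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
            "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com"}],
        },
    },
    {
        "time": "2024-01-10T09:15:02Z",
        "category": "AuditLogs",
        "properties": {
            "activityDisplayName": "Update user",
            "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
            "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}],
        },
    },
    {
        "time": "2024-01-10T10:01:30Z",
        "category": "AuditLogs",
        "properties": {
            "activityDisplayName": MONITORED_ACTIVITY,
            "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
            "targetResources": [{"type": "User", "userPrincipalName": "carol@example.com"}],
        },
    },
])


def parse_records(ndjson_text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def _actor_of(props):
    """Return the UPN of the initiating user, or the app name if a service principal acted."""
    initiated_by = props.get("initiatedBy") or {}
    user = initiated_by.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    app = initiated_by.get("app") or {}
    return app.get("displayName")


def find_mfa_disable_events(records):
    """Return one finding per target user of each 'Disable Strong Authentication' event.

    Each finding carries the target UPN (the value the triage steps refer to),
    the actor, the result, and whether the change was self-service, i.e. the
    initiating user is the same as the target user.
    """
    findings = []
    for rec in records:
        props = rec.get("properties") or {}
        if props.get("activityDisplayName") != MONITORED_ACTIVITY:
            continue
        actor = _actor_of(props)
        for target in props.get("targetResources") or []:
            upn = target.get("userPrincipalName")
            if not upn:
                continue
            findings.append({
                "time": rec.get("time"),
                "target": upn,
                "actor": actor,
                "result": props.get("result"),
                "self_service": actor is not None and actor.lower() == upn.lower(),
            })
    return findings


if __name__ == "__main__":
    for f in find_mfa_disable_events(parse_records(SAMPLE_LOGS)):
        who = "self-service" if f["self_service"] else f"by {f['actor']}"
        print(f"{f['time']} MFA disabled for {f['target']} ({who}, result={f['result']})")
```

The self_service flag maps directly onto triage steps 2 and 3: a finding where the actor differs from the target is the "not expected by the user" branch and warrants the account-containment steps, while a self-service change still needs the authorization check in step 3.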

Triage and response

  1. Determine if user {{@properties.targetResources.userPrincipalName}} was expected to have their MFA disabled.

  2. If the change was not expected by the user:

    • Investigate other signals and suspicious behavior by {{@properties.targetResources.userPrincipalName}}.
    • Disable the affected user accounts.
    • Rotate user credentials.
    • Ensure MFA policies are accurately enforced across your Azure AD tenant.
    • Begin your organization’s incident response process and investigate.

  3. If the change was made by the user:

    • Determine if the user was authorized to make that change.
    • If Yes, confirm the user is assigned MFA policies in accordance with organizational requirements.
    • If No, verify there are no other signals or suspicious behavior from {{@properties.targetResources.userPrincipalName}}.