OIDC Discovery URL Changed in Entra ID

Detects a change to the OpenID Connect (OIDC) discovery URL in the Entra ID Authentication Methods Policy. This behavior may indicate an attempt to federate Entra ID with an attacker-controlled identity provider, enabling bypass of multi-factor authentication (MFA) and unauthorized access through bring-your-own IdP (BYOIDP) methods.

Elastic rule (source on GitHub):

[metadata]
creation_date = "2025/07/14"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/31"

[rule]
author = ["Elastic"]
description = """
Detects a change to the OpenID Connect (OIDC) discovery URL in the Entra ID Authentication Methods Policy. This behavior
may indicate an attempt to federate Entra ID with an attacker-controlled identity provider, enabling bypass of
multi-factor authentication (MFA) and unauthorized access through bring-your-own IdP (BYOIDP) methods.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "OIDC Discovery URL Changed in Entra ID"
note = """## Triage and analysis

### Investigating OIDC Discovery URL Changed in Entra ID

This rule detects when the OIDC `discoveryUrl` is changed within the Entra ID Authentication Methods policy. Adversaries may leverage this to federate Entra ID with a rogue Identity Provider (IdP) under their control, allowing them to authenticate users with attacker-owned credentials and bypass MFA. This misconfiguration allows an attacker to impersonate valid users by issuing tokens via a third-party OIDC IdP while still passing validation in Entra ID. This technique has been publicly demonstrated and has critical implications for trust in federated identity.

### Possible investigation steps
- Review `azure.auditlogs.properties.initiated_by.user.userPrincipalName` and `ipAddress` to identify who made the change and from where.
- Examine the old and new discovery URLs extracted by the query (`Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old` and `Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new`) to confirm whether the new `discoveryUrl` points to an unexpected or untrusted IdP.
- Check that the discovery URLs end in `.well-known/openid-configuration`, the standard OIDC discovery endpoint path.
- Use `azure.auditlogs.properties.correlation_id` to pivot to related changes and activity from the same session.
- Review any subsequent sign-in activity that may have originated from the new IdP.
- Pivot to additional logs associated with the user or application that made the change to identify any further suspicious activity.

### False positive analysis
- Entra ID administrators may intentionally reconfigure OIDC trust relationships to support new business requirements.
- Validate any changes with the identity or security operations team before taking action.

### Response and remediation
- If the change is unauthorized, immediately revert the discovery URL to the trusted IdP via the Entra ID portal.
- Revoke tokens or sessions issued after the configuration change.
- Investigate how the unauthorized change occurred (e.g., compromised account or over-privileged app).
- Apply conditional access policies and change control procedures to protect IdP configuration changes.
"""
references = ["https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/"]
risk_score = 73
rule_id = "498e4094-60e7-11f0-8847-f661ea17fbcd"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-azure.auditlogs-* metadata _id, _version, _index
| where event.action == "Authentication Methods Policy Update"
| eval Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace = replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
| eval Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace = replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")
| dissect Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace "%{}discoveryUrl\":\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new}\"}%{}"
| dissect Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace "%{}discoveryUrl\":\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old}\"}%{}"
| where Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new is not null and Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old is not null
| where Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new != Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
| keep
    @timestamp,
    event.action,
    event.outcome,
    azure.tenant_id,
    azure.correlation_id,
    azure.auditlogs.properties.activity_datetime,
    azure.auditlogs.properties.operation_type,
    azure.auditlogs.properties.initiated_by.user.userPrincipalName,
    azure.auditlogs.properties.initiated_by.user.displayName,
    azure.auditlogs.properties.initiated_by.user.ipAddress,
    source.geo.city_name,
    source.geo.region_name,
    source.geo.country_name,
    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new,
    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.009"
name = "Conditional Access Policies"
reference = "https://attack.mitre.org/techniques/T1556/009/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
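The detection logic of the ES|QL query above, re-implemented in Python as an added example so it can be run offline against constructed records; this is not part of the Elastic rule. The events are flattened dictionaries whose dotted keys are copied from the query; the shape of the `old_value`/`new_value` payload (policy JSON stored as a JSON string, so its inner quotes arrive backslash-escaped, which is what the rule's `replace` step strips) is an assumption built to exercise the same backslash-strip-then-extract logic. The `.well-known/openid-configuration` and host-change checks come from the triage steps in the rule note; the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Field names copied from the rule's ES|QL query, used as flattened dotted keys.
ACTION_FIELD = "event.action"
NEW_VALUE_FIELD = "azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value"
OLD_VALUE_FIELD = "azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value"
UPN_FIELD = "azure.auditlogs.properties.initiated_by.user.userPrincipalName"
IP_FIELD = "azure.auditlogs.properties.initiated_by.user.ipAddress"

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Python counterpart of the rule's dissect pattern: after the backslash strip the
# value contains ...discoveryUrl":"<url>"... ; capture up to the next quote.
_DISCOVERY_RE = re.compile(r'discoveryUrl":"([^"]*)"')


def _escaped_policy_json(discovery_url: str) -> str:
    """Constructed modified_properties value (an assumption about the payload shape):
    the policy JSON is stored as a JSON string, so its inner quotes are escaped."""
    inner = ('{"displayName":"External IdP","openIdConnectSetting":'
             '{"clientId":"11111111-2222-3333-4444-555555555555",'
             f'"discoveryUrl":"{discovery_url}"}}}}')
    return inner.replace('"', '\\"')


def extract_discovery_url(raw_value):
    """Mirror the rule: remove backslashes, then pull out discoveryUrl (None if absent)."""
    if raw_value is None:
        return None
    match = _DISCOVERY_RE.search(raw_value.replace("\\", ""))
    return match.group(1) if match else None


def is_standard_discovery_url(url: str) -> bool:
    """Triage check from the rule note: HTTPS and the standard OIDC discovery path."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.path.endswith(WELL_KNOWN_SUFFIX)


@dataclass
class Alert:
    upn: str
    ip: str
    old_url: str
    new_url: str
    host_changed: bool            # discovery URL now served by a different host
    new_url_is_standard: bool     # new URL looks like a real OIDC discovery endpoint


def detect_oidc_discovery_change(events):
    """Apply the rule's filters: right action, both URLs present, and they differ."""
    alerts = []
    for ev in events:
        if ev.get(ACTION_FIELD) != "Authentication Methods Policy Update":
            continue
        new_url = extract_discovery_url(ev.get(NEW_VALUE_FIELD))
        old_url = extract_discovery_url(ev.get(OLD_VALUE_FIELD))
        # Like the query, skip when either side is missing or nothing changed. Note the
        # consequence: a brand-new external method with no prior discoveryUrl is not alerted.
        if new_url is None or old_url is None or new_url == old_url:
            continue
        alerts.append(Alert(
            upn=ev.get(UPN_FIELD, ""),
            ip=ev.get(IP_FIELD, ""),
            old_url=old_url,
            new_url=new_url,
            host_changed=urlparse(old_url).netloc != urlparse(new_url).netloc,
            new_url_is_standard=is_standard_discovery_url(new_url),
        ))
    return alerts


# Constructed sample records (not real tenant data).
TRUSTED = "https://idp.example.org/.well-known/openid-configuration"
ROGUE = "https://sso.rogue-idp.example.net/.well-known/openid-configuration"

SAMPLE_EVENTS = [
    # 1. discoveryUrl repointed to another host: this is the case the rule alerts on.
    {ACTION_FIELD: "Authentication Methods Policy Update",
     UPN_FIELD: "admin@contoso.example", IP_FIELD: "198.51.100.23",
     OLD_VALUE_FIELD: _escaped_policy_json(TRUSTED),
     NEW_VALUE_FIELD: _escaped_policy_json(ROGUE)},
    # 2. Policy update that leaves discoveryUrl unchanged: filtered by the != check.
    {ACTION_FIELD: "Authentication Methods Policy Update",
     UPN_FIELD: "admin@contoso.example", IP_FIELD: "198.51.100.23",
     OLD_VALUE_FIELD: _escaped_policy_json(TRUSTED),
     NEW_VALUE_FIELD: _escaped_policy_json(TRUSTED)},
    # 3. Unrelated audit action: filtered by event.action.
    {ACTION_FIELD: "Update user", UPN_FIELD: "helpdesk@contoso.example",
     IP_FIELD: "198.51.100.40", OLD_VALUE_FIELD: None, NEW_VALUE_FIELD: None},
    # 4. First-time configuration (no old value): skipped by the is-not-null check.
    {ACTION_FIELD: "Authentication Methods Policy Update",
     UPN_FIELD: "admin@contoso.example", IP_FIELD: "198.51.100.23",
     OLD_VALUE_FIELD: None, NEW_VALUE_FIELD: _escaped_policy_json(ROGUE)},
]

if __name__ == "__main__":
    for a in detect_oidc_discovery_change(SAMPLE_EVENTS):
        print(f"{a.upn} from {a.ip}: {a.old_url} -> {a.new_url} "
              f"(host changed: {a.host_changed}, standard discovery path: {a.new_url_is_standard})")
```

Running it yields one alert, for record 1 only. Record 4 shows a gap worth knowing about when tuning: the query requires both the old and new `discoveryUrl` to be present, so an initial external-method configuration produces no alert from this rule.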
