User Risk and MFA Registration Policy Updated

 1title: User Risk and MFA Registration Policy Updated
 2id: d4c7758e-9417-4f2e-9109-6125d66dabef
 3status: experimental
 4description: |
 5    Detects changes and updates to the user risk and MFA registration policy.
 6    Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.    
 7references:
 8    - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
 9    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
10author: Harjot Singh (@cyb3rjy0t)
11date: 2024-08-13
12tags:
13    - attack.persistence
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        LoggedByService: 'AAD Management UX'
20        Category: 'Policy'
21        OperationName: 'Update User Risk and MFA Registration Policy'
22    condition: selection
23falsepositives:
24    - Known updates by administrators.
25level: high

References

• Configure the MFA registration policy - Microsoft Entra ID Protection

  

  Learn how to configure the Microsoft Entra ID Protection multifactor authentication registration policy.

  
  Read More

• Microsoft Entra audit log activity reference - Microsoft Entra ID

  

  Get an overview of the audit activities that can be logged in your audit logs in Microsoft Entra ID.

  
  Read More

Related rules

• Multi Factor Authentication Disabled For User Account
• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group
• A New Trust Was Created To A Domain
• A Security-Enabled Global Group Was Deleted