Roles Activation Doesn't Require MFA

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.t1078 attack.persistence attack.privilege-escalation ·

Share on:

Identifies when a privilege role can be activated without performing mfa.

Sigma rule (View on GitHub)

 1title: Roles Activation Doesn't Require MFA
 2id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0
 3status: test
 4description: Identifies when a privilege role can be activated without performing mfa.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.initial-access
11    - attack.defense-evasion
12    - attack.t1078
13    - attack.persistence
14    - attack.privilege-escalation
15logsource:
16    product: azure
17    service: pim
18detection:
19    selection:
20        riskEventType: 'noMfaOnRoleActivationAlertIncident'
21    condition: selection
22falsepositives:
23    - Investigate if user is performing MFA at sign-in.
24level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Roles Activation Doesn't Require MFA

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules