Roles Activation Doesn't Require MFA

 1title: Roles Activation Doesn't Require MFA
 2id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0
 3status: experimental
 4description: Identifies when a privilege role can be activated without performing mfa.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023/09/14
 9tags:
10    - attack.t1078
11    - attack.persistence
12    - attack.privilege_escalation
13logsource:
14    product: azure
15    service: pim
16detection:
17    selection:
18        riskEventType: 'noMfaOnRoleActivationAlertIncident'
19    condition: selection
20falsepositives:
21    - Investigate if user is performing MFA at sign-in.
22level: high

References

• Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

  

  Configure security alerts for Microsoft Entra roles Privileged Identity Management.

  
  Read More

Related rules

• Invalid PIM License
• Roles Activated Too Frequently
• Roles Are Not Being Used
• Roles Assigned Outside PIM
• Stale Accounts In A Privileged Role