Device Registration or Join Without MFA

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.initial-access attack.defense-evasion attack.t1078.004 ·

Share on:

Monitor and alert for device registration or join events where MFA was not performed.

Sigma rule (View on GitHub)

 1title: Device Registration or Join Without MFA
 2id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
 3status: test
 4description: Monitor and alert for device registration or join events where MFA was not performed.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
 7author: Michael Epping, '@mepples21'
 8date: 2022-06-28
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.initial-access
13    - attack.defense-evasion
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: signinlogs
18detection:
19    selection:
20        ResourceDisplayName: 'Device Registration Service'
21        conditionalAccessStatus: 'success'
22    filter_mfa:
23        AuthenticationRequirement: 'multiFactorAuthentication'
24    condition: selection and not filter_mfa
25falsepositives:
26    - Unknown
27level: medium

References

Microsoft Entra security operations for devices - Microsoft Entra

Learn to establish baselines, and monitor and report on devices to identity potential security risks with devices.

Read More

Device Registration or Join Without MFA

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for devices - Microsoft Entra

Related rules