Azure AD Only Single Factor Authentication Required

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1556.006 ·

Detect when users are authenticating without MFA being required.

Sigma rule (View on GitHub)

 1title: Azure AD Only Single Factor Authentication Required
 2id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
 3status: test
 4description: Detect when users are authenticating without MFA being required.
 5references:
 6    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 7author: MikeDuddington, '@dudders1'
 8date: 2022-07-27
 9tags:
10    - attack.initial-access
11    - attack.credential-access
12    - attack.t1078.004
13    - attack.t1556.006
14logsource:
15    product: azure
16    service: signinlogs
17detection:
18    selection:
19        Status: 'Success'
20        AuthenticationRequirement: 'singleFactorAuthentication'
21    condition: selection
22falsepositives:
23    - If this was approved by System Administrator.
24level: low

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Azure AD Only Single Factor Authentication Required

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules