Data Source: Microsoft Entra ID

Microsoft Entra ID Rare Authentication Requirement for Principal User

Apr 16, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Sign-in Logs Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Initial Access Resources: Investigation Guide ·

Share on:

Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity.

Microsoft Entra ID Illicit Consent Grant via Registered Application

Mar 27, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Audit Logs Use Case: Identity and Access Audit Resources: Investigation Guide Tactic: Initial Access Tactic: Credential Access ·

Share on:

Identifies an illicit consent grant request on-behalf-of a registered Entra ID application. Adversaries may create and register an application in Microsoft Entra ID for the purpose of requesting user consent to access resources. This is accomplished by tricking a user into granting consent to the application, typically via a pre-made phishing URL. This establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user.

Microsoft Entra ID Conditional Access Policy (CAP) Modified

Mar 27, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Audit Logs Use Case: Identity and Access Audit Use Case: Configuration Audit Tactic: Persistence Resources: Investigation Guide ·

Share on:

Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity.

First Occurrence of Entra ID Auth via DeviceCode Protocol

Mar 25, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Use Case: Identity and Access Audit Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies when a user is observed for the first time in the last 14 days authenticating using the device code authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.

Entra ID Device Code Auth with Broker Client

Jan 22, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Use Case: Identity and Access Audit Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).