Identity and Access Management
Azure AD MFA Disabled
Detection overview
The "Azure AD MFA Disabled" detection focuses on identifying instances where Multi-Factor Authentication (MFA) is disabled for user accounts in Azure Active Directory (Azure AD). MFA is a critical security measure that adds an additional layer of protection beyond just passwords. Disabling MFA can significantly weaken account security, making it easier for attackers to gain unauthorized access.
Triggers
- An account was observed disabling Multi-Factor Authentication (MFA) for another account.
Possible Root Causes
- An attacker is disabling MFA on an account to bypass this security control as a means of maintaining or acquiring additional access to the environment.
- Administrators may disable MFA for accounts used by automated processes or to temporarily enable users to access an environment after losing their second factor device.
Business Impact
- MFA is a critical security control that if bypassed may be indicative of an active threat in the environment or increase risk of the account becoming compromised in the future.
- Compromised accounts provide attackers with access to critical systems and data which may be stolen, modified, or deleted.
Steps to Verify
- Review the account and internal policy to determine if MFA should be enabled for this account.
- Verify the action of disabling MFA on this account was intentional and followed internal security policies and change control processes.
Azure AD MFA Disabled
Possible root causes
Malicious Detection
- An attacker has gained access to an administrative account and is disabling MFA to facilitate unauthorized access.
- Compromised credentials of a user with privileges to modify MFA settings.
- Insider threat where an employee intentionally disables MFA for malicious purposes.
Benign Detection
- Administrative tasks involving the temporary disabling of MFA for troubleshooting or support purposes.
- Scheduled security assessments or penetration tests.
- Misconfiguration or errors during legitimate administrative tasks.
Azure AD MFA Disabled
Example scenarios
Scenario 1: An attacker gains access to a compromised administrative account in Azure AD and disables MFA for multiple user accounts to facilitate further unauthorized access. This detection is triggered by the sudden change in MFA settings.
Scenario 2: During a scheduled security assessment, the penetration testing team disables MFA for specific test accounts to evaluate the organization's detection and response capabilities. The detection is triggered, and the activity is verified as part of the assessment.
Azure AD MFA Disabled
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Account Compromise & Privilege Escalation
Easier unauthorized access to user accounts without the additional layer of MFA protection. Attackers can gain further access to sensitive resources and escalate their privileges within the network.
Data Breach & Operational Disruption
Increased risk of unauthorized access to sensitive data and critical systems. Potential for attackers to disrupt services and operations.
Compliance Violations
Non-compliance with security policies and regulations that mandate the use of MFA.
Azure AD MFA Disabled
Steps to investigate
Review MFA Settings Change Logs
- Check Azure AD logs for details on when and by whom MFA was disabled.
- Identify the source IP address and user account involved in the change.
Correlate with User Activity
- Verify if the user who disabled MFA has the necessary privileges and if their actions align with their role.
- Check for recent changes in the user’s behavior or login patterns.
Examine Tools and Scripts
- Check for the presence of any known tools or scripts that could have been used to disable MFA.
- Review any automated tasks or scripts that interact with MFA settings.
Conduct a Threat Hunt
- Search for other indicators of compromise or malicious activity associated with the same user or IP address.
- Verify if the detected activity is part of a scheduled security assessment or penetration test.
Azure AD MFA Disabled
MITRE ATT&CK techniques covered
Azure AD MFA Disabled
Related detections
FAQs
What does disabling Azure AD MFA mean?
Disabling Azure AD MFA means turning off the multi-factor authentication requirement for user accounts, reducing the security protection provided by requiring a second form of verification beyond just passwords.
How can I detect when MFA is disabled in Azure AD?
Monitoring Azure AD logs for changes to MFA settings and setting up alerts for any instances of MFA being disabled can help detect these events.
What are the common signs of unauthorized MFA disabling?
Signs include disabling MFA during non-business hours, from unfamiliar IP addresses, or by users who do not typically perform such administrative tasks.
Why is disabling MFA a significant threat?
Disabling MFA significantly weakens account security, making it easier for attackers to gain unauthorized access and perform malicious actions within the environment.
Can legitimate activities trigger the detection of MFA being disabled?
Yes, routine administrative tasks, security assessments, or troubleshooting activities can trigger this detection. It’s important to verify the context of the activity.
What steps should I take if I detect MFA being disabled?
Investigate the source of the change, verify if it was authorized, check for other signs of malicious activity, and re-enable MFA if it was disabled without proper authorization.
How does Vectra AI detect the disabling of MFA in Azure AD?
Vectra AI uses advanced AI algorithms to analyze Azure AD activity and identify patterns indicative of MFA being disabled, correlating these with other suspicious behaviors.
What tools can help verify the presence of unauthorized MFA disabling?
Tools like Azure AD Audit Logs, security information and event management (SIEM) systems, and specialized monitoring solutions can help identify unauthorized changes to MFA settings.
What is the business impact of disabling MFA?
The primary risks are account compromise, privilege escalation, data breaches, operational disruptions, and compliance violations, which can lead to significant damage to the organization.
How can I prevent unauthorized disabling of MFA?
Implement strict access controls, regularly review admin privileges, monitor AD activity, use strong authentication methods, and conduct regular audits of user activity.