The "Azure AD Suspicious Factor Registration" detection alerts security teams to the registration of a potentially unauthorized authentication factor, such as a new multi-factor authentication (MFA) method, on an account in Azure Active Directory. This detection indicates that an attacker may be attempting to retain persistent access by adding an authentication method of their own, which could bypass conventional security controls.
Attackers who have gained control of an account may add new authentication factors, such as a secondary MFA method, to maintain persistent access to the environment. This additional factor serves as an alternative means of entry, allowing the attacker to circumvent account restrictions or remain undetected despite changes to the primary account credentials.
Legitimate users may sometimes register a new authentication method, such as updating or adding an MFA device. This can occur when a user changes devices or adjusts their authentication preferences, which could appear suspicious if it deviates from typical registration patterns within the organization.
An attacker who compromises an account registers a new MFA factor during off-hours, hoping it will go undetected, and plans to use it for persistent access.
A factor is registered from an unrecognized device that does not align with the user’s usual equipment, raising suspicion of unauthorized access.
If this detection indicates a genuine threat, the organization faces significant risks:
Attackers could bypass access restrictions and maintain undetected access by using an unauthorized authentication factor.
Persistent access to Azure AD through a secondary factor may allow attackers to exfiltrate or manipulate sensitive data.
Unauthorized access due to a fraudulent authentication factor could expose the organization to compliance violations by enabling access to restricted systems.
Examine the location, timing, and type of authentication factor registered for any inconsistencies with expected behavior.
Review recent authentication and activity logs for any suspicious patterns preceding the registration.
Confirm directly with the account holder if they initiated the registration of the new factor.
Track future access events to ensure no further suspicious activities are associated with the new authentication factor.
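The investigation steps above (timing, origin, device, and the user's usual equipment) can be expressed as a first-pass triage script. The following is an added example, not code from the original page or from any vendor's detection: it runs over constructed audit-log records loosely shaped like Azure AD "User registered security info" entries (the field names, the per-user baseline, and the business-hours window are assumptions for the example) and reports which registrations deviate from the user's known IPs, known devices, or normal working hours.

```python
from datetime import datetime, timezone

# Constructed sample records (not real tenant data), loosely shaped like
# Azure AD audit-log entries. "User registered security info" is the
# activity name Azure AD uses for authentication-method registration; the
# remaining field names are simplifications assumed for this example.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "activity": "User registered security info",
     "method": "Microsoft Authenticator", "ip": "203.0.113.10",
     "device": "ALICE-LAPTOP", "time": "2024-03-12T14:05:00Z"},
    {"user": "bob@example.com", "activity": "User registered security info",
     "method": "Phone (SMS)", "ip": "198.51.100.77",
     "device": "", "time": "2024-03-13T02:41:00Z"},
    {"user": "alice@example.com", "activity": "Update user",
     "method": "", "ip": "203.0.113.10", "device": "ALICE-LAPTOP",
     "time": "2024-03-12T14:06:00Z"},
]

# Constructed per-user baseline: IPs and device names seen in prior
# successful sign-ins. In practice this would be built from sign-in logs.
BASELINE = {
    "alice@example.com": {"ips": {"203.0.113.10"}, "devices": {"ALICE-LAPTOP"}},
    "bob@example.com": {"ips": {"203.0.113.22"}, "devices": {"BOB-DESKTOP"}},
}

REGISTRATION_ACTIVITY = "User registered security info"


def triage(event, baseline, business_hours=(8, 18)):
    """Return the anomaly reasons for one registration event.

    An empty list means the registration matched the user's known IPs,
    known devices, and the assumed business-hours window (UTC, Mon-Fri).
    """
    reasons = []
    when = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    start, end = business_hours
    # Weekend (weekday() 5/6) or outside the working-hours window.
    if when.weekday() >= 5 or not (start <= when.hour < end):
        reasons.append("off_hours")
    known = baseline.get(event["user"], {"ips": set(), "devices": set()})
    if event["ip"] not in known["ips"]:
        reasons.append("unknown_ip")
    # A missing device name is treated the same as an unrecognized one.
    if not event["device"] or event["device"] not in known["devices"]:
        reasons.append("unknown_device")
    return reasons


def find_suspicious(events, baseline):
    """Filter to registration events and map user -> reasons for every
    event that raised at least one anomaly."""
    flagged = {}
    for ev in events:
        if ev["activity"] != REGISTRATION_ACTIVITY:
            continue  # other audit activities are out of scope here
        reasons = triage(ev, baseline)
        if reasons:
            flagged[ev["user"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_EVENTS, BASELINE).items():
        print(f"{user}: {', '.join(reasons)} -> confirm with account holder")
```

The output of the script is a worklist, not a verdict: each flagged user still needs the direct confirmation the steps above call for. Evaluating business hours in UTC is a simplification; a real deployment would convert to the user's local time zone, and the baseline of known IPs and devices should be drawn from a window of prior sign-ins rather than hard-coded.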
Unusual timing, location, or device type for the factor registration can indicate a suspicious registration.
First, verify the registration details with the account owner and review associated activity logs for further anomalies.
Reviewing the registration’s origin, time, and associated device, along with confirming with the user, can help determine legitimacy.
Failing to investigate could allow attackers to retain undetected access, leading to potential data breaches or system disruptions.
Not until its legitimacy has been verified, as disabling a legitimate user's access without verification could disrupt business activities.
It may allow attackers who have compromised an account to maintain access without detection by leveraging a secondary factor.
Not always; sometimes a legitimate user action may trigger this detection, but it’s critical to investigate thoroughly.
Yes, in cases where IT registers factors on behalf of users, though this should follow strict change control procedures.
Yes, attackers often use phishing to acquire initial access, which they can then expand by adding authentication factors.
Other detections include suspicious sign-ons, unusual device registrations, and MFA failures that might accompany this behavior.