Skip to content
Threat Feed
medium advisory

Entra ID MFA Disabled for User

Detection of multi-factor authentication (MFA) being disabled for an Entra ID user account, potentially weakening account security and leading to compromise.

This threat brief focuses on the detection of adversaries disabling multi-factor authentication (MFA) for Entra ID user accounts. The disabling of MFA weakens the authentication requirements for the account, making it easier for attackers to gain unauthorized access. This activity can be carried out by malicious insiders or external attackers who have already compromised administrative credentials. While legitimate administrators can also disable MFA, any such activity should be carefully scrutinized. The technique has been observed across various cloud environments, and it is a common step in broader attack campaigns aimed at persistence, credential access, and defense evasion. This alert is based on activity logged in the Azure audit logs.

Attack Chain

  1. An attacker gains initial access to an account with sufficient privileges to modify user authentication settings, possibly through phishing or credential stuffing.
  2. The attacker authenticates to the Azure portal or uses PowerShell/CLI with compromised credentials.
  3. The attacker navigates to the Entra ID (Azure AD) user management section.
  4. The attacker identifies a target user account for which they want to disable MFA.
  5. The attacker disables MFA for the target user account by removing registered authentication methods or disabling MFA at the user level. This could involve either disabling "Strong Authentication" or deleting security info related to "AuthenticationMethod".
  6. The Azure Audit Logs record an event indicating that MFA was disabled for the user.
  7. The attacker attempts to authenticate to the target user account without MFA, gaining unauthorized access.
  8. The attacker leverages the compromised account to access sensitive resources, move laterally within the environment, or establish persistence.

Impact

Compromising an Entra ID user account can grant attackers access to a wide range of resources and services within the Azure environment, including sensitive data, applications, and infrastructure components. If MFA is disabled for a privileged account, the impact can be particularly severe, potentially leading to complete control over the organization's cloud infrastructure. Successful attacks can result in data breaches, financial losses, and reputational damage. The number of potential victims is vast, as Entra ID is used by organizations of all sizes across various sectors.

Recommendation

  • Deploy the Sigma rule "Entra ID MFA Disabled for User" to your SIEM and tune it for your environment to detect MFA disablement events in Azure audit logs.
  • Investigate any alerts generated by the Sigma rule to determine whether the MFA disablement was legitimate or malicious.
  • Review the permissions assigned to users who have the ability to disable MFA to ensure that the principle of least privilege is being followed.
  • Implement security defaults provided by Microsoft to enforce MFA for all users.
  • Correlate with Entra ID Sign-In Logs to identify anomalous sign-in attempts following MFA disablement as described in the overview.
  • Enable Azure Audit Logs and ensure they are being collected and analyzed by your SIEM as this is the primary source for this detection.

Detection coverage 2

Entra ID MFA Disabled for User

medium

Detects when multi-factor authentication (MFA) is disabled for an Entra ID user account.

sigma tactics: credential_access, defense_evasion, persistence techniques: T1556.006 sources: audit, azure

Entra ID MFA Deletion Confirmation

medium

Detects an Entra ID MFA deletion event confirmed via user security info.

sigma tactics: credential_access, defense_evasion, persistence techniques: T1556.006 sources: audit, azure

Detection queries are available on the platform. Get full rules →