User Removed from Group with Conditional Access Policy Modification Access
An attacker removes a user from a privileged Azure Active Directory group with permissions to modify Conditional Access policies, potentially leading to privilege escalation, persistence, or defense evasion.
This activity involves the removal of a user from an Azure Active Directory (Azure AD) group that possesses the ability to modify Conditional Access (CA) policies. Conditional Access policies are critical for enforcing organizational security standards and access controls. The removal of users from these groups can be an attempt by a malicious actor to disrupt security measures, escalate privileges, or establish persistence within the Azure environment. An attacker with sufficient privileges may remove legitimate administrators from CA policy modification groups to bypass multi-factor authentication or other controls, potentially gaining unauthorized access to sensitive resources. This activity is of concern to defenders as it can be a precursor to more significant compromises.
Attack Chain
- The attacker gains initial access to an Azure AD account with sufficient privileges, possibly through credential theft or account compromise.
- The attacker enumerates Azure AD groups to identify those with permissions to manage or modify Conditional Access policies.
- The attacker identifies a target user account that is a member of the identified privileged group.
- The attacker uses Azure AD administrative tools or PowerShell cmdlets to remove the target user from the privileged group.
- The Azure Audit Logs record the event “Remove member from group” related to the targeted group and user.
- The attacker modifies Conditional Access policies to weaken security controls, such as disabling multi-factor authentication or allowing access from untrusted locations.
- The attacker leverages the weakened security posture to gain unauthorized access to sensitive resources or data.
- The attacker establishes persistence by creating new, attacker-controlled accounts with high privileges or by modifying existing accounts to bypass security controls.
Impact
Successful removal of a user from a Conditional Access policy modification group can lead to significant security breaches. Attackers can weaken or disable MFA requirements, bypass location-based restrictions, and gain unauthorized access to sensitive applications and data. This can result in data exfiltration, financial loss, and reputational damage. The scope of the impact depends on the permissions assigned through the compromised Conditional Access policies.
Recommendation
- Deploy the Sigma rule “User Removed From Group With CA Policy Modification Access” to your SIEM to detect unauthorized removal of users from critical groups with CA modification access (logsource: azure, service: auditlogs).
- Investigate any alerts generated by the Sigma rule, focusing on the context of the removed user and the target group: who initiated the removal, whether a matching change request exists, and what other group or Conditional Access changes the same initiator made around that time.
- Implement multi-factor authentication (MFA) for all administrative accounts, including those with permissions to manage Conditional Access policies.
- Review and audit Azure AD group memberships regularly, especially for groups with elevated privileges.
- Monitor Azure AD audit logs for suspicious activity related to group membership changes and Conditional Access policy modifications (logsource: azure, service: auditlogs).
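As an added illustration (not the vendor's rule or code), the following Python applies the logic behind both listed detections, member removal and member addition, to constructed Azure AD audit-log records. The record layout, the group names in the watch-list and the sample events are all assumptions for this example.

```python
import json

# Constructed watch-list of CA-policy-capable groups (assumed names; use your inventory).
CA_POLICY_GROUPS = {"CA-Policy-Admins", "Security-Administrators"}

# operationName -> which side of the Group.DisplayName change names the group.
WATCHED_OPERATIONS = {"Remove member from group": "oldValue",
                      "Add member to group": "newValue"}

def ca_group_change(event):
    """Return (operation, initiator, member, group) when a successful add/remove
    touches a watched group, else None. The record layout is a simplified
    Azure AD audit-log shape (assumption): operationName, result,
    initiatedBy.user.userPrincipalName, targetResources[].modifiedProperties."""
    op = event.get("operationName")
    if op not in WATCHED_OPERATIONS or event.get("result") != "success":
        return None
    side = WATCHED_OPERATIONS[op]
    initiator = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
    for target in event.get("targetResources", []):
        if target.get("type") != "User":
            continue
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "Group.DisplayName":
                continue
            # Azure AD stores modifiedProperties values as JSON-encoded strings.
            group = json.loads(prop.get(side) or "null")
            if group in CA_POLICY_GROUPS:
                return (op, initiator, target.get("userPrincipalName", "?"), group)
    return None

def find_ca_group_changes(events):
    """Run the check over a batch of audit events and return the hits."""
    return [h for h in (ca_group_change(e) for e in events) if h]

def _event(op, initiator, member, group, side):
    """Build a constructed sample audit event in the assumed layout."""
    prop = {"displayName": "Group.DisplayName", "oldValue": None, "newValue": None}
    prop[side] = json.dumps(group)
    return {"operationName": op, "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": initiator}},
            "targetResources": [{"type": "User", "userPrincipalName": member,
                                 "modifiedProperties": [prop]}]}

# Constructed sample events (not real tenant data): one hit per watched operation, one benign removal.
SAMPLE_EVENTS = [
    _event("Remove member from group", "attacker@example.com", "ca-admin@example.com", "CA-Policy-Admins", "oldValue"),
    _event("Remove member from group", "hr-ops@example.com", "bob@example.com", "All-Staff", "oldValue"),
    _event("Add member to group", "attacker@example.com", "attacker@example.com", "CA-Policy-Admins", "newValue"),
]
```

Running `find_ca_group_changes(SAMPLE_EVENTS)` yields two hits, the removal of the CA admin and the attacker's self-addition, while the unrelated `All-Staff` removal is ignored; in production, feed the watch-list from a maintained inventory of groups that actually hold Conditional Access policy rights.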
Detection coverage 2
User Removed From Group With CA Policy Modification Access
Level: medium. Detects when a user is removed from a group that has Conditional Access policy modification access, which may indicate a privilege escalation attempt.
User Added To Group With CA Policy Modification Access
Level: medium. Detects when a user is added to a group that has Conditional Access policy modification access, which may indicate a privilege escalation attempt.