Skip to content
Threat Feed
medium advisory

Entra ID External Authentication Methods (EAM) Modified

Modification of Entra ID external authentication methods (EAM) via the Microsoft Graph API can allow attackers to bypass multi-factor authentication (MFA) and establish persistence or gain unauthorized access via bring-your-own IdP (BYOIDP) methods.

Attackers are increasingly targeting cloud identity providers to establish persistence and bypass security controls. This rule detects modifications to external authentication methods (EAMs) within Microsoft Entra ID, leveraging the Microsoft Graph API. The activity is focused on manipulating authentication policies to allow attackers to bypass multi-factor authentication (MFA) requirements. Successful modification of EAMs can enable adversaries to use bring-your-own identity provider (BYOIDP) methods, granting them unauthorized access to user accounts and sensitive resources. The targeted scope is Entra ID environments, and the activity involves the use of PATCH requests to the /authenticationMethodsPolicy endpoint.

Attack Chain

  1. An attacker compromises an account with sufficient privileges to modify Entra ID authentication settings.
  2. The attacker authenticates to Azure using the compromised account's credentials.
  3. The attacker crafts a PATCH request to the Microsoft Graph API endpoint /authenticationMethodsPolicy.
  4. The PATCH request modifies the configuration of external authentication methods (EAMs) within Entra ID.
  5. The attacker leverages privileged scopes such as AuthenticationMethod.ReadWrite.All for the request.
  6. The attacker successfully bypasses MFA for targeted user accounts using the modified EAM settings.
  7. The attacker gains unauthorized access to sensitive resources within the Entra ID environment.
  8. The attacker maintains persistence by continually using the modified authentication methods.

Impact

Successful exploitation can lead to unauthorized access to sensitive data and systems within the Entra ID environment. Attackers can establish persistent access, even if the original compromised account is remediated. The impact spans across any applications and resources relying on Entra ID for authentication. Depending on the compromised account's permissions, the attacker could potentially escalate privileges and gain control over the entire Entra ID tenant.

Recommendation

  • Deploy the Sigma rule "Entra ID External Authentication Methods (EAM) Modified" to detect modifications to authentication policies (rule.query).
  • Investigate any detected activity where http.request.method is "PATCH" and url.path contains authenticationMethodsPolicy (rule.query).
  • Review and restrict the assignment of the AuthenticationMethod.ReadWrite.All scope to service principals to limit the potential for abuse (references).
  • Monitor Azure Graph Activity logs for unusual activity related to EAM settings and correlate with other identity-related events (rule.index).
  • Implement stricter RBAC or conditional access policies to prevent unauthorized EAM changes in the future (references).

Detection coverage 2

Entra ID External Authentication Methods (EAM) Modified

medium

Detects modifications to external authentication methods (EAMs) in Microsoft Entra ID via the Microsoft Graph API, indicating potential MFA bypass and persistence attempts.

sigma tactics: persistence techniques: T1556.009 sources: webserver, linux

Entra ID Graph API Request with AuthenticationMethod.ReadWrite.All Scope

medium

Detects Graph API requests using the AuthenticationMethod.ReadWrite.All scope, which is required to manage authentication methods.

sigma tactics: persistence techniques: T1556.009 sources: webserver, linux

Detection queries are available on the platform. Get full rules →