Azure AD: Users Are Bypassing Your MFA

April 19, 2022
John Mancini
Product Management at Vectra AI

Securing Azure AD With the Vectra Platform

To help security teams validate the effectiveness of their Azure AD security controls and stop future attacks, the Vectra platform continuously monitors user activity and reveals any instances of users bypassing multifactor authentication (MFA) and other preventative controls.

Securing an Azure AD tenant is a challenging task for any security team. A look at the deployment and management of MFA alone shows there are countless settings and access policies that need to be considered and fine-tuned. It is no easy task to configure a tenant without leaving any gaps that a future attacker could abuse – while still meeting the needs of both the business and the users.

Challenges of Securing Azure AD With MFA

Vectra sees this challenge every day across the more than one million users in hundreds of organizations that we monitor and protect:

  • In 99% of the tenants, Vectra sees accounts actively leveraging legacy protocols that cannot have MFA applied.
  • In 66% of the tenants, Vectra sees accounts installing OAuth applications, which grant continuous access to user data without any MFA authentication.
  • In 97% of the tenants, Vectra sees accounts accessing risky native power tools like PowerShell or the Graph API, which enable high-impact backend changes to environments and pave the way for complex attacks.
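The first finding above, legacy-protocol sign-ins that complete without MFA, can be checked against a tenant's own sign-in logs. The following is an added example, not Vectra's code: it assumes records exported with Microsoft Graph `signIn` field names, and the modern-client list, the sample records and the function names are constructed for illustration.

```python
from collections import defaultdict

# Assumption: these two clientAppUsed values mean modern authentication; any
# other non-empty value is treated as a legacy protocol.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
SFA = "singleFactorAuthentication"
MFA = "multiFactorAuthentication"

def _rec(user, client, requirement, error_code, country):
    """Build a constructed record using Microsoft Graph signIn field names."""
    return {"userPrincipalName": user, "clientAppUsed": client,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error_code},
            "location": {"countryOrRegion": country}}

# Constructed sample data, not taken from any real tenant.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "IMAP4", SFA, 0, "US"),
    _rec("alice@example.com", "IMAP4", SFA, 0, "RO"),
    _rec("bob@example.com", "Browser", MFA, 0, "US"),
    _rec("carol@example.com", "POP3", SFA, 50126, "US"),   # failed sign-in
    _rec("dave@example.com", "", SFA, 0, "US"),            # client not recorded
    _rec("erin@example.com", "Exchange ActiveSync", SFA, 0, "DE"),
]

def legacy_signins_without_mfa(records):
    """Map each user to the legacy protocols, locations and count of their
    successful single-factor sign-ins."""
    findings = defaultdict(lambda: {"protocols": set(), "locations": set(), "count": 0})
    for rec in records:
        client = (rec.get("clientAppUsed") or "").strip()
        if not client or client in MODERN_CLIENTS:
            continue  # modern client, or client type not recorded
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # failed attempt: no access was granted
        if rec.get("authenticationRequirement") != SFA:
            continue  # MFA was required for this sign-in
        entry = findings[rec.get("userPrincipalName") or "<unknown>"]
        entry["protocols"].add(client)
        country = (rec.get("location") or {}).get("countryOrRegion")
        entry["locations"].add(country or "unknown")
        entry["count"] += 1
    return dict(findings)

if __name__ == "__main__":
    for user, f in sorted(legacy_signins_without_mfa(SAMPLE_SIGNINS).items()):
        print(user, f["count"], sorted(f["protocols"]), sorted(f["locations"]))
```

Accounts that appear in the result are the ones to review before blocking legacy authentication, since each has a working dependency on a protocol that cannot have MFA applied.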

How Vectra’s Platform Helps to Secure Your Azure AD

Vectra’s continuous monitoring enables security teams to understand (1) whether access events like these are occurring in their tenant, (2) who is responsible, and (3) the location of each event. This information enables the teams to validate their security controls against what users are doing and make data-informed improvements to stop future attacks. This monitoring works alongside Vectra's threat-detection functionality to help teams fully secure their Azure AD and M365 environments.

Watch the video to see this functionality in action.

This 24/7 active tenant monitoring delivered by the Vectra Platform can be paired with the software as a service (SaaS) posture management analysis provided by Siriux to further enhance a team’s Azure AD security. Siriux also provides recommendations to improve a tenant’s posture based upon their unique insights into attacker kill chains. Once a tenant has been hardened with Siriux’s prioritized security recommendations, the Vectra platform allows security teams to understand how those changes protect users and more easily validate all configuration changes made to the tenant. Together, the two solutions provide a one-two punch that allows security teams to use best-in-class technologies to stay one step ahead of would-be attackers.