Azure AD Change to Trusted IP Configuration

Detection overview

Triggers

  • A change to a trusted IP configuration in Azure was observed, either in the Azure AD Known Networks configuration or in the trusted networks configuration for multi-factor authentication (MFA).

Possible Root Causes

  • Attackers may add networks to the trusted network ranges so that they can bypass security controls under conditional access policies or bypass MFA requirements.
  • System administrators may add trusted networks to allow trusted environments to have different security policies applied to them.

Business Impact

  • Modifications to the trusted network configuration may introduce risks by allowing particular IP addresses/ranges to bypass critical security controls.
  • Trusted IPs let an organization trade some security for usability, but when abused or misconfigured they can increase risk to the organization by disabling expected security controls.

Steps to Verify

  • Investigate the IP addresses to determine if they should be trusted by the organization.
  • Contact the owner of the account that made the change to verify it was done legitimately.
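
The first verification step can be partly automated by comparing the ranges a change newly trusts against the ranges the organization has already approved. The following is an added example, not part of the original detection content: the event shape (`actor`, `old_ranges`, `new_ranges`), the approved list and the prefix-length policy are assumptions, and real audit log records would need to be mapped into this shape first.

```python
import ipaddress

# Assumption: egress ranges the organization has approved as trusted (constructed values).
APPROVED = ["203.0.113.0/24", "2001:db8:100::/48"]
# Assumption: policy floor per IP version; anything broader is flagged for review.
MIN_PREFIX = {4: 24, 6: 48}

# Constructed sample events in a simplified, hypothetical shape.
SAMPLE_EVENTS = [
    {"actor": "admin@example.com",
     "old_ranges": ["203.0.113.0/24"],
     "new_ranges": ["203.0.113.0/24", "203.0.113.128/25"]},
    {"actor": "helpdesk@example.com",
     "old_ranges": ["203.0.113.0/24"],
     "new_ranges": ["203.0.113.0/24", "198.51.100.7/32", "192.0.0.0/8"]},
]

def _nets(cidrs):
    # strict=False accepts entries written with host bits set, e.g. 192.0.2.5/24
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def _covered(net, approved):
    # subnet_of() raises TypeError across IP versions, so compare versions first
    return any(net.version == a.version and net.subnet_of(a) for a in approved)

def review_change(event, approved=APPROVED):
    """Return one finding per newly trusted range that needs human review."""
    approved_nets = _nets(approved)
    old = set(_nets(event["old_ranges"]))
    new = set(_nets(event["new_ranges"]))
    findings = []
    # Sort by string: IPv4 and IPv6 network objects cannot be ordered together
    for net in sorted(new - old, key=str):
        reasons = []
        if not _covered(net, approved_nets):
            reasons.append("not within an approved range")
        if net.prefixlen < MIN_PREFIX[net.version]:
            reasons.append("broader than policy allows")
        if reasons:
            findings.append({"actor": event["actor"],
                             "range": str(net), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in review_change(ev):
            print(finding)
```

Each finding names the account that made the change, which is the account owner to contact in the second verification step.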

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:
