Identity and Access Management

Azure AD MFA Disabled

Detection overview

The "Azure AD MFA Disabled" detection focuses on identifying instances where Multi-Factor Authentication (MFA) is disabled for user accounts in Azure Active Directory (Azure AD). MFA is a critical security measure that adds an additional layer of protection beyond just passwords. Disabling MFA can significantly weaken account security, making it easier for attackers to gain unauthorized access.

Triggers

  • An account was observed disabling Multi-Factor Authentication (MFA) for another account.

Possible Root Causes

  • An attacker is disabling MFA on an account to bypass this security control as a means of maintaining or acquiring additional access to the environment.
  • Administrators may disable MFA for accounts used by automated processes, or temporarily so that a user can regain access to the environment after losing their second-factor device.

Business Impact

  • MFA is a critical security control; bypassing it may indicate an active threat in the environment or increase the risk of the account being compromised in the future.
  • Compromised accounts give attackers access to critical systems and data, which may be stolen, modified, or deleted.

Steps to Verify

  • Review the account and internal policy to determine if MFA should be enabled for this account.
  • Verify the action of disabling MFA on this account was intentional and followed internal security policies and change control processes.

Possible root causes

Malicious Detection

  • An attacker has gained access to an administrative account and is disabling MFA to facilitate unauthorized access.
  • Compromised credentials of a user with privileges to modify MFA settings.
  • Insider threat where an employee intentionally disables MFA for malicious purposes.

Benign Detection

  • Administrative tasks involving the temporary disabling of MFA for troubleshooting or support purposes.
  • Scheduled security assessments or penetration tests.
  • Misconfiguration or errors during legitimate administrative tasks.

Example scenarios

Scenario 1: An attacker gains access to a compromised administrative account in Azure AD and disables MFA for multiple user accounts to facilitate further unauthorized access. This detection is triggered by the sudden change in MFA settings.

Scenario 2: During a scheduled security assessment, the penetration testing team disables MFA for specific test accounts to evaluate the organization's detection and response capabilities. The detection is triggered, and the activity is verified as part of the assessment.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Account Compromise & Privilege Escalation

Easier unauthorized access to user accounts without the additional layer of MFA protection. Attackers can gain further access to sensitive resources and escalate their privileges within the network.

Data Breach & Operational Disruption

Increased risk of unauthorized access to sensitive data and critical systems. Potential for attackers to disrupt services and operations.

Compliance Violations

Non-compliance with security policies and regulations that mandate the use of MFA.

Steps to investigate

FAQs

What does disabling Azure AD MFA mean?

Disabling Azure AD MFA means turning off the multi-factor authentication requirement for user accounts, reducing the security protection provided by requiring a second form of verification beyond just passwords.

What are the common signs of unauthorized MFA disabling?

Signs include disabling MFA during non-business hours, from unfamiliar IP addresses, or by users who do not typically perform such administrative tasks.

Can legitimate activities trigger the detection of MFA being disabled?

Yes, routine administrative tasks, security assessments, or troubleshooting activities can trigger this detection. It’s important to verify the context of the activity.

How does Vectra AI detect the disabling of MFA in Azure AD?

Vectra AI uses advanced AI algorithms to analyze Azure AD activity and identify patterns indicative of MFA being disabled, correlating these with other suspicious behaviors.

What is the business impact of disabling MFA?

The primary risks are account compromise, privilege escalation, data breaches, operational disruptions, and compliance violations, which can lead to significant damage to the organization.

How can I detect when MFA is disabled in Azure AD?

Monitoring Azure AD logs for changes to MFA settings and setting up alerts for any instances of MFA being disabled can help detect these events.
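The following is an added example, not part of the original page or of Vectra AI's product, showing how the audit-log monitoring described here and the context signals listed earlier (non-business hours, unfamiliar IP, atypical actor) could be applied to Azure AD audit records. It assumes records in the Microsoft Graph directoryAudit shape, that per-user MFA changes surface as a "StrongAuthenticationRequirement" modified property with JSON-encoded State values, and placeholder baselines for trusted admins, corporate IP ranges, and business hours.

```python
import json
from datetime import datetime
# Constructed sample entries shaped like Azure AD audit log records (Microsoft Graph
# directoryAudit schema). Using "StrongAuthenticationRequirement" as the per-user MFA
# property, and its JSON-encoded State values, is an assumption for this example.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-05-14T10:15:00Z",  # Tuesday, business hours, known admin, corporate IP
     "initiatedBy": {"user": {"userPrincipalName": "alice.admin@example.com", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "bob@example.com", "modifiedProperties": [{
         "displayName": "StrongAuthenticationRequirement", "newValue": "[]",
         "oldValue": '[{"RelyingParty":"*","State":"Enforced"}]'}]}]},
    {"activityDateTime": "2024-05-15T02:40:00Z",  # 02:40 UTC, non-admin actor, unfamiliar IP
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"userPrincipalName": "dave@example.com", "modifiedProperties": [{
         "displayName": "StrongAuthenticationRequirement", "newValue": "[]",
         "oldValue": '[{"RelyingParty":"*","State":"Enabled"}]'}]}]},
]
MFA_ADMINS = {"alice.admin@example.com"}   # placeholder: accounts that normally change MFA
TRUSTED_IP_PREFIXES = ("203.0.113.",)     # placeholder: corporate egress ranges
BUSINESS_HOURS_UTC = range(8, 18)         # weekdays only

def mfa_states(value):
    """Set of MFA states ('Enabled'/'Enforced') encoded in a StrongAuthenticationRequirement value."""
    return {entry.get("State") for entry in json.loads(value or "[]")}

def mfa_disabled_targets(record):
    """UPNs in this record whose per-user MFA went from Enabled/Enforced to no requirement."""
    return [t["userPrincipalName"] for t in record.get("targetResources", [])
            for p in t.get("modifiedProperties", [])
            if p.get("displayName") == "StrongAuthenticationRequirement"
            and mfa_states(p.get("oldValue")) & {"Enabled", "Enforced"}
            and not mfa_states(p.get("newValue"))]

def risk_flags(record):
    """Context signals named in the FAQ: off-hours, unfamiliar source IP, atypical actor."""
    actor = record["initiatedBy"]["user"]
    when = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
    flags = []
    if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS_UTC:
        flags.append("off-hours")
    if not actor.get("ipAddress", "").startswith(TRUSTED_IP_PREFIXES):
        flags.append("unfamiliar-ip")
    if actor.get("userPrincipalName") not in MFA_ADMINS:
        flags.append("atypical-actor")
    return flags

def find_mfa_disables(records):
    """One finding per MFA-disable event: actor, target and the risk flags that apply."""
    return [{"actor": r["initiatedBy"]["user"]["userPrincipalName"], "target": t, "flags": risk_flags(r)}
            for r in records for t in mfa_disabled_targets(r)]
```

Each finding is still an event to verify against change control; the flags only prioritise which ones to look at first.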

Why is disabling MFA a significant threat?

Disabling MFA significantly weakens account security, making it easier for attackers to gain unauthorized access and perform malicious actions within the environment.

What steps should I take if I detect MFA being disabled?

Investigate the source of the change, verify if it was authorized, check for other signs of malicious activity, and re-enable MFA if it was disabled without proper authorization.

What tools can help verify the presence of unauthorized MFA disabling?

Tools like Azure AD Audit Logs, security information and event management (SIEM) systems, and specialized monitoring solutions can help identify unauthorized changes to MFA settings.

How can I prevent unauthorized disabling of MFA?

Implement strict access controls, regularly review admin privileges, monitor Azure AD activity, use strong authentication methods, and conduct regular audits of user activity.