Lateral movement

Azure AD Suspicious Device Registration

Detection overview

The “Azure AD Suspicious Device Registration” detection alerts security teams to the registration of a new device in Azure Active Directory under potentially suspicious circumstances. This detection can indicate attempts to maintain unauthorized persistence within an organization’s Azure AD environment by attackers who have already gained some level of account access.

Triggers

  • A new device has been registered to an account under suspicious circumstances, which may provide an attacker with persistent access to your tenant.

Possible Root Causes

  • An attacker may have compromised an account and registered a new device in the environment to maintain continued persistence. By registering a new device in the tenant, the attacker’s ongoing access may be extended beyond the method of initial compromise.
  • A legitimate user might have registered a new personal or official work device under unexpected circumstances.

Business Impact

  • An attacker who controls tenant-registered devices could bypass policies related to login requirements and access, enabling persistent access to cloud and potentially network data.

Steps to Verify

  • Review whether the location of the registration and device type aligns with the user’s expected activity.
  • Consult the available logs to determine if the activity prior to the registration is as expected.
  • Reach out to the account owner to confirm that they registered the device.

Possible root causes

Malicious Detection

Attackers who gain access to an account may register their own device to maintain persistent access, effectively bypassing certain security policies, such as Multi-Factor Authentication (MFA). This allows the attacker to avoid re-entering compromised credentials while blending in with regular account activity.

Benign Detection

Legitimate users might also register new devices unexpectedly, such as when adding a new work device or personal phone. Such behavior is typically routine but may occasionally appear suspicious if the device registration circumstances are unusual.

Example scenarios

1. Suspicious Location Registration

An employee's account registers a new device from an international location unusual for the account owner’s normal operations. This activity might indicate unauthorized access by an attacker attempting to register a personal device for ongoing access.

2. Inconsistent Device Type

An account assigned to an office-based role registers a mobile device that appears unrelated to their work environment, potentially signaling a compromised account or unauthorized personal device access.
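The two scenarios above and the "Steps to Verify" both reduce to comparing a registration against the user's known countries and device types. The following is an added example (not the vendor's detection logic) that runs that comparison over constructed records; the field names are a simplified, assumed subset of what the Azure AD audit and sign-in logs provide, and the baseline is assumed to have been built from recent sign-ins.

```python
# Added example: flag new Azure AD device registrations that do not match a
# user's baseline of countries and device types. Records, baseline and field
# names below are constructed/simplified for illustration, not a real schema.

# Constructed sample: one record per "Register device" audit event, joined with
# the country and OS of the sign-in that performed the registration.
REGISTRATIONS = [
    {"time": "2024-05-02T09:12:00Z", "user": "alice@example.com",
     "device": "ALICE-LAPTOP-02", "os": "Windows", "country": "US"},
    {"time": "2024-05-02T23:40:00Z", "user": "alice@example.com",
     "device": "iPhone", "os": "iOS", "country": "NG"},
    {"time": "2024-05-03T08:05:00Z", "user": "bob@example.com",
     "device": "BOB-DESKTOP", "os": "Windows", "country": "US"},
    {"time": "2024-05-03T10:30:00Z", "user": "carol@example.com",
     "device": "CAROL-PC", "os": "Windows", "country": "US"},
]

# Constructed baseline: countries and OS families each user signed in from
# during the trailing period (in practice derived from the sign-in logs).
BASELINE = {
    "alice@example.com": {"countries": {"US"}, "os": {"Windows"}},
    "bob@example.com": {"countries": {"US", "CA"}, "os": {"Windows", "iOS"}},
}


def assess_registration(event, baseline):
    """Return the reasons a registration looks suspicious (empty list if none)."""
    profile = baseline.get(event["user"])
    if profile is None:
        # No history at all: cannot say it aligns with expected activity.
        return ["no sign-in baseline for user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"registration from unseen country {event['country']}")
    if event["os"] not in profile["os"]:
        reasons.append(f"device type {event['os']} not previously used")
    return reasons


def suspicious_registrations(events, baseline):
    """Map (user, device) of each flagged registration to its reasons."""
    return {(e["user"], e["device"]): r
            for e in events if (r := assess_registration(e, baseline))}


if __name__ == "__main__":
    for (user, device), reasons in suspicious_registrations(REGISTRATIONS, BASELINE).items():
        print(f"{user} registered {device}: " + "; ".join(reasons))
```

Flagged entries still need the last verification step on the page: confirmation with the account owner, since a new personal phone produces the same signals as an attacker's device.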

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Persistent unauthorized access

Attackers with device-level access can exploit this foothold for ongoing data exfiltration and may evade certain policy-based restrictions on account access.

Increased compliance risks

Unmonitored devices accessing Azure AD pose compliance risks, potentially violating data protection requirements if unauthorized access occurs.

Increased risk to data and cloud resources

An attacker could leverage the registered device to access sensitive applications or resources, exposing business-critical data to unauthorized parties.

Steps to investigate

MITRE ATT&CK techniques covered

FAQs

What is considered suspicious in a device registration event?

How can an attacker benefit from device registration in Azure AD?

What is the first step if this detection is triggered?

Does this detection mean the account is compromised?

How can I distinguish between an employee and attacker device registration?

Could this be triggered by a corporate device update?

Is there a specific log to review for more details?

Should I disable the device immediately?

How often should this detection be reviewed?

What are some other detections associated with account persistence?