Lateral movement
Azure AD Suspicious Device Registration
Detection overview
The “Azure AD Suspicious Device Registration” detection alerts security teams to the registration of a new device in Azure Active Directory under potentially suspicious circumstances. This detection can indicate attempts to maintain unauthorized persistence within an organization’s Azure AD environment by attackers who have already gained some level of account access.
Triggers
- A new device has suspiciously been registered to an account which may provide an attacker with persistent access to your tenant.
Possible Root Causes
- An attacker may have compromised an account and registered a new device in the environment to maintain continued persistence. By registering a new device in the tenant, the attacker’s ongoing access may be extended beyond the method of initial compromise.
- A legitimate user might have registered a new personal or official work device under unexpected circumstances.
Business Impact
- An attacker who controls tenant-registered devices could bypass policies related to login requirements and access, enabling persistent access to cloud and potentially network data.
Steps to Verify
- Review whether the location of the registration and device type aligns with the user’s expected activity.
- Consult the available logs to determine if the activity prior to the registration is as expected. • Reach out to the account owner to confirm that they registered the device.
Azure AD Suspicious Device Registration
Possible root causes
Malicious Detection
Attackers who gain access to an account may register their own device to maintain persistent access, effectively bypassing certain security policies, such as Multi-Factor Authentication (MFA). This allows the attacker to avoid re-entering compromised credentials while blending in with regular account activity.
Benign Detection
Legitimate users might also register new devices unexpectedly, such as when adding a new work device or personal phone. Such behavior is typically routine but may occasionally appear suspicious if the device registration circumstances are unusual.
Azure AD Suspicious Device Registration
Example scenarios
1. Suspicious Location Registration
An employee's account registers a new device from an international location unusual for the account owner’s normal operations. This activity might indicate unauthorized access by an attacker attempting to register a personal device for ongoing access.
2. Inconsistent Device Type
An account assigned to an office-based role registers a mobile device that appears unrelated to their work environment, potentially signaling a compromised account or unauthorized personal device access.
Azure AD Suspicious Device Registration
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Persistent unauthorized access
Attackers with device-level access can exploit this foothold for ongoing data exfiltration and may evade certain policy-based restrictions on account access.
Increased compliance risks
Unmonitored devices accessing Azure AD pose compliance risks, potentially violating data protection requirements if unauthorized access occurs.
Increased risk to data and cloud resources
An attacker could leverage the registered device to access sensitive applications or resources, exposing business-critical data to unauthorized parties.
Azure AD Suspicious Device Registration
Steps to investigate
Confirm registration location and device type
Verify that the location and device type associated with the registration align with expected user activity.
Examine preceding activities
Review logs and authentication events before registration to identify any unusual behavior that may suggest a compromised account.
Contact the account owner
Directly confirm with the account holder whether they initiated the device registration.
Monitor for related suspicious activities
Continuously monitor the account and associated device for any further suspicious behaviors, such as abnormal login times or access to sensitive resources.
Azure AD Suspicious Device Registration
Related detections
FAQs
What is considered suspicious in a device registration event?
A device registered from an unfamiliar location or with an unknown device type often raises flags.
How can an attacker benefit from device registration in Azure AD?
It allows attackers to establish persistence, bypass login restrictions, and maintain access even if other security controls are applied.
What is the first step if this detection is triggered?
First, verify the registration details against expected user activity and contact the user if any inconsistencies are found.
Does this detection mean the account is compromised?
Not necessarily; legitimate users may sometimes trigger this detection. However, it’s important to investigate to rule out malicious activity.
How can I distinguish between an employee and attacker device registration?
Analyzing the device's registration context, such as location, timing, and prior activity, helps distinguish between legitimate and unauthorized registrations.
Could this be triggered by a corporate device update?
Yes, if employees register new corporate devices, especially from offsite locations, this detection might be triggered.
Is there a specific log to review for more details?
Azure AD audit logs are valuable for identifying the device registration’s origin, timing, and associated account.
Should I disable the device immediately?
Disabling the device without verification may disrupt legitimate user access; instead, start by confirming with the user and reviewing registration logs.
How often should this detection be reviewed?
Ideally, review all suspicious device registrations immediately and periodically reassess devices in Azure AD for unauthorized persistence.
What are some other detections associated with account persistence?
Suspicious MFA registrations, trusted IP modifications, and unusual sign-ins are also indicative of account persistence efforts.