Azure AD Change to Trusted IP Configuration

Triggers

  • A change to a trusted IP configuration in Azure was observed in either the AzureAD Known Networks configuration or the configuration for trusted networks for multi-factor authentication.

Possible Root Causes

  • Attackers may add networks to the trusted network ranges to allow them to bypass security controls under conditional access policies or to bypass MFA requirements.
  • System administrators may add trusted networks to allow trusted environments to have different security policies applied to them.

Business Impact

  • Modifications to the trusted network configuration may introduce risks by allowing particular IP addresses/ranges to bypass critical security controls.
  • Configuring trusted IPs is a trade-off in favor of usability over security; when abused or misconfigured, it can increase risk to an organization by disabling expected security controls.

Steps to Verify

  • Investigate the IP addresses to determine if they should be trusted by the organization.
  • Contact the owner of the account that made the change to verify it was done legitimately.
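
One way to carry out the first verification step, as an added example that is not part of the original detection page: it compares the trusted ranges before and after the change against an inventory of ranges the organization controls. The inventory, the sample ranges, and the verdict labels are constructed assumptions.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not from a real tenant.
ORG_OWNED = ["203.0.113.0/24", "198.51.100.0/25"]  # assumed inventory of org egress ranges
BEFORE = ["203.0.113.0/26"]                         # trusted ranges before the change
AFTER = ["203.0.113.0/26", "203.0.113.64/26", "198.51.100.0/24", "192.0.2.44/32"]

def _collapse(cidrs):
    """Parse CIDR strings and merge them into minimal disjoint networks per IP version."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def _covered(net, pool):
    """True if every address in net lies inside one of the collapsed pool networks."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def review_change(before, after, org_owned):
    """Return {cidr: verdict} for every merged range that contains newly trusted addresses."""
    old, owned = _collapse(before), _collapse(org_owned)
    findings = {}
    for net in _collapse(after):
        if _covered(net, old):
            continue  # no new addresses became trusted
        if _covered(net, owned):
            findings[str(net)] = "org-owned"
        elif any(net.overlaps(o) for o in owned if o.version == net.version):
            # Part of the range is ours, but it also trusts addresses we do not control.
            findings[str(net)] = "extends-beyond-org-range"
        else:
            findings[str(net)] = "unknown-network"
    return findings

if __name__ == "__main__":
    for cidr, verdict in review_change(BEFORE, AFTER, ORG_OWNED).items():
        print(f"{cidr:20} {verdict}")
```

Ranges reported as anything other than `org-owned` are the ones to raise with the owner of the account that made the change.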