
Entra ID Conditional Access MFA Bypass with Unusual User, Client and Source ASN
Elastic Detection Rules
View SourceSummary
This rule detects the first observed sign-in to Microsoft Graph via a Microsoft first-party public client using single-factor, password-only authentication, in scenarios where a Conditional Access (CA) policy configured with an all-resources exclusion omits MFA enforcement. The reliable fingerprint is in the per-policy results: when an MFA grant control is present but returned as notApplied for a sign-in that used single-factor authentication, indicating MFA was silently skipped while a baseline User.Read/openid/profile/email token was issued to Graph. The detector anchors on the combination of user, application, and source ASN within a history window and uses the known first-party app owner tenant (app_owner_tenant_id) to cover all Microsoft-first-party clients (not tied to a fixed client ID). It relies on azure.signinlogs.properties.applied_conditional_access_policies.enforced_grant_controls: "Mfa" and .result: "notApplied", with authentication_requirement: "singleFactorAuthentication" and resource_id/display_name pointing to Microsoft Graph. The overall conditional_access_status is not a failure (sign-in is not blocked) and may show success or notApplied, which can obscure this bypass if one looks only at CA failures. The rule maps to MITRE ATT&CK techniques T1556 (Modify Authentication Process) with T1556.009 (Conditional Access) and T1078 (Valid Accounts, Cloud Accounts) and focuses on the cloud/identity domain. It includes a wide investigation workflow: confirm user identity and role, verify the app identity, evaluate source ASN/location, inspect applied conditional access policies, and correlate with graphactivitylogs for directory enumeration. The detection is designed to minimize false positives by restricting to new terms per (user, app, ASN) and by requiring specific CA policy results, while acknowledging legitimate first-party app usage and onboarding scenarios. Remediation emphasizes disabling the bypass, tightening all-resources CA policies, auditing CA exclusions, reviewing related Graph activity, and revoking tokens if unauthorized.
Categories
- Cloud
- Azure
- Identity Management
- Application
Data Sources
- Active Directory
ATT&CK Techniques
- T1556
- T1556.009
- T1078
- T1078.004
Created: 2026-06-22