Admin Registered Security Info
Azure
Admin Registered Security Info
Event
Records an administrator registering authentication methods (e.g., MFA) on behalf of another user in Entra ID.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised User Administrator account draco@fantasticlogs.cloud registers a new authentication method (a phone number under his control) on behalf of victim neville@fantasticlogs.cloud. Once an attacker-controlled MFA method exists on the victim’s account, the attacker can self-service-reset Neville’s password via SMS challenge — no further admin action needed. Maps to T1556.006 (Multi-Factor Authentication — modify auth method).
{ "id": "Directory_90000000-0000-4000-8000-000001101110_8B2A4_55397128", "category": "UserManagement", "correlationId": "90000000-0000-4000-8000-000001101110", "result": "success", "resultReason": "", "activityDisplayName": "Admin registered security info", "activityDateTime": "2026-04-15T19:14:02.7184310Z", "loggedByService": "Authentication Methods", "operationType": "Update", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "30000000-0000-4000-8000-000000000100", "displayName": "Neville Longbottom", "type": "User", "userPrincipalName": "neville@fantasticlogs.cloud", "groupType": null, "modifiedProperties": [] } ], "additionalDetails": [ { "key": "AuthenticationMethod", "value": "Phone" }, { "key": "UserAgent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" } ]}MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1556.006 — Multi-Factor Authentication — Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...