Disable Strong Authentication
Azure
Disable Strong Authentication
Event
Disables multi-factor authentication for a user account, weakening authentication security.
Security Context
- Disabling MFA removes the second authentication factor, making the account vulnerable to password-only attacks and enabling persistent access with stolen credentials alone.
- Adversaries disable MFA on compromised accounts to ensure continued access even if the password is changed, and to avoid triggering MFA challenges during automated operations.
Log Source
Entra ID Audit Logs
Sample Event
Compromised user draco@fantasticlogs.cloud (already privileged from an earlier elevateAccess call) hits the legacy per-user MFA endpoint to disable Strong Authentication on his own account, ensuring stolen credentials alone are sufficient for future logins (T1556). The PowerShell user-agent reflects the legacy MSOnline path most red-team playbooks still use.
{ "id": "Directory_90000000-0000-4000-8000-001010011100_8E4F2_91187533", "category": "UserManagement", "correlationId": "90000000-0000-4000-8000-001010011100", "result": "success", "resultReason": "", "activityDisplayName": "Disable Strong Authentication", "activityDateTime": "2026-04-15T18:04:51.6037229Z", "loggedByService": "Core Directory", "operationType": "Update", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "type": "User", "userPrincipalName": "draco@fantasticlogs.cloud", "groupType": null, "modifiedProperties": [ { "displayName": "StrongAuthenticationRequirement", "oldValue": "[{\"State\":1,\"RememberDevicesNotIssuedBefore\":\"2026-01-15T00:00:00Z\"}]", "newValue": "[]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"StrongAuthenticationRequirement\"" } ] } ], "additionalDetails": [ { "key": "User-Agent", "value": "Mozilla/5.0 (Windows NT; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.1" } ]}MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...