Skip to content

Disable Strong Authentication

Azure

Disable Strong Authentication

service: Azure - Microsoft Entra ID
tactics:
techniques:

Event

Disables multi-factor authentication for a user account, weakening authentication security.

Security Context

  • Disabling MFA removes the second authentication factor, making the account vulnerable to password-only attacks and enabling persistent access with stolen credentials alone.
  • Adversaries disable MFA on compromised accounts to ensure continued access even if the password is changed, and to avoid triggering MFA challenges during automated operations.

Log Source

Entra ID Audit Logs

Sample Event

Compromised user draco@fantasticlogs.cloud (already privileged from an earlier elevateAccess call) hits the legacy per-user MFA endpoint to disable Strong Authentication on his own account, ensuring stolen credentials alone are sufficient for future logins (T1556). The PowerShell user-agent reflects the legacy MSOnline path most red-team playbooks still use.

{
"id": "Directory_90000000-0000-4000-8000-001010011100_8E4F2_91187533",
"category": "UserManagement",
"correlationId": "90000000-0000-4000-8000-001010011100",
"result": "success",
"resultReason": "",
"activityDisplayName": "Disable Strong Authentication",
"activityDateTime": "2026-04-15T18:04:51.6037229Z",
"loggedByService": "Core Directory",
"operationType": "Update",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"type": "User",
"userPrincipalName": "draco@fantasticlogs.cloud",
"groupType": null,
"modifiedProperties": [
{
"displayName": "StrongAuthenticationRequirement",
"oldValue": "[{\"State\":1,\"RememberDevicesNotIssuedBefore\":\"2026-01-15T00:00:00Z\"}]",
"newValue": "[]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"StrongAuthenticationRequirement\""
}
]
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "Mozilla/5.0 (Windows NT; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.1"
}
]
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...