Disable Strong Authentication
Event
Disables multi-factor authentication for a user account, weakening authentication security.
Security Context
- Disabling MFA removes the second authentication factor, making the account vulnerable to password-only attacks and enabling persistent access with stolen credentials alone.
- Adversaries disable MFA on compromised accounts to ensure continued access even if the password is changed, and to avoid triggering MFA challenges during automated operations.
Log Source
Entra ID Audit Logs
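An added example, not part of the original page or of any vendor tooling: Python detection logic for this event over exported Entra ID audit records. It assumes the records use the Microsoft Graph directoryAudit JSON field names; the sample records, the function names and the self_initiated triage flag are constructed for illustration.

```python
import json

ACTIVITY = "Disable Strong Authentication"  # activity name documented on this page

# Constructed sample records (Microsoft Graph directoryAudit shape); every
# account, address and timestamp below is made up for this example.
SAMPLE_AUDIT_JSON = """[
 {"activityDateTime": "2024-05-01T10:02:11Z", "activityDisplayName": "Disable Strong Authentication",
  "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com", "ipAddress": "198.51.100.7"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com"}]},
 {"activityDateTime": "2024-05-01T23:41:50Z", "activityDisplayName": "Disable Strong Authentication",
  "result": "success", "initiatedBy": {"user": {"userPrincipalName": "Bob@example.com", "ipAddress": "203.0.113.40"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}]},
 {"activityDateTime": "2024-05-02T01:15:03Z", "activityDisplayName": "Disable Strong Authentication",
  "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.40"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "dave@example.com"}]},
 {"activityDateTime": "2024-05-02T08:00:00Z", "activityDisplayName": "Update user",
  "result": "success", "initiatedBy": {"user": null, "app": {"displayName": "Sync Service"}},
  "targetResources": [{"type": "User", "userPrincipalName": "erin@example.com"}]}
]"""

def initiator(record):
    """Return (name, ip); an audit record is initiated by a user or an app."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    name = user.get("userPrincipalName") or app.get("displayName") or "unknown"
    return name, user.get("ipAddress")

def find_mfa_disable_events(records):
    """Return one finding per user whose MFA was successfully disabled."""
    findings = []
    for rec in records:
        if (rec.get("activityDisplayName") or "").lower() != ACTIVITY.lower():
            continue
        if (rec.get("result") or "").lower() != "success":
            continue  # failed attempts changed nothing; review them separately
        actor, ip = initiator(rec)
        for target in rec.get("targetResources") or []:
            upn = target.get("userPrincipalName")
            if upn:
                findings.append({
                    "time": rec.get("activityDateTime"), "actor": actor, "source_ip": ip, "target": upn,
                    # Triage hint chosen for this example: the account changed itself.
                    "self_initiated": actor.lower() == upn.lower(),
                })
    return findings

if __name__ == "__main__":
    print(*find_mfa_disable_events(json.loads(SAMPLE_AUDIT_JSON)), sep="\n")
```
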
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...