Update Conditional Access Policy
Event
Modifies an existing Conditional Access policy, changing the conditions or controls that govern how users authenticate.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
Entra ID Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion
Techniques:
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...
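The event alone says only that a policy changed, so a detection has to compare the old and new policy to tell a rename from a weakening. The following is an added example, not part of the original entry or any vendor code, that flags updates which take a policy out of enforcement, drop a grant control, or add exclusions. It assumes the audit record carries the old and new policy as JSON strings under `targetResources[].modifiedProperties`; those field names, the policy fields, and all sample values are assumptions or constructed data.

```python
import json

def _controls(policy):
    return (policy.get("grantControls") or {}).get("builtInControls") or []
def _users(policy):
    return (policy.get("conditions") or {}).get("users") or {}

def weakening_findings(record):
    """List the ways one audit record loosened a Conditional Access policy."""
    if record.get("activityDisplayName", "").lower() != "update conditional access policy":
        return []
    findings = []
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            try:  # old/new policy arrive as JSON strings (assumed layout)
                old = json.loads(prop.get("oldValue") or "{}")
                new = json.loads(prop.get("newValue") or "{}")
            except json.JSONDecodeError:
                findings.append("policy value could not be parsed")
                continue
            if not (isinstance(old, dict) and isinstance(new, dict)):
                continue
            if old.get("state") == "enabled" and new.get("state") != "enabled":
                findings.append(f"state: enabled -> {new.get('state')}")
            lost = set(_controls(old)) - set(_controls(new))
            if lost:
                findings.append("grant controls removed: " + ", ".join(sorted(lost)))
            for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
                added = set(_users(new).get(key) or []) - set(_users(old).get(key) or [])
                if added:
                    findings.append(f"{key} added: " + ", ".join(sorted(added)))
    return findings

def make_record(old, new):
    """Build a constructed audit record; every value here is made up."""
    prop = {"displayName": "ConditionalAccessPolicy",
            "oldValue": json.dumps(old), "newValue": json.dumps(new)}
    return {"activityDisplayName": "Update conditional access policy",
            "targetResources": [{"modifiedProperties": [prop]}]}

BASE = {"displayName": "Require MFA for admins", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
RENAMED = make_record(BASE, {**BASE, "displayName": "Require MFA (admins)"})
DISABLED = make_record(BASE, {**BASE, "state": "disabled"})
EXCLUDED = make_record(BASE, {**BASE, "conditions": {"users": {"excludeUsers": ["user-42"]}}})
if __name__ == "__main__":
    for name, rec in [("renamed", RENAMED), ("disabled", DISABLED), ("excluded", EXCLUDED)]:
        print(name, weakening_findings(rec))
```

A rename yields no findings, while the disabled and excluded samples each yield one; route non-empty results to review together with the initiating identity from the same record.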