Skip to content

Update Conditional Access Policy

Azure

Update Conditional Access Policy

service: Azure - Microsoft Entra ID
techniques:

Event

Modifies an existing Conditional Access policy, changing the conditions or controls that govern how users authenticate.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. draco@fantasticlogs.cloud modifies the existing CA policy CA001 — Require MFA for all admins, adding his own user objectId to the users.excludeUsers list. The policy now excludes Draco from the MFA requirement, letting him authenticate to admin endpoints with only password. Classic T1556 (Modify Authentication Process) attack pattern.

{
"id": "Directory_90000000-0000-4000-8000-000100011110_8F3D9_71022874",
"category": "Policy",
"correlationId": "90000000-0000-4000-8000-000100011110",
"result": "success",
"resultReason": "",
"activityDisplayName": "Update conditional access policy",
"activityDateTime": "2026-04-15T18:14:55.4128088Z",
"loggedByService": "Conditional Access",
"operationType": "Update",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "60000000-0000-4000-8000-000011101100",
"displayName": "CA001 - Require MFA for all admins",
"type": "Policy",
"userPrincipalName": null,
"groupType": null,
"modifiedProperties": [
{
"displayName": "ConditionalAccessPolicy",
"oldValue": "{\"id\":\"60000000-0000-4000-8000-000011101100\",\"displayName\":\"CA001 - Require MFA for all admins\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeRoles\":[\"62e90394-69f5-4237-9190-012177145e10\",\"e8611ab8-c189-46e8-94e1-60213ab1f814\",\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\",\"fe930be7-5e62-47db-91af-98c3a49a38b1\"],\"excludeUsers\":[\"30000000-0000-4000-8000-000000000001\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}",
"newValue": "{\"id\":\"60000000-0000-4000-8000-000011101100\",\"displayName\":\"CA001 - Require MFA for all admins\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeRoles\":[\"62e90394-69f5-4237-9190-012177145e10\",\"e8611ab8-c189-46e8-94e1-60213ab1f814\",\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\",\"fe930be7-5e62-47db-91af-98c3a49a38b1\"],\"excludeUsers\":[\"30000000-0000-4000-8000-000000000001\",\"30000000-0000-4000-8000-001010011010\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}"
}
]
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
}
]
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...