Update Conditional Access Policy
Azure
Update Conditional Access Policy
Event
Modifies an existing Conditional Access policy, changing the conditions or controls that govern how users authenticate.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. draco@fantasticlogs.cloud modifies the existing CA policy CA001 — Require MFA for all admins, adding his own user objectId to the users.excludeUsers list. The policy now excludes Draco from the MFA requirement, letting him authenticate to admin endpoints with only password. Classic T1556 (Modify Authentication Process) attack pattern.
{ "id": "Directory_90000000-0000-4000-8000-000100011110_8F3D9_71022874", "category": "Policy", "correlationId": "90000000-0000-4000-8000-000100011110", "result": "success", "resultReason": "", "activityDisplayName": "Update conditional access policy", "activityDateTime": "2026-04-15T18:14:55.4128088Z", "loggedByService": "Conditional Access", "operationType": "Update", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "60000000-0000-4000-8000-000011101100", "displayName": "CA001 - Require MFA for all admins", "type": "Policy", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "ConditionalAccessPolicy", "oldValue": "{\"id\":\"60000000-0000-4000-8000-000011101100\",\"displayName\":\"CA001 - Require MFA for all admins\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeRoles\":[\"62e90394-69f5-4237-9190-012177145e10\",\"e8611ab8-c189-46e8-94e1-60213ab1f814\",\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\",\"fe930be7-5e62-47db-91af-98c3a49a38b1\"],\"excludeUsers\":[\"30000000-0000-4000-8000-000000000001\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}", "newValue": "{\"id\":\"60000000-0000-4000-8000-000011101100\",\"displayName\":\"CA001 - Require MFA for all admins\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeRoles\":[\"62e90394-69f5-4237-9190-012177145e10\",\"e8611ab8-c189-46e8-94e1-60213ab1f814\",\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\",\"fe930be7-5e62-47db-91af-98c3a49a38b1\"],\"excludeUsers\":[\"30000000-0000-4000-8000-000000000001\",\"30000000-0000-4000-8000-001010011010\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}" } ] } ], "additionalDetails": [ { "key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" } ]}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...