Update User Authentication Methods
Event
Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Entra ID Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence Defense Evasion
Techniques:
- T1556.006 — Multi-Factor Authentication — Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authenticati...
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.