Update User Authentication Methods
Azure
Update User Authentication Methods
Event
Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. draco@fantasticlogs.cloud (with newly-elevated User Administrator-equivalent rights) registers an attacker-controlled phone number +1-555-666-1337 as the MFA phone for victim hermione@fantasticlogs.cloud. Hermione’s future MFA prompts now go to the attacker. Maps to T1556.006 (MFA Modification) + T1098 (Account Manipulation).
{ "id": "Directory_90000000-0000-4000-8000-000100100010_C2B41_38912407", "category": "UserManagement", "correlationId": "90000000-0000-4000-8000-000100100010", "result": "success", "resultReason": "", "activityDisplayName": "Admin registered security info", "activityDateTime": "2026-04-15T18:25:42.1148088Z", "loggedByService": "Authentication Methods", "operationType": "Update", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "30000000-0000-4000-8000-000000000001", "displayName": "Hermione Granger", "type": "User", "userPrincipalName": "hermione@fantasticlogs.cloud", "groupType": null, "modifiedProperties": [] } ], "additionalDetails": [ { "key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" }, { "key": "AuthenticationMethod", "value": "Phone" }, { "key": "PhoneNumber", "value": "+15556661337" }, { "key": "PhoneType", "value": "Mobile" } ]}MITRE ATT&CK Mapping
Tactics: Persistence Defense Impairment
Techniques:
- T1556.006 — Multi-Factor Authentication — Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...