Skip to content

Update User Authentication Methods

Azure

Update User Authentication Methods

service: Azure - Microsoft Entra ID
techniques:

Event

Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. draco@fantasticlogs.cloud (with newly-elevated User Administrator-equivalent rights) registers an attacker-controlled phone number +1-555-666-1337 as the MFA phone for victim hermione@fantasticlogs.cloud. Hermione’s future MFA prompts now go to the attacker. Maps to T1556.006 (MFA Modification) + T1098 (Account Manipulation).

{
"id": "Directory_90000000-0000-4000-8000-000100100010_C2B41_38912407",
"category": "UserManagement",
"correlationId": "90000000-0000-4000-8000-000100100010",
"result": "success",
"resultReason": "",
"activityDisplayName": "Admin registered security info",
"activityDateTime": "2026-04-15T18:25:42.1148088Z",
"loggedByService": "Authentication Methods",
"operationType": "Update",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "30000000-0000-4000-8000-000000000001",
"displayName": "Hermione Granger",
"type": "User",
"userPrincipalName": "hermione@fantasticlogs.cloud",
"groupType": null,
"modifiedProperties": []
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
},
{
"key": "AuthenticationMethod",
"value": "Phone"
},
{
"key": "PhoneNumber",
"value": "+15556661337"
},
{
"key": "PhoneType",
"value": "Mobile"
}
]
}

MITRE ATT&CK Mapping

Tactics: Persistence Defense Impairment

Techniques:
  • T1556.006 — Multi-Factor Authentication — Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...