T1556.006
Multi-Factor Authentication
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Documented methods include: excluding accounts from Entra ID (Azure AD) Conditional Access policies; registering adversary-controlled MFA methods on a compromised account (Scattered Spider); editing the Windows hosts file so that the MFA client's calls to its server resolve to localhost, which a fail-open MFA configuration then treats as an allow (CISA AA22-074A); disabling per-user MFA with the AADInternals Set-AADIntUserMFA cmdlet; and deploying SLOWPULSE, a set of patches to Pulse Secure VPN binaries that bypass ACE and RADIUS two-factor authentication (Mandiant). Detection focuses on MFA configuration changes in identity provider audit logs; the hosts-file and VPN-binary variants leave no identity provider audit trail and need host-level file integrity monitoring instead.
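The hosts-file variant from AA22-074A is easy to hunt for on a host once you know what to look for. The following is an added example (not code from the original page or from CISA): it parses a Windows hosts file and reports any MFA provider hostname pinned to a loopback or unspecified address, which is the condition that makes a fail-open MFA client skip the second factor. The provider suffix list and the sample file contents are constructed assumptions; replace the suffixes with the hostnames your MFA client actually contacts.

```python
"""Hunt a Windows hosts file for MFA provider names pinned to the local host."""
import ipaddress
from typing import List, Tuple

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Assumed: DNS suffixes of the MFA services the environment uses.
MFA_HOST_SUFFIXES = ("duosecurity.com", "okta.com", "microsoftonline.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:                      # blank, comment-only or malformed
            continue
        address, names = fields[0], fields[1:]   # one address may carry several names
        pairs.extend((address, name.lower()) for name in names)
    return pairs


def is_sinkholed(address: str) -> bool:
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_mfa_host(name: str) -> bool:
    """Match on a label boundary so 'notduosecurity.com' is not treated as Duo."""
    return any(name == s or name.endswith("." + s) for s in MFA_HOST_SUFFIXES)


def find_mfa_redirects(text: str) -> List[Tuple[str, str]]:
    """Entries that send an MFA provider name to the local host (fail-open bypass)."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if is_mfa_host(name) and is_sinkholed(addr)]


# Constructed sample: a stock Windows hosts file plus two intruder-added lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.20.30.40     intranet.corp.example
127.0.0.1       api-abcdef12.duosecurity.com   # added by intruder
0.0.0.0         login.microsoftonline.com
127.0.0.1       notduosecurity.com
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for addr, name in find_mfa_redirects(text):
        print(f"MFA host {name} pinned to {addr}: check the MFA client for fail-open")
```

Run it with the hosts file path as the first argument (on Windows, the WINDOWS_HOSTS constant) or with no argument to see it flag the two constructed entries. Pair the finding with the MFA client's fail-mode setting: a sinkholed hostname only bypasses MFA when the client is configured to allow logon on server unreachability.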
Microsoft Sentinel / Defender
```kusto
let MFADisableEvents = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in~ (
    "Disable StrongAuthentication",
    "Update user",
    "User registered security info",
    "User deleted security info",
    "Admin deleted security info",
    "Admin disabled MFA",
    "Update per-user MFA"
  )
// "Update user" is generic; keep it only when an MFA attribute changed. The change is
// recorded in TargetResources[0].modifiedProperties (ResultDescription is usually empty
// for this operation, so filtering on it would drop the interesting events).
| extend ModifiedProps = tostring(TargetResources[0].modifiedProperties)
| where OperationName !~ "Update user" or ModifiedProps contains "StrongAuthentication"
// Changes made by a service principal carry no user UPN; fall back to the app name.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, ResultDescription, Actor, TargetUser, Result;
let ConditionalAccessModification = AuditLogs
| where TimeGenerated > ago(24h)
| where LoggedByService =~ "Conditional Access"
| where OperationName in~ ("Add conditional access policy", "Update conditional access policy", "Delete conditional access policy")
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend PolicyName = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, PolicyName, Actor, Result;
union MFADisableEvents, ConditionalAccessModification
| sort by TimeGenerated desc
```
Severity: critical
Confidence: high
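To see what the query's logic actually selects, here is the same detection applied to audit records offline. This is an added example, not code from the original page: it uses the same OperationName sets, the Conditional Access service filter, actor and target extraction from InitiatedBy and TargetResources, and, for "Update user", the MFA attribute check on modifiedProperties. The records and the change-ticket allowlist are constructed; real input is the AuditLogs table (or a Graph directoryAudits export) in the same column shape.

```python
"""Apply the MFA-tampering detection logic to Entra ID audit records offline."""
from typing import Dict, List, Optional, Tuple

# Same operation names as the Sentinel query, compared case-insensitively (in~).
MFA_OPERATIONS = {"disable strongauthentication", "user registered security info",
                  "user deleted security info", "admin deleted security info",
                  "admin disabled mfa", "update per-user mfa"}
CA_OPERATIONS = {"add conditional access policy", "update conditional access policy",
                 "delete conditional access policy"}


def actor_of(rec: dict) -> str:
    """Signed-in user UPN, or the app display name when a service principal acted."""
    who = rec.get("InitiatedBy") or {}
    user = (who.get("user") or {}).get("userPrincipalName")
    app = (who.get("app") or {}).get("displayName")
    return user or app or "<unknown>"


def touches_mfa_settings(rec: dict) -> bool:
    """'Update user' records the changed attribute under modifiedProperties."""
    for target in rec.get("TargetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if "strongauthentication" in (prop.get("displayName") or "").lower():
                return True
    return False


def classify(rec: dict) -> Optional[str]:
    """Return 'ca_policy', 'mfa_config', or None when the record is not of interest."""
    op = (rec.get("OperationName") or "").lower()
    if (rec.get("LoggedByService") or "").lower() == "conditional access" and op in CA_OPERATIONS:
        return "ca_policy"
    if op in MFA_OPERATIONS or (op == "update user" and touches_mfa_settings(rec)):
        return "mfa_config"
    return None


def detect(records: List[dict], ticketed: Dict[Tuple[str, str], str]) -> List[dict]:
    """Alerts newest first; an (actor, target) pair covered by a change ticket is downgraded."""
    alerts = []
    for rec in records:
        kind = classify(rec)
        if kind is None:
            continue
        target = (rec.get("TargetResources") or [{}])[0]
        name = target.get("userPrincipalName") or target.get("displayName") or "<unknown>"
        actor = actor_of(rec)
        ticket = ticketed.get((actor, name))
        alerts.append({"time": rec["TimeGenerated"], "kind": kind, "operation": rec["OperationName"],
                       "actor": actor, "target": name, "result": rec.get("Result"),
                       "ticket": ticket, "severity": "informational" if ticket else "critical"})
    return sorted(alerts, key=lambda a: a["time"], reverse=True)


# Constructed records in AuditLogs column shape (not real tenant data).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-04-10T08:02:11Z", "OperationName": "Update user",
     "LoggedByService": "Core Directory", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}},
     "TargetResources": [{"userPrincipalName": "alice@corp.example",
                          "modifiedProperties": [{"displayName": "StrongAuthenticationRequirement",
                                                  "oldValue": "[{\"State\":2}]", "newValue": "[]"}]}]},
    {"TimeGenerated": "2026-04-10T08:05:40Z", "OperationName": "Update user",
     "LoggedByService": "Core Directory", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "hr-sync@corp.example"}},
     "TargetResources": [{"userPrincipalName": "carol@corp.example",
                          "modifiedProperties": [{"displayName": "Department",
                                                  "oldValue": "\"Sales\"", "newValue": "\"Finance\""}]}]},
    {"TimeGenerated": "2026-04-10T09:14:03Z", "OperationName": "Disable StrongAuthentication",
     "LoggedByService": "Core Directory", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin-temp@corp.example"}},
     "TargetResources": [{"userPrincipalName": "bob@corp.example", "modifiedProperties": []}]},
    {"TimeGenerated": "2026-04-10T09:20:55Z", "OperationName": "Update conditional access policy",
     "LoggedByService": "Conditional Access", "Result": "success",
     "InitiatedBy": {"app": {"displayName": "policy-sync-automation"}},
     "TargetResources": [{"displayName": "Require MFA for all users", "modifiedProperties": []}]},
    {"TimeGenerated": "2026-04-10T09:31:27Z", "OperationName": "User registered security info",
     "LoggedByService": "Authentication Methods", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@corp.example"}},
     "TargetResources": [{"userPrincipalName": "bob@corp.example", "modifiedProperties": []}]},
]

# Assumed change-ticket allowlist keyed by (actor, target): the helpdesk case from the FP list.
TICKETED = {("helpdesk@corp.example", "alice@corp.example"): "CHG-20413"}

if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS, TICKETED):
        print(a["time"], a["severity"], a["kind"], repr(a["operation"]),
              a["actor"], "->", a["target"], "ticket:", a["ticket"])
```

Three of the sample records show why the query's details matter: the "Update user" on carol changes only Department and is dropped; the Conditional Access change was made by a service principal, so the actor comes from InitiatedBy.app rather than the (empty) user field; and the helpdesk reset on alice is downgraded because a ticket exists, which is the tuning the False Positives section below calls for.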
Data Sources
- User Account: User Account Modification
- Active Directory: Active Directory Object Modification
- Microsoft Entra ID (formerly Azure AD) Audit Logs
Required Tables
AuditLogs
False Positives
- IT helpdesk disabling MFA for a user who lost their authenticator device — should be documented in a change ticket
- MFA method registration by legitimate users adding a new phone or authenticator app
- Conditional Access Policy updates by authorized administrators during planned policy reviews
- Automated user lifecycle management systems that temporarily suspend MFA during account provisioning
Last updated: 2026-04-13
Research depth: deep
References (6)
- https://attack.mitre.org/techniques/T1556/006/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://www.mandiant.com/media/17826
- https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.006/T1556.006.md
- https://www.microsoft.com/en-us/security/blog/2022/10/25/microsoft-incident-response-tips-for-managing-a-phishing-crisis/