title: Conditional Access Policies (T1556.009)
id: df00tech-t1556-009
status: experimental
description: "Adversaries may disable or modify Conditional Access Policies (CAP) to keep access to compromised accounts. Conditional Access evaluates sign-in signals (source IP and named locations, device compliance or hybrid join, MFA, and user or sign-in risk) before granting a session. Attackers weaken CAPs by adding attacker-controlled IP ranges to trusted named locations (as Scattered Spider did), removing the MFA grant control, adding user or group exclusions, or setting policies to disabled or report-only. Storm-0501 circumvented CAPs using hybrid-joined servers. In AWS and GCP the equivalent is weakening IAM policy conditions, for example by removing source-IP or time-of-day restrictions."
references:
  - https://attack.mitre.org/techniques/T1556/009/
  - https://df00tech.com/detections/T1556.009
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.009
# NOTE: logsource and selection target the Entra ID audit log (Category: Policy) and may need
# adjustment for your environment; compare with the KQL/SPL query on df00tech before deploying.
logsource:
  product: azure
  service: auditlogs
detection:
  # Activities written by the Conditional Access service when a policy or a named location
  # (trusted IP range) is created, changed or deleted. Every match should be reconciled with
  # change management; the old/new policy JSON in modifiedProperties shows what was weakened.
  selection:
    properties.message:
      - 'Add conditional access policy'
      - 'Update conditional access policy'
      - 'Delete conditional access policy'
      - 'Add named location'
      - 'Update named location'
      - 'Delete named location'
  condition: selection
falsepositives:
  - Authorized CAP modifications by Identity Administrators during planned policy reviews documented in change management
  - "New trusted IP ranges added for legitimate office locations, datacenter IPs, or VPN egress points"
  - CAP updates during M365 or Entra ID feature rollouts that require policy adjustments
  - User exclusion additions for break-glass accounts or service accounts with documented exemptions
level: critical
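The rule above fires on every Conditional Access or named-location change, so an analyst still has to read the before/after policy in the audit record to tell a rename from a weakening. The following is an added triage example, not df00tech's detection and not Microsoft code: it takes directoryAudit-shaped records (activityDisplayName, initiatedBy, targetResources[].modifiedProperties[] with oldValue/newValue as JSON strings, following the conditionalAccessPolicy and ipNamedLocation field names) and reports the specific patterns named in the description: policy disabled or set to report-only, MFA grant control removed, user/group/location exclusions added, a named location made trusted or widened with new IP ranges, and policy deletion. Assumptions: the first modifiedProperties entry carries the serialized object, and all sample records, UPNs under contoso.example and object ids are constructed placeholders.

```python
"""Triage Entra ID audit records for Conditional Access weakening (T1556.009)."""
import json

# Activity names the Conditional Access service writes to the Entra ID audit log.
CAP_ACTIVITIES = {"Add conditional access policy", "Update conditional access policy",
                  "Delete conditional access policy"}
LOCATION_ACTIVITIES = {"Add named location", "Update named location", "Delete named location"}


def _as_obj(value):
    """oldValue/newValue arrive as JSON strings or null in modifiedProperties."""
    return json.loads(value) if isinstance(value, str) and value else (value or {})


def _before_after(event):
    # Assumption: the first modifiedProperties entry carries the serialized object.
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            return _as_obj(prop.get("oldValue")), _as_obj(prop.get("newValue"))
    return {}, {}


def _actor(event):
    by = event.get("initiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")


def classify_policy_change(old, new):
    """Weakening patterns between two conditionalAccessPolicy objects (old -> new)."""
    findings = []
    if old.get("state") == "enabled" and new.get("state") != "enabled":
        findings.append("policy_disabled_or_report_only")
    controls = lambda p: set((p.get("grantControls") or {}).get("builtInControls") or [])
    if "mfa" in controls(old) and "mfa" not in controls(new):
        findings.append("mfa_requirement_removed")
    excluded = lambda p, scope, key: set(((p.get("conditions") or {}).get(scope) or {}).get(key) or [])
    for scope, key, label in (("users", "excludeUsers", "users_excluded"),
                              ("users", "excludeGroups", "groups_excluded"),
                              ("locations", "excludeLocations", "locations_excluded")):
        added = excluded(new, scope, key) - excluded(old, scope, key)
        if added:
            findings.append(f"{label}:{','.join(sorted(added))}")
    return findings


def classify_location_change(old, new):
    """Weakening patterns between two ipNamedLocation objects (old -> new)."""
    findings = []
    if not old.get("isTrusted") and new.get("isTrusted"):
        findings.append("location_marked_trusted")
    ranges = lambda loc: {r.get("cidrAddress") for r in loc.get("ipRanges") or [] if r.get("cidrAddress")}
    added = sorted(ranges(new) - ranges(old))
    if added and new.get("isTrusted"):
        findings.append("trusted_ip_ranges_added:" + ",".join(added))
    return findings


def triage(events):
    """Return (activity, actor, findings) for records that weaken CAP; benign edits are dropped."""
    hits = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        old, new = _before_after(ev)
        if activity in CAP_ACTIVITIES:
            findings = (["policy_deleted"] if activity.startswith("Delete")
                        else classify_policy_change(old, new))
        elif activity in LOCATION_ACTIVITIES:
            findings = classify_location_change(old, new)
        else:
            continue
        if findings:
            hits.append((activity, _actor(ev), findings))
    return hits


# Constructed sample records (not real tenant data); UPNs and object ids are placeholders.
def _record(activity, actor, prop_name, old, new):
    return {"activityDisplayName": activity, "category": "Policy",
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"modifiedProperties": [{"displayName": prop_name,
                "oldValue": json.dumps(old) if old else None,
                "newValue": json.dumps(new) if new else None}]}]}

BASELINE = {"displayName": "Require MFA for all users", "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
WEAKENED = {**BASELINE,
            "conditions": {"users": {"includeUsers": ["All"],
                                     "excludeUsers": ["breakglass-id", "attacker-id"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
OFFICE = {"displayName": "Corp offices", "isTrusted": True,
          "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]}

SAMPLE_EVENTS = [
    _record("Update conditional access policy", "admin@contoso.example", "ConditionalAccessPolicy",
            BASELINE, {**BASELINE, "displayName": "Require MFA (all users)"}),  # benign rename
    _record("Update conditional access policy", "helpdesk@contoso.example", "ConditionalAccessPolicy",
            BASELINE, {**BASELINE, "state": "disabled"}),
    _record("Update conditional access policy", "helpdesk@contoso.example", "ConditionalAccessPolicy",
            BASELINE, WEAKENED),
    _record("Update named location", "helpdesk@contoso.example", "NamedLocation", OFFICE,
            {**OFFICE, "ipRanges": OFFICE["ipRanges"] + [{"cidrAddress": "198.51.100.7/32"}]}),
    _record("Delete conditional access policy", "helpdesk@contoso.example", "ConditionalAccessPolicy",
            BASELINE, None),
]

if __name__ == "__main__":
    for activity, actor, findings in triage(SAMPLE_EVENTS):
        print(f"{activity:<34} {actor:<26} {'; '.join(findings)}")
```

Run against the five constructed records, the benign rename is dropped and the other four surface with the concrete weakening, which is what the falsepositives list above needs an analyst to reconcile against change management: a new trusted range for a known office egress is expected, a /32 added by a helpdesk account is not. Deletions carry no newValue, so they are reported on the activity name alone rather than on a diff.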
