2025-01-01: Azure Active Directory - Conditional Access Policy Modified
AAD - CAP: Conditional Access Policy Modified
Description
This query detects changes to Conditional Access Policies (CAPs). Conditional Access policies are the rules an identity provider or IAM system evaluates at sign-in, using signals such as user, group, device state, location and risk, to decide whether to grant access to a resource and which controls (for example MFA) to require first. An adversary who has obtained a role that can edit these policies may disable a policy, exclude a compromised account from it, or remove a required control so that the account keeps working without the extra verification. Any such edit surfaces in AuditLogs as an update to the policy, which is what this query keys on.
KQL
AuditLogs
| where OperationName == "Update conditional access policy"
// InitiatedBy and TargetResources are dynamic columns; index arrays with [0], not .[0]
| extend InitiatingActor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| extend CAP = tostring(TargetResources[0].displayName)
| extend CAPId = tostring(TargetResources[0].id)
// For a CAP update the modified property carries the policy before and after the change as JSON
| extend newValue = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend oldValue = tostring(TargetResources[0].modifiedProperties[0].oldValue)
| project TimeGenerated, CorrelationId, InitiatingActor, IPAddress, CAP, CAPId, newValue, oldValue
MITRE ATT&CK
ID | Technique | Tactic |
---|---|---|
T1556.009 | Modify Authentication Process: Conditional Access Policies | Credential Access, Defense Evasion, Persistence |
Analytic Rule
- Yaml: AAD-CAP_CAPModified.yaml
- ARM: AAD-CAP_CAPModified.json
Notes
This query is useful for catching CAP changes and misconfigurations early. If the environment changes CAPs frequently the rule can be noisy; you can add filters to the query logic to suppress events from trusted InitiatingActor values or CAPId values that are known to change often. Treat actor-based allowlists with care: a compromised administrator account is exactly the case this rule exists to catch, so keep changes that weaken a policy (the state set to disabled or report-only, a new user or group exclusion, a removed grant control) visible no matter who made them. The oldValue and newValue fields carry the policy as JSON, so comparing them shows what actually changed rather than just that something did. Changes made by an application rather than a user have no InitiatedBy.user; look at InitiatedBy.app.displayName for those.
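As an added example, not part of the original page or of the published analytic rule, the Python below mirrors the query's extend/project steps over a few constructed AuditLogs rows, diffs the policy JSON carried in oldValue/newValue to name the weakening change, and applies the trusted-actor and noisy-policy allowlists from the Notes without letting them hide a weakening change. The tenant, user names, IP addresses, policy id and all function names are assumptions; the row shape (a ConditionalAccessPolicy modified property whose old and new values are the policy document as a JSON string) follows how Azure AD records CAP updates, trimmed to the fields used here.

```python
import json
from typing import Any, Iterable

# Constructed sample data (hypothetical tenant, users, IPs and policy id).
# For a CAP update the audit log stores the policy before and after the change as JSON
# strings in modifiedProperties[0].oldValue / newValue, which is what makes a diff possible.
CAP_MFA_ID = "aaaaaaaa-0000-0000-0000-000000000001"
MFA_ALL = {
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"]}},
    "grantControls": {"builtInControls": ["mfa"]},
}

def _row(actor: str, ip: str, old: dict, new: dict,
         operation: str = "Update conditional access policy") -> dict[str, Any]:
    """Build one constructed AuditLogs row in the shape Sentinel ingests."""
    return {
        "TimeGenerated": "2025-01-01T08:12:44Z",
        "CorrelationId": "11111111-1111-1111-1111-111111111111",
        "OperationName": operation,
        "InitiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
        "TargetResources": [{
            "displayName": "Require MFA for all users",
            "id": CAP_MFA_ID,
            "modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
                                    "oldValue": json.dumps(old),
                                    "newValue": json.dumps(new)}],
        }],
    }

SAMPLE_AUDIT_LOGS = [
    # policy switched off entirely
    _row("helpdesk@contoso.example", "203.0.113.10", MFA_ALL, {**MFA_ALL, "state": "disabled"}),
    # policy left on, but a new account is excluded from it
    _row("helpdesk@contoso.example", "203.0.113.10", MFA_ALL,
         {**MFA_ALL, "conditions": {"users": {"includeUsers": ["All"],
                                              "excludeUsers": ["bg-0001", "svc-4242"]}}}),
    # routine hardening by the identity team: an extra grant control is now required
    _row("idteam@contoso.example", "198.51.100.7", MFA_ALL,
         {**MFA_ALL, "grantControls": {"builtInControls": ["mfa", "compliantDevice"]}}),
    # unrelated audit row that the OperationName filter must drop
    _row("idteam@contoso.example", "198.51.100.7", {}, {}, operation="Update user"),
]

def cap_change(row: dict[str, Any]) -> dict[str, Any]:
    """Equivalent of the KQL extend/project steps, with the old/new JSON parsed."""
    initiated_by = row.get("InitiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}  # present instead of "user" for app-initiated changes
    target = row["TargetResources"][0]
    prop = target["modifiedProperties"][0]
    return {
        "TimeGenerated": row["TimeGenerated"],
        "CorrelationId": row["CorrelationId"],
        "InitiatingActor": user.get("userPrincipalName") or app.get("displayName"),
        "IPAddress": user.get("ipAddress"),
        "CAP": target["displayName"],
        "CAPId": target["id"],
        "oldValue": json.loads(prop["oldValue"]) if prop.get("oldValue") else {},
        "newValue": json.loads(prop["newValue"]) if prop.get("newValue") else {},
    }

def weakening_findings(old: dict, new: dict) -> list[str]:
    """Return the ways `new` is weaker than `old`; an empty list means nothing was loosened."""
    findings: list[str] = []
    if old.get("state") == "enabled" and new.get("state") != "enabled":
        findings.append(f"state: enabled -> {new.get('state')}")
    old_users = old.get("conditions", {}).get("users", {})
    new_users = new.get("conditions", {}).get("users", {})
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):  # scope narrowed by exclusion
        added = set(new_users.get(key, [])) - set(old_users.get(key, []))
        if added:
            findings.append(f"{key} added: {sorted(added)}")
    old_controls = set(old.get("grantControls", {}).get("builtInControls", []))
    new_controls = set(new.get("grantControls", {}).get("builtInControls", []))
    if old_controls - new_controls:
        findings.append(f"grant controls removed: {sorted(old_controls - new_controls)}")
    return findings

def triage(rows: Iterable[dict[str, Any]], trusted_actors: Iterable[str] = (),
           noisy_policy_ids: Iterable[str] = ()) -> list[dict[str, Any]]:
    """Apply the query's filter plus the allowlists from the Notes, but never let an
    allowlist hide a weakening change: a compromised 'trusted' admin is the case to catch."""
    trusted, noisy = set(trusted_actors), set(noisy_policy_ids)
    alerts = []
    for row in rows:
        if row.get("OperationName") != "Update conditional access policy":
            continue
        change = cap_change(row)
        findings = weakening_findings(change["oldValue"], change["newValue"])
        routine = change["InitiatingActor"] in trusted or change["CAPId"] in noisy
        if routine and not findings:
            continue  # known-good actor or churny policy, and nothing was loosened
        change["findings"] = findings
        change["severity"] = "high" if findings else "informational"
        alerts.append(change)
    return alerts
```

Calling `triage(SAMPLE_AUDIT_LOGS, trusted_actors={"idteam@contoso.example"})` returns two high-severity alerts (the policy being disabled and the new exclusion) and suppresses the identity team's hardening change; putting the helpdesk account on the trusted list instead changes nothing, because both of its edits weaken the policy and are therefore never filtered.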