Elastic Security Detection Rules

OIDC Discovery URL Changed in Entra ID

Last updated 11 days ago on 2025-07-22
Created 19 days ago on 2025-07-14

About

Detects a change to the OpenID Connect (OIDC) discovery URL in the Entra ID Authentication Methods Policy. This behavior may indicate an attempt to federate Entra ID with an attacker-controlled identity provider, enabling bypass of multi-factor authentication (MFA) and unauthorized access through bring-your-own IdP (BYOIDP) methods.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Audit LogsUse Case: Identity and Access AuditTactic: PersistenceLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

Modify Authentication Process (T1556)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

azure(opens in a new tab or window)

Query
FROM logs-azure.auditlogs-* metadata _id, _version, _index
| WHERE event.action == "Authentication Methods Policy Update"
| EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.new_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
| EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.old_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")
| DISSECT Esql.azure.auditlogs.properties.target_resources.modified_properties.new_value.replace "%{}discoveryUrl\":\"%{Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new}\"}%{}"
| DISSECT Esql.azure.auditlogs.properties.target_resources.modified_properties.old_value.replace "%{}discoveryUrl\":\"%{Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old}\"}%{}"
| WHERE Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new IS NOT NULL and Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old IS NOT NULL
| WHERE Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new != Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old
| KEEP
    @timestamp,
    event.action,
    event.outcome,
    azure.tenant_id,
    azure.correlation_id,
    azure.auditlogs.properties.activity_datetime,
    azure.auditlogs.properties.operation_type,
    azure.auditlogs.properties.initiated_by.user.userPrincipalName,
    azure.auditlogs.properties.initiated_by.user.displayName,
    azure.auditlogs.properties.initiated_by.user.ipAddress,
    source.geo.city_name,
    source.geo.region_name,
    source.geo.country_name,
    Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new,
    Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old

Install detection rules in Elastic Security

Detect OIDC Discovery URL Changed in Entra ID in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).