Entra ID Conditional Access MFA Bypass with Unusual User, Client and Source ASN

Last updated 17 days ago on 2026-06-22
Created 17 days ago on 2026-06-22

About

Identifies the first observed instance of a Microsoft first-party public client application acquiring a Microsoft Graph token using single-factor (password-only) authentication while an MFA Conditional Access grant control went unenforced, for a given user, application, and source autonomous system (ASN). This pattern is associated with the Conditional Access "resource exclusion" bypass: when a tenant's "all resources" Conditional Access policy contains at least one application exclusion, Entra ID issues tokens for low-privilege baseline scopes (User.Read, openid, profile, email) to any resource, including Microsoft Graph, without enforcing the policy's grant controls (such as MFA). An adversary holding only a stolen password can therefore obtain a Graph token through a trusted first-party public client (for example, Microsoft Bing Search) and enumerate directory objects, even though the tenant requires MFA. Critically, the overall conditional_access_status is never "failure" for this technique (the sign-in is not blocked); it is reported as "success" or "notApplied" depending on what other policies exist in the tenant, so detections that key on Conditional Access failures will not observe it. The reliable fingerprint is in the per-policy results: a policy whose enforced grant control is MFA reports a result of "notApplied" for this sign-in, meaning the MFA requirement was silently not enforced while the single-factor, password-only sign-in still succeeded.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-in LogsUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: Initial AccessTactic: Defense EvasionLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

Initial Access (TA0001)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-azure.signinlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "azure.signinlogs" and event.outcome: "success" and azure.signinlogs.properties.user_type: "Member" and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication" and azure.signinlogs.properties.conditional_access_status: ("success" or "notApplied") and azure.signinlogs.properties.authentication_details.authentication_method: "Password" and azure.signinlogs.properties.applied_conditional_access_policies.enforced_grant_controls: "Mfa" and azure.signinlogs.properties.applied_conditional_access_policies.result: "notApplied" and ( azure.signinlogs.properties.resource_id: "00000003-0000-0000-c000-000000000000" or azure.signinlogs.properties.resource_display_name: "Microsoft Graph" ) and azure.signinlogs.properties.app_owner_tenant_id: "f8cdef31-a31e-4b4a-93e4-5f571e91255a" and azure.signinlogs.properties.user_principal_name: * and azure.signinlogs.properties.app_id: * and source.as.number: *

Install detection rules in Elastic Security

Detect Entra ID Conditional Access MFA Bypass with Unusual User, Client and Source ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).