Managed Sentinel – Alert 022

Alert ID: MS-A022
Alert Name: MFA disabled for a user - Azure AD
Description: Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the Azure AD Portal without MFA.
Severity Level: Medium
Threat Indicator: Improper Access
MITRE ATT&CK Tactics: Credential Access
False Positives: Service Accounts
Log sources: Azure AD
Recommendations:
1. Review the Azure policy change and understand the reason why the target user is not configured to use MFA.
2. Enable MFA for in-scope users.
3. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see whether any lateral movement occurred.