MFA Trusted IPs
I've been trying to find logging related to the Trusted IP settings that are configured via: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx It appears no logs turn up in the Auditlog relating to changes made. An attacker could whitelist his or her IP to keep access to MFA enabled accounts. Does anyone know if and where logs are created?
Tried to work around the logs by looking for MFA related powershell module but this seems to be missing.
Not a direct reply to the question (I can only confirm this is not tracked in the audit log), but you could also create an alert for any sign-ins happening with an applied IP exception.
However - if the attacker can get access to the MFA portal, he can do a lot more, he can also disable MFA for users etc.
And if all admins are protected by MFA and the attacker still could get access to the portal, it means he has access to the 2nd factor, so he would need to set IP exclusions anymore.
My understanding is that the old legacy portal is planned to go away at some point in time (no specific ETA announced)- and since adding trusted locations in the Conditional Access management is logged, the problem might also resolve itself over time.
Receive consultations via Technical Presales and Deployment Services team
Thanks for your anwser, I like the workaround by detecting the sign-ins. This does require a whitelist if you do use whitelists but there is a way to detect. I agree an attacker could do much more once he/she gains access my goal is to detect some persistence techniques within the tenant. Assuming a company will get breached some day.