Multi-Factor Authentication (MFA)

rikvanduijn · ‎03-09-2020

I've been trying to find logging related to the Trusted IP settings that are configured via: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx It appears no logs turn up in the Auditlog relating to changes made. An attacker could whitelist his or her IP to keep access to MFA enabled accounts. Does anyone know if and where logs are created?

Tried to work around the logs by looking for MFA related powershell module but this seems to be missing.

JanoschUlmer · ‎03-09-2020

Not a direct reply to the question (I can only confirm this is not tracked in the audit log), but you could also create an alert for any sign-ins happening with an applied IP exception.

However - if the attacker can get access to the MFA portal, he can do a lot more, he can also disable MFA for users etc.

And if all admins are protected by MFA and the attacker still could get access to the portal, it means he has access to the 2nd factor, so he would need to set IP exclusions anymore.

My understanding is that the old legacy portal is planned to go away at some point in time (no specific ETA announced)- and since adding trusted locations in the Conditional Access management is logged, the problem might also resolve itself over time.

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team

rikvanduijn · ‎03-13-2020

Hi Janosch,

Thanks for your anwser, I like the workaround by detecting the sign-ins. This does require a whitelist if you do use whitelists but there is a way to detect. I agree an attacker could do much more once he/she gains access my goal is to detect some persistence techniques within the tenant. Assuming a company will get breached some day.

Multi-Factor Authentication (MFA)

MFA Trusted IPs

Product and Services

Emerging Technologies

Developer & IT

Partner

Industries

Other