crowdstrike_cql, TTP

Disable Strong Authentication (Microsoft Entra ID)

Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.

MITRE ATT&CK

persistence, credential-access, defense-evasion

Detection Query

#Vendor="microsoft"
| #event.module = azure
| #event.dataset = azure.entraid.audit
| Vendor.activityDisplayName ="Disable Strong Authentication"
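
An added example, not part of the original rule or of CrowdStrike's content: the same activity-name filter applied in Python to constructed audit events, extracting who made the change and which account was affected so a reviewer can separate a one-off administrative change from a bulk one. It assumes records shaped like Microsoft Graph directoryAudit entries (`initiatedBy`, `targetResources`); the accounts, timestamps, app name and helper functions are hypothetical.

```python
from collections import Counter

ACTIVITY = "Disable Strong Authentication"  # activity name matched by the query above

# Constructed sample events. Field names follow the Microsoft Graph directoryAudit
# schema (an assumption about the raw record); all values are invented.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-01-01T09:00:00Z", "activityDisplayName": ACTIVITY,
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}, "app": None},
     "targetResources": [{"userPrincipalName": "alice@example.test"}]},
    {"activityDateTime": "2024-01-01T09:01:00Z", "activityDisplayName": ACTIVITY,
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}, "app": None},
     "targetResources": [{"userPrincipalName": "bob@example.test"}]},
    {"activityDateTime": "2024-01-01T09:02:00Z", "activityDisplayName": "Update user",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}, "app": None},
     "targetResources": [{"userPrincipalName": "carol@example.test"}]},
    {"activityDateTime": "2024-01-01T09:03:00Z", "activityDisplayName": ACTIVITY,
     "result": "success",
     "initiatedBy": {"user": None, "app": {"displayName": "constructed-app"}},
     "targetResources": [{"userPrincipalName": "dave@example.test"}]},
]

def actor_of(event):
    """UPN of the initiating user, else the initiating app's name, else None."""
    initiated = event.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName")

def triage(events):
    """Apply the activity-name filter and return one row per affected account."""
    rows = []
    for ev in events:
        if ev.get("activityDisplayName") != ACTIVITY:
            continue
        for target in ev.get("targetResources") or [{}]:
            rows.append({"time": ev.get("activityDateTime"), "actor": actor_of(ev),
                         "target": target.get("userPrincipalName"), "result": ev.get("result")})
    return rows

def accounts_per_actor(rows):
    """Count distinct affected accounts per actor (one-off change vs. bulk change)."""
    seen = {(r["actor"], r["target"]) for r in rows}
    return Counter(actor for actor, _ in seen)

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(accounts_per_actor(triage(SAMPLE_EVENTS)))
```
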

Author

Kundan Kumar

Data Sources

Other

Tags

Detection
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Disable Strong Authentication (Microsoft Entra ID)

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1556

# Description of what the query does and its purpose.
description: |
  Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.

# The author or team that created the query.
author: Kundan Kumar

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Other

# Tags for filtering and categorization.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor="microsoft"
  | #event.module = azure
  | #event.dataset = azure.entraid.audit
  | Vendor.activityDisplayName ="Disable Strong Authentication"

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.