MITRE ATT&CK® Analytic

AN0088: Analytic 0088

Detects suspicious updates to conditional access or MFA enforcement policies in identity providers such as Entra ID, Okta, or JumpCloud. Focus is on removal of policy blocks, addition of broad exclusions, or registration of adversary-controlled MFA methods, followed by anomalous login activity that takes advantage of the modified policies.

Enterprise · AN0088 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because conditional access and MFA policy changes can quietly turn strong identity controls into weak ones. For executives and security leaders, the business issue is not just whether MFA exists, but whether policy changes are governed, monitored, and correlated with unusual sign-in activity after the change. In identity providers such as Entra ID, Okta, or JumpCloud, broad exclusions or removed blocks can create a path around controls that many business processes depend on.

Executive priority

Prioritize this as an identity governance and resilience validation item. Leaders should ask whether security teams can prove who changed conditional access or MFA enforcement policies, what changed, whether the change was approved, and whether anomalous logins occurred afterward. This is also useful audit evidence for demonstrating that privileged identity policy changes are monitored rather than assumed safe.

Technical view

SOC and detection teams should validate monitoring for identity-provider policy update events involving conditional access, MFA enforcement, policy block removal, broad exclusions, and MFA method registration. Because no official ATT&CK detection logic is provided, local implementation should focus on correlating sensitive policy changes with subsequent anomalous login activity that appears to benefit from the modified policy. IR teams should be prepared to reconstruct policy history, administrator activity, affected users or groups, and post-change authentication events.

Likely telemetry

  • Identity provider administrative audit logs
  • Conditional access policy change logs
  • MFA enforcement and authentication method registration events
  • User, group, and exception list modification records
  • Sign-in and authentication logs after policy changes

Detection direction

  • Alert on removal of conditional access policy blocks or weakening of MFA enforcement where the affected scope is broad or sensitive.
  • Detect additions of broad exclusions to conditional access or MFA policies, especially for privileged users, large groups, or high-value applications.
  • Correlate policy changes with anomalous login activity after the modification, including logins that appear newly permitted by the changed policy.
  • Tune for authorized maintenance by comparing changes against change records, approved administrators, and expected maintenance windows.
  • Account for blind spots where identity-provider audit logging, policy version history, or MFA method registration logs are not retained or centrally collected.
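The correlation the bullets above describe, written out as an added Python example (not code from the MITRE analytic or from Glexia) over constructed, vendor-neutral audit and sign-in records. The field names, change-type labels, scope labels, the approved-ticket list and the 24-hour window are assumptions; a real deployment would map Entra ID, Okta or JumpCloud log fields onto them.

```python
from datetime import datetime, timedelta

# Constructed, vendor-neutral sample records for illustration only; real Entra ID, Okta
# or JumpCloud audit and sign-in schemas differ and must be mapped to these fields.
AUDIT_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "actor": "admin.alice", "change": "exclusion_added",
     "policy": "Require MFA - All Users", "scope": "group:AllEmployees", "ticket": "CHG-1042"},
    {"ts": "2024-05-01T21:15:00", "actor": "admin.bob", "change": "block_removed",
     "policy": "Block legacy auth", "scope": "group:GlobalAdmins", "ticket": None},
    {"ts": "2024-05-01T21:20:00", "actor": "admin.bob", "change": "mfa_method_registered",
     "policy": None, "scope": "user:admin.bob", "ticket": None},
]
SIGNIN_EVENTS = [
    {"ts": "2024-05-01T10:30:00", "user": "carol", "group": "AllEmployees", "mfa": False, "known_ip": True},
    {"ts": "2024-05-01T21:40:00", "user": "admin.bob", "group": "GlobalAdmins", "mfa": False, "known_ip": False},
    {"ts": "2024-05-03T21:40:00", "user": "admin.bob", "group": "GlobalAdmins", "mfa": False, "known_ip": False},
]
WEAKENING_CHANGES = {"block_removed", "exclusion_added", "mfa_method_registered"}
PRIVILEGED_GROUPS = {"GlobalAdmins", "AllEmployees"}   # broad or high-value scopes (assumed)
PRIVILEGED_USERS = {"admin.alice", "admin.bob"}
APPROVED_TICKETS = {"CHG-1042"}                        # change records from the ITSM (assumed)

def is_sensitive(scope):
    kind, name = scope.split(":", 1)
    return name in (PRIVILEGED_GROUPS if kind == "group" else PRIVILEGED_USERS)

def flag_policy_changes(events, approved=APPROVED_TICKETS):
    """Weakening changes on a broad or privileged scope with no approved change record."""
    return [e for e in events if e["change"] in WEAKENING_CHANGES
            and is_sensitive(e["scope"]) and e["ticket"] not in approved]

def in_scope(signin, scope):
    kind, name = scope.split(":", 1)
    return signin["user" if kind == "user" else "group"] == name

def correlate(flagged, signins, window=timedelta(hours=24)):
    """Pair each flagged change with later in-scope sign-ins that look newly permitted."""
    hits = []
    for change in flagged:
        t0 = datetime.fromisoformat(change["ts"])
        for s in signins:
            t1 = datetime.fromisoformat(s["ts"])
            newly_permitted = not s["mfa"] or not s["known_ip"]  # no MFA, or unfamiliar source
            if t0 <= t1 <= t0 + window and in_scope(s, change["scope"]) and newly_permitted:
                hits.append((change["change"], change["scope"], s["user"], s["ts"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(flag_policy_changes(AUDIT_EVENTS), SIGNIN_EVENTS):
        print("ALERT: policy weakened, then anomalous sign-in:", hit)
```

The approved-ticket filter drops the daytime exclusion that has a change record, so only the unapproved block removal and MFA registration are paired with the admin's later non-MFA sign-in; the sign-in two days later falls outside the window.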

Mitigation priorities

  • Establish formal approval and review for conditional access and MFA policy changes.
  • Limit who can modify identity-provider security policies and review privileged administrator assignments regularly.
  • Retain and centralize identity-provider audit, sign-in, and MFA registration logs for investigation and compliance evidence.
  • Periodically review exclusions and policy gaps to ensure they remain business-justified and narrowly scoped.
  • Test incident response procedures for reconstructing identity policy changes and assessing affected accounts after suspicious modifications.

Analyst notes and limits

The supplied object is a detection analytic for identity-provider policy manipulation and follow-on anomalous login activity. No ATT&CK tactics, relationships, or official detection implementation were supplied, so this take emphasizes validation questions, telemetry classes, and conservative detection engineering direction rather than a specific rule.

This assessment is limited to the official STIX fields, external reference, and description provided. It does not establish active exploitation, attribution, impact, or confirmed detection coverage. Local identity-provider configuration, logging retention, policy structure, and change-management evidence are required to determine actual exposure and monitoring maturity.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 8b336be5a97d2d09...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 8b336be5a97d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0088 (external reference URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.