AN0103: Analytic 0103
Adversary registers new devices to compromised user accounts to bypass MFA or conditional access policies via Azure Entra ID, Okta, or Duo self-enrollment portals.
Analyst context for executives and security teams
This analytic focuses on a high-value identity risk: a compromised user account registering a new device through an identity provider self-enrollment flow to get around MFA or conditional access controls. For leaders, the key issue is not just account compromise; it is whether identity controls can be silently re-bound to an attacker-controlled device, weakening the organization’s primary access gate for cloud and enterprise applications.
Executive priority
Prioritize this as an identity assurance and business resilience question: can the organization prove when new MFA or trusted devices are enrolled, who approved or initiated the enrollment, and whether risky enrollments are reviewed quickly? This matters for incident response scoping, audit evidence around MFA governance, and budget decisions for identity logging, conditional access hardening, and managed detection coverage across identity providers such as Azure Entra ID, Okta, or Duo where used.
Technical view
SOC and identity teams should validate whether device registration and self-enrollment events are logged from the identity provider platform and correlated to user, device, source network, session, and authentication context. Because the supplied ATT&CK object provides no official detection logic or tactic mapping, teams should treat AN0103 as a detection objective: identify anomalous or unauthorized new device registrations to existing accounts, especially where the registration may alter MFA or conditional access posture. IR playbooks should include review of recent device enrollments when investigating suspected account compromise.
Likely telemetry
- Identity provider device registration or enrollment logs
- MFA enrollment and factor change events
- Conditional access or policy evaluation logs where available
- User authentication logs tied to the enrollment session
- Administrative or self-service identity activity logs
Detection direction
- Confirm that self-service device enrollment events are collected and retained from the relevant identity provider.
- Baseline normal device registration patterns by user population, role, geography, and device type before tuning alerts.
- Review enrollments that occur after unusual authentication, from unfamiliar network locations, or close to other account security changes.
- Account for legitimate events such as employee onboarding, device refreshes, lost-device replacement, and helpdesk-assisted recovery to reduce false positives.
- Validate whether alerts connect the new device registration to the affected account’s MFA and conditional access state, not just to a generic identity event.
Mitigation priorities
- Restrict and govern self-service device enrollment where business requirements allow.
- Require strong re-authentication or approved recovery workflows before adding new MFA or trusted devices.
- Ensure identity provider audit logs for enrollment and MFA changes are enabled, retained, and available to SOC and IR teams.
- Review conditional access and MFA policies for gaps that allow a newly registered device to satisfy access requirements without additional assurance.
- Include device enrollment review in account compromise response procedures.
Analyst notes and limits
AN0103 is a detection analytic object for the Identity Provider platform. The official description specifically references adversary registration of new devices to compromised user accounts through Azure Entra ID, Okta, or Duo self-enrollment portals. No relationships, tactic mapping, labels, aliases, or official detection logic were supplied, so this take frames the object as a defensive validation requirement rather than a ready-to-deploy rule.
This assessment is limited to the supplied STIX fields and external reference. It does not establish active exploitation, actor attribution, prevalence, specific product configuration guidance, or guaranteed detection. Local identity provider configuration, logging coverage, retention, policy design, and incident history are required to determine actual risk and control effectiveness.
Analytic 0103
Adversary registers new devices to compromised user accounts to bypass MFA or conditional access policies via Azure Entra ID, Okta, or Duo self-enrollment portals.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9dd8f56f05a6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0103Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.