AN0544: Analytic 0544
Detects conditional access policy changes, exclusion of accounts from MFA enforcement, or registration of new MFA factors by non-admin or anomalous users.
Analyst context for executives and security teams
This analytic matters because it focuses on identity-provider changes that can weaken or bypass MFA: conditional access edits, account exclusions from MFA, and new MFA factor registrations by unexpected users. For leaders, the value is not just an alert; it is assurance that identity control changes are visible, attributable, and reviewable before they become an incident-response blind spot.
Executive priority
Treat this as a high-value identity control validation item. Executives and security leaders should ask whether MFA and conditional access changes are logged, monitored, approved, and auditable in the identity provider. This supports resilience, compliance evidence, and incident decision-making because unauthorized or poorly governed MFA changes can undermine access-control assumptions across cloud and business applications.
Technical view
For SOC, detection engineering, and IR teams, validate coverage in the Identity Provider for three event categories named by the ATT&CK analytic: conditional access policy changes, exclusion of accounts from MFA enforcement, and registration of new MFA factors by non-admin or anomalous users. Because no official detection logic is supplied, teams should map local IdP event names, actor roles, target accounts, policy identifiers, authentication-method changes, timestamps, source context, and approval/change records into a testable detection design.
Likely telemetry
- Identity provider audit logs for conditional access policy creation, modification, deletion, enablement, or disablement
- MFA enforcement or policy assignment logs showing accounts or groups excluded from MFA requirements
- Authentication method or MFA factor registration/change events
- User and role context showing whether the actor is an administrator, helpdesk user, service account, or standard user
- Change-management or ticketing records for approved identity-policy changes
Detection direction
- Confirm that IdP audit logging is enabled and retained for conditional access, MFA policy, and authentication-method events.
- Create or validate detections for MFA exclusions and conditional access policy changes, with prioritization for changes made by non-admin, unexpected, or unusual actors.
- Tune expected administrative workflows carefully: onboarding, account recovery, helpdesk-assisted MFA reset, and planned policy maintenance can create legitimate events.
- Correlate actor privilege, target account sensitivity, timing, source context, and change approval records before escalating severity.
- Review blind spots where policy changes occur through administrative portals, APIs, automation, or delegated roles that may produce different audit event names.
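The detection design sketched in the Technical view and the Detection direction items above, as an added worked example that is not code from MITRE or Glexia. It maps vendor-neutral audit events onto the analytic's three categories, then scores each event by actor role, presence of a change ticket, target sensitivity and (for self-service factor registration) whether the source matches the user's baseline, so that expected workflows such as a ticketed helpdesk reset come out as "info" while a non-admin adding an MFA exclusion for a service account comes out "high". The flat event schema, every event and role name, and the sample events are assumptions constructed for the illustration; map your IdP's real audit fields onto them before reusing the logic.

```python
"""Triage of identity-provider audit events that can weaken MFA.

Added illustration for this page, not code from MITRE or Glexia. The flat
event schema (event, actor, actor_role, target, ticket, new_state,
source_in_baseline) and all event and role names are assumptions.
"""

POLICY_ADMIN_ROLES = {"global_admin", "conditional_access_admin"}      # assumed names
FACTOR_ADMIN_ROLES = POLICY_ADMIN_ROLES | {"helpdesk"}                 # may touch others' factors
PRIVILEGED_TARGETS = {"breakglass@example.com", "svc-backup@example.com"}  # assumed examples

# Assumed local event names mapped onto the analytic's three categories.
CATEGORY_OF = {
    **{e: "ca_policy_change" for e in ("ca_policy_create", "ca_policy_update",
                                       "ca_policy_delete", "ca_policy_set_state")},
    "mfa_exclusion_add": "mfa_exclusion",
    "mfa_factor_register": "mfa_factor_registration",
    "mfa_factor_reset": "mfa_factor_registration",
}


def score_event(event: dict):
    """Return (category, score, reasons), or None for events outside the analytic."""
    category = CATEGORY_OF.get(event["event"])
    if category is None:
        return None
    reasons, score = [], 0
    actor, target = event["actor"], event.get("target")
    role = event.get("actor_role", "unknown")
    has_ticket = bool(event.get("ticket"))
    if category in ("ca_policy_change", "mfa_exclusion"):
        if role not in POLICY_ADMIN_ROLES:
            score += 3
            reasons.append(f"policy changed by non-admin role '{role}'")
        if not has_ticket:
            score += 1
            reasons.append("no change or approval ticket attached")
        if event.get("new_state") == "disabled":
            score += 1
            reasons.append("conditional access policy disabled")
    elif actor != target:
        # Assisted reset or registration: helpdesk/admin with a ticket is the
        # expected workflow, anything else is anomalous.
        if role not in FACTOR_ADMIN_ROLES:
            score += 3
            reasons.append(f"factor changed for another user by role '{role}'")
        if not has_ticket:
            score += 1
            reasons.append("assisted factor change without a ticket")
    elif not event.get("source_in_baseline", True):
        # Self-service registration is normal; an unfamiliar source is the signal.
        score += 2
        reasons.append("self-service registration from outside the user's baseline")
    if target in PRIVILEGED_TARGETS:
        score += 2
        reasons.append("target is a privileged or business-critical account")
    return category, score, reasons


def severity_for(score: int) -> str:
    return "high" if score >= 4 else "medium" if score >= 2 else "low" if score else "info"


def triage(events: list) -> list:
    """Score every in-scope event; 'info' findings are expected workflows kept for audit."""
    findings = []
    for ev in events:
        scored = score_event(ev)
        if scored is not None:
            category, score, reasons = scored
            findings.append({"id": ev.get("id"), "category": category, "score": score,
                             "severity": severity_for(score), "reasons": reasons})
    return findings


# Constructed sample audit events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "event": "ca_policy_update", "actor": "alice@example.com",
     "actor_role": "conditional_access_admin", "ticket": "CHG-1001"},
    {"id": 2, "event": "mfa_exclusion_add", "actor": "bob@example.com",
     "actor_role": "standard_user", "target": "svc-backup@example.com", "ticket": None},
    {"id": 3, "event": "mfa_factor_reset", "actor": "helpdesk1@example.com",
     "actor_role": "helpdesk", "target": "carol@example.com", "ticket": "INC-2201"},
    {"id": 4, "event": "mfa_factor_register", "actor": "dave@example.com",
     "actor_role": "standard_user", "target": "dave@example.com", "source_in_baseline": False},
    {"id": 5, "event": "ca_policy_set_state", "actor": "erin@example.com",
     "actor_role": "global_admin", "new_state": "disabled", "ticket": None},
    {"id": 6, "event": "user_login", "actor": "frank@example.com", "actor_role": "standard_user"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['category']} event {f['id']}: "
              f"{'; '.join(f['reasons']) or 'expected workflow'}")
```

Two design points carry over to a real deployment: the role check is applied to policy and exclusion changes but not to self-service factor registration, because a standard user registering their own factor is normal and only the unfamiliar source should raise it; and "info" findings are still emitted rather than dropped, so that the approved change trail the Mitigation priorities ask for is reconstructable from the same pipeline.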
Mitigation priorities
- Require formal approval and review for conditional access and MFA enforcement changes.
- Limit who can modify MFA requirements, authentication methods, and conditional access policies in the identity provider.
- Regularly audit accounts or groups excluded from MFA enforcement and remove stale or unjustified exceptions.
- Monitor MFA factor registrations and resets, especially for privileged or business-critical accounts.
- Maintain retention and accessibility of IdP audit logs so incident responders can reconstruct who changed what, when, and for which account or policy.
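The exclusion audit described in the Mitigation priorities (regularly reviewing accounts or groups excluded from MFA enforcement and removing unjustified exceptions) is a state check rather than an event detection, so it is shown here as a separate added example, not code from MITRE or Glexia. It expands group exclusions recursively, because the accounts that actually bypass MFA are the group members rather than the group name shown in the policy, and then reconciles every effective exclusion against an approval register, flagging entries with no approval or an expired one. The policy export, group membership, register shape and audit date are constructed assumptions; replace them with exports from your IdP and change-management system.

```python
"""Reconciling effective MFA exclusions against an approval register.

Added illustration for this page, not code from MITRE or Glexia. The policy,
group and register shapes are assumptions; export the real ones from your
IdP and change-management system.
"""
from datetime import date

# Constructed directory state: group -> members (users or nested groups).
# grp-legacy-apps nests grp-mfa-exempt back, so the expansion must tolerate cycles.
GROUPS = {
    "grp-mfa-exempt": ["svc-scanner@example.com", "grp-legacy-apps"],
    "grp-legacy-apps": ["svc-printjob@example.com", "legacy-admin@example.com", "grp-mfa-exempt"],
}

# Constructed policy export: who is carved out of the MFA requirement.
POLICY = {
    "name": "Require MFA for all users",
    "excluded_users": ["breakglass@example.com", "bob@example.com"],
    "excluded_groups": ["grp-mfa-exempt"],
}

# Constructed approval register: account -> (ticket, exception expiry).
APPROVED_EXCEPTIONS = {
    "breakglass@example.com": ("CHG-0001", date(2099, 12, 31)),
    "svc-scanner@example.com": ("CHG-0420", date(2025, 1, 31)),
    "svc-printjob@example.com": ("CHG-0455", date(2027, 6, 30)),
}

AS_OF = date(2026, 1, 1)  # constructed audit date for the sample run


def expand_group(name: str, groups: dict, seen=None) -> set:
    """Return all user members of a group, following nesting and tolerating cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for member in groups.get(name, []):
        if member in groups:
            members |= expand_group(member, groups, seen)
        else:
            members.add(member)
    return members


def effective_exclusions(policy: dict, groups: dict) -> dict:
    """Map every account that bypasses the policy to how it got there."""
    paths = {u: "direct" for u in policy["excluded_users"]}
    for g in policy["excluded_groups"]:
        for u in expand_group(g, groups):
            paths.setdefault(u, f"via group {g}")
    return paths


def audit_exclusions(policy: dict, groups: dict, register: dict, today: date) -> list:
    """Flag effective exclusions with no approval on record or an expired one."""
    findings = []
    for account, path in sorted(effective_exclusions(policy, groups).items()):
        approval = register.get(account)
        if approval is None:
            findings.append({"account": account, "path": path, "issue": "no approval on record"})
        elif approval[1] < today:
            findings.append({"account": account, "path": path,
                             "issue": f"approval {approval[0]} expired {approval[1]}"})
    return findings


if __name__ == "__main__":
    for f in audit_exclusions(POLICY, GROUPS, APPROVED_EXCEPTIONS, AS_OF):
        print(f"{f['account']} ({f['path']}): {f['issue']}")
```

On the constructed data the run flags three accounts: a direct exclusion with no approval, a nested-group member that never appears in the policy by name, and a service account whose approved exception has lapsed. The group path recorded in each finding is what the reviewer needs to remove the exception at the right place.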
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for the Identity Provider platform. It provides a concise description but no official detection implementation, no tactics, and no relationship context. The strongest use is as a control-validation prompt for IAM, SOC, and compliance teams: prove that identity-policy weakening events are captured, reviewed, and actionable.
This take is limited to the official fields supplied. It does not assert active exploitation, specific adversaries, affected vendors, or guaranteed detection coverage. Local IdP products, event schemas, administrative processes, and baseline user behavior are required to turn this analytic into reliable detections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f718d39330c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0544
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.