AN0756: Analytic 0756
Adversary modifies tenant policy through changes to federation configuration, trust settings, or identity provider additions in Microsoft 365/AzureAD via Portal, PowerShell, or Graph API. Includes setting authentication to federated or updating federated domains.
Analyst context for executives and security teams
This analytic concerns changes to Microsoft 365/Azure AD (now Microsoft Entra ID) tenant identity policy: federation configuration, trust settings, identity provider additions, and federated domain updates. For leaders, the significance is control of authentication trust: unauthorized or poorly governed changes decide who can access business systems and which identity assertions the tenant accepts.
Executive priority
Treat this as an identity governance and incident-readiness priority. Executives and security leaders should confirm that tenant federation and identity provider changes are approved, logged, reviewed, and attributable to authorized administrators. The business question is whether the organization can quickly prove who changed authentication trust, when it changed, through which interface, and whether the change was expected.
Technical view
SOC, identity, and IR teams should validate monitoring for tenant policy modifications in Microsoft 365/Azure AD made through the Portal, PowerShell, or the Graph API. Once a domain is federated, the tenant accepts tokens signed by the configured identity provider's certificate, so whoever can change these settings controls authentication for every user in that domain. Because the ATT&CK object provides no official detection logic and no tactic mapping, teams should focus on coverage validation: can they observe changes to federation configuration, trust settings, identity provider additions, authentication mode changes to federated, and federated domain updates, and can they tie each event to an actor, admin role, source interface, timestamp, and change detail?
Likely telemetry
- Microsoft 365/Azure AD audit logs for tenant policy and federation configuration changes
- Identity provider and federation trust configuration change records
- Administrative activity from Portal, PowerShell, and Graph API
- Directory role and privileged administrator activity logs
- Domain authentication configuration change events, including updates to federated domains
Detection direction
- Build or validate detections for changes to federation configuration, trust settings, identity provider additions, and domain authentication being set to federated.
- Correlate change events with approved change tickets, expected administrators, privileged role assignment, and the interface used: Portal, PowerShell, or Graph API.
- Tune for legitimate identity operations such as planned federation migrations or SSO maintenance, but require strong audit evidence for any high-trust authentication change.
- Review blind spots around incomplete audit log retention, lack of Graph API activity visibility, insufficient parsing of federation change details, and failure to monitor privileged identity actions.
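The detection and correlation steps above, as an added example in Python that is not part of the ATT&CK object or this page: it walks constructed Entra ID audit records shaped like the audit log export, keeps the operations that change domain authentication or federation settings, extracts actor, domain, interface and change detail, and marks each hit approved or unapproved against a constructed change-control list. The operation names are the ones Entra ID emits for these changes but should be confirmed against your own exports; the User-Agent based interface classification and the change-record format are assumptions.

```python
"""Triage Entra ID (Azure AD) audit records for federation / domain-authentication
changes and correlate each hit with an approved-change list.

Added example; not part of the ATT&CK object. Record fields follow the Entra ID
audit log export; sample records, change list and User-Agent heuristic are constructed."""
import json
from datetime import datetime, timezone
from typing import Optional

# Audit operations that change a domain's authentication mode or federation settings.
# Confirm these names against your own tenant's exports before relying on them.
FEDERATION_OPERATIONS = {
    "Set domain authentication",          # Managed <-> Federated
    "Set federation settings on domain",  # issuer, sign-in URIs, signing certificates
    "Add unverified domain",              # new domain: precondition for a new federated domain
}

def parse_ts(value: str) -> datetime:
    """Parse activityDateTime ('Z' suffix, up to seven fractional digits)."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def actor_of(record: dict) -> str:
    """Initiating user UPN, or 'app:<name>' for an application principal."""
    by = record.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName", "<unknown user>")
    if by.get("app"):
        return "app:" + by["app"].get("displayName", "<unknown app>")
    return "<unknown>"

def classify_interface(record: dict) -> str:
    """Heuristic (assumption): map the User-Agent detail to Portal, PowerShell or other client."""
    ua = next((d.get("value", "") for d in record.get("additionalDetails") or []
               if d.get("key") == "User-Agent"), "")
    if "PowerShell" in ua:
        return "PowerShell"
    if "Mozilla" in ua:
        return "Portal/browser"
    return "Graph API or other client"

def matching_ticket(finding: dict, approvals: list) -> Optional[str]:
    """Approved only when actor, domain and time window all match one change record."""
    for a in approvals:
        if (a["actor"].lower() == finding["actor"].lower()
                and a["domain"].lower() == finding["domain"].lower()
                and parse_ts(a["window_start"]) <= finding["when"] <= parse_ts(a["window_end"])):
            return a["ticket"]
    return None

def triage(records: list, approvals: list) -> list:
    """Return one finding per federation-related record, with approval status."""
    findings = []
    for r in records:
        if r.get("operationName") not in FEDERATION_OPERATIONS:
            continue
        target = (r.get("targetResources") or [{}])[0]
        f = {
            "when": parse_ts(r["activityDateTime"]), "operation": r["operationName"],
            "actor": actor_of(r), "domain": target.get("displayName", "<unknown domain>"),
            "interface": classify_interface(r),
            "changes": [(p.get("displayName"), p.get("oldValue"), p.get("newValue"))
                        for p in target.get("modifiedProperties") or []],
        }
        f["ticket"] = matching_ticket(f, approvals)
        f["approved"] = f["ticket"] is not None
        findings.append(f)
    return findings

# Constructed sample: an approved migration via PowerShell, an unapproved change by an
# application through Graph, and an unrelated role operation that must be ignored.
SAMPLE_RECORDS = json.loads(r"""[
 {"activityDateTime": "2024-03-04T09:12:33.1234567Z", "operationName": "Set domain authentication",
  "category": "DirectoryManagement", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "idadmin@contoso.example"}},
  "targetResources": [{"displayName": "contoso.example", "type": "Domain", "modifiedProperties":
     [{"displayName": "Authentication", "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}],
  "additionalDetails": [{"key": "User-Agent", "value": "Microsoft Graph PowerShell/2.15.0"}]},
 {"activityDateTime": "2024-03-06T02:47:10.5Z", "operationName": "Set federation settings on domain",
  "category": "DirectoryManagement", "result": "success",
  "initiatedBy": {"app": {"displayName": "Unknown sync client"}},
  "targetResources": [{"displayName": "contoso.example", "type": "Domain", "modifiedProperties":
     [{"displayName": "NextSigningCertificate", "oldValue": null, "newValue": "\"<constructed-cert>\""}]}],
  "additionalDetails": [{"key": "User-Agent", "value": "python-requests/2.31.0"}]},
 {"activityDateTime": "2024-03-06T03:00:00Z", "operationName": "Add member to role",
  "category": "RoleManagement", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "idadmin@contoso.example"}},
  "targetResources": [{"displayName": "Global Administrator", "type": "Role"}]}
]""")

APPROVED_CHANGES = [  # constructed change-control export: who may change which domain, and when
    {"ticket": "CHG-1042", "actor": "idadmin@contoso.example", "domain": "contoso.example",
     "window_start": "2024-03-04T08:00:00Z", "window_end": "2024-03-04T12:00:00Z"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, APPROVED_CHANGES):
        status = f"approved ({f['ticket']})" if f["approved"] else "UNAPPROVED"
        print(f"{f['when']:%Y-%m-%d %H:%M}Z {status:20} {f['operation']} on {f['domain']} "
              f"by {f['actor']} via {f['interface']} changes={f['changes']}")
```

Anything the triage marks UNAPPROVED is a candidate for the incident process regardless of whether the actor holds a privileged role; the approval check is deliberately strict (actor, domain and window must all match) because a legitimate administrator acting outside an agreed window is exactly the case the change-control correlation exists to surface.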
Mitigation priorities
- Restrict who can modify tenant federation, trust settings, identity providers, and federated domains using least privilege.
- Require formal change control and peer review for authentication trust changes.
- Ensure audit logging and retention are sufficient for identity incident response and compliance evidence.
- Periodically review configured identity providers, federation settings, trust relationships, and federated domains for alignment with approved architecture.
- Prepare IR procedures for rapid validation and rollback of unauthorized tenant identity policy changes.
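The periodic review of identity providers, federation settings and federated domains described above, as an added example (Python, not from the ATT&CK object or this page): it diffs a tenant snapshot against an approved baseline and reports unexpected federated domains and drift in issuer, sign-in URI, signing certificates and the federated IdP MFA behaviour. Field names follow the Microsoft Graph v1.0 domain and internalDomainFederation resources; the snapshot, certificate values and baseline are constructed.

```python
"""State-based review of federated domains against an approved baseline.

Added example; not from the ATT&CK object. Input shapes follow the Microsoft Graph v1.0
`domain` (id, authenticationType) and `internalDomainFederation` (issuerUri, passiveSignInUri,
signingCertificate, nextSigningCertificate, federatedIdpMfaBehavior) resources; the tenant
snapshot and the baseline values are constructed."""

# A changed or added signing certificate means tokens can be minted by a key the
# organization did not approve; the issuer URI decides which IdP the tenant trusts.
HIGH = ("issuerUri", "signingCertificate", "nextSigningCertificate")
MEDIUM = ("passiveSignInUri", "federatedIdpMfaBehavior")


def review_federation(domains: list, federation_by_domain: dict, baseline: dict) -> list:
    """Return [(severity, domain, message)] for every deviation from the baseline.

    domains: Graph domain objects; federation_by_domain: {domain id: [federation configs]};
    baseline: {domain id: {field: expected value}} for each approved federated domain."""
    findings = []
    federated = {d["id"] for d in domains if d.get("authenticationType") == "Federated"}
    approved = set(baseline)
    for dom in sorted(federated - approved):
        findings.append(("high", dom, "federated domain is not in the approved baseline"))
    for dom in sorted(approved - federated):
        findings.append(("medium", dom, "approved federated domain is no longer federated"))
    for dom in sorted(federated & approved):
        configs = federation_by_domain.get(dom) or []
        if len(configs) != 1:
            findings.append(("high", dom, f"expected one federation configuration, found {len(configs)}"))
            continue
        cfg = configs[0]
        for field in HIGH + MEDIUM:
            expected, actual = baseline[dom].get(field), cfg.get(field)
            if expected != actual:
                severity = "high" if field in HIGH else "medium"
                findings.append((severity, dom, f"{field}: expected {expected!r}, found {actual!r}"))
    return findings


TENANT_DOMAINS = [  # constructed GET /v1.0/domains 'value' array
    {"id": "contoso.example", "authenticationType": "Federated", "isVerified": True, "isDefault": True},
    {"id": "fabrikam.example", "authenticationType": "Managed", "isVerified": True, "isDefault": False},
    {"id": "partner-sso.example", "authenticationType": "Federated", "isVerified": True, "isDefault": False},
]

TENANT_FEDERATION = {  # constructed GET /v1.0/domains/{id}/federationConfiguration 'value' arrays
    "contoso.example": [{
        "issuerUri": "http://sts.contoso.example/adfs/services/trust",
        "passiveSignInUri": "https://sts.contoso.example/adfs/ls/",
        "signingCertificate": "MIIC-approved-cert-constructed",
        "nextSigningCertificate": "MIIC-second-cert-constructed",  # not in the baseline
        "federatedIdpMfaBehavior": "rejectMfaByFederatedIdp",
    }],
    "partner-sso.example": [{
        "issuerUri": "http://idp.partner-sso.example/trust",
        "passiveSignInUri": "https://idp.partner-sso.example/saml",
        "signingCertificate": "MIIC-partner-cert-constructed",
        "nextSigningCertificate": None,
        "federatedIdpMfaBehavior": "acceptIfMfaDoneByFederatedIdp",
    }],
}

APPROVED_BASELINE = {  # constructed, kept under change control in practice
    "contoso.example": {
        "issuerUri": "http://sts.contoso.example/adfs/services/trust",
        "passiveSignInUri": "https://sts.contoso.example/adfs/ls/",
        "signingCertificate": "MIIC-approved-cert-constructed",
        "nextSigningCertificate": None,
        "federatedIdpMfaBehavior": "rejectMfaByFederatedIdp",
    },
}

if __name__ == "__main__":
    for severity, domain, message in review_federation(TENANT_DOMAINS, TENANT_FEDERATION, APPROVED_BASELINE):
        print(f"[{severity}] {domain}: {message}")
```

In a live tenant the two inputs come from `Get-MgDomain` and `Get-MgDomainFederationConfiguration -DomainId <id>` (Microsoft.Graph.Identity.DirectoryManagement) or the equivalent Graph requests. Running this review on a schedule complements event-based detection: it catches changes that were missed because of audit retention gaps or unparsed change details, and it gives IR a concrete target state for rollback.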
Analyst notes and limits
The object is a detection analytic for the Identity Provider platform and specifically references Microsoft 365/Azure AD tenant policy changes via the Portal, PowerShell, or the Graph API. No relationships, tactic mapping, or official detection logic were supplied, so this summary emphasizes governance, telemetry validation, and detection engineering direction rather than a specific rule.
This summary is limited to the supplied ATT&CK fields and external reference. It does not assert active exploitation, adversary attribution, impact, or existing detection coverage. Local tenant configuration, audit licensing, retention, administrative model, and change-management data are required to assess actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6d073e9e8eb1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0756
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.