AN0817: Analytic 0817
Detects tenant-wide authentication or conditional access changes that weaken hybrid identity enforcement, including disabling AD FS or bypassing hybrid MFA policies.
Analyst context for executives and security teams
This analytic matters because tenant-wide identity or conditional access changes can quickly weaken the controls that protect an organization’s Office Suite environment. For executives and security leaders, the key issue is not a single user setting change; it is whether broad authentication enforcement, hybrid identity, AD FS, or MFA policy posture can be altered without rapid review and response.
Executive priority
Prioritize this as an identity governance and business resilience control point. Leadership should ask whether tenant-wide authentication and conditional access changes are logged, independently reviewed, and tied to change-management evidence. This is especially relevant for audit readiness, incident decision-making, and reducing the risk that a broad identity control change goes unnoticed during an investigation.
Technical view
SOC, identity, and IR teams should validate visibility into Office Suite tenant-level authentication and conditional access configuration changes. The analytic is scoped to detecting changes that weaken hybrid identity enforcement, including disabling AD FS or bypassing hybrid MFA policies. Because no official detection logic is supplied, teams should map their own telemetry and rules to administrative configuration-change events, policy state changes, and hybrid identity enforcement settings.
Likely telemetry
- Office Suite administrative audit logs
- Tenant-wide authentication configuration change records
- Conditional access policy change events
- Hybrid identity / AD FS configuration change evidence
- MFA policy configuration and enforcement state changes
Detection direction
- Validate that tenant-level identity and conditional access changes generate searchable logs with actor, timestamp, target setting, previous value, and new value where available.
- Tune detections to distinguish approved identity architecture changes from unplanned or emergency changes that weaken enforcement.
- Correlate alerts with change-management records to reduce false positives while preserving escalation for unapproved weakening of controls.
- Pay special attention to broad-scope changes affecting hybrid MFA enforcement or AD FS status, since the supplied analytic description explicitly calls out those cases.
- Identify blind spots where policy changes are visible only in administrative portals but not forwarded to the SOC or retained for investigation.
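The detection direction above can be exercised against a normalized event stream before real telemetry is mapped. The following is an added example, not detection logic from the ATT&CK object or from Glexia: it assumes a hypothetical normalized schema (the `AuditEvent` fields, the operation names `ConditionalAccessPolicyState`, `DomainAuthenticationType` and `HybridMfaEnforcement`, and the `ChangeTicket` records) that a team would populate from its own tenant audit logs and change-management system. It flags only tenant-scoped transitions that weaken enforcement (a conditional access policy leaving enforcing mode, a federated domain converted to managed authentication, hybrid MFA enforcement relaxed), ignores strengthening and per-user changes, and downgrades alerts that fall inside an approved change window. All sample events and tickets are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class AuditEvent:
    # Assumed normalized schema; map these fields from your own audit log source.
    ts: datetime
    actor: str
    operation: str   # normalized operation name (hypothetical, not a vendor event name)
    target: str      # policy, domain, or setting the change applied to
    old: str         # previous value, where the log source records it
    new: str         # new value
    scope: str       # "tenant" for tenant-wide changes, "user" for per-user changes


@dataclass(frozen=True)
class ChangeTicket:
    # Assumed change-management record: an approved window for a named target.
    ticket_id: str
    target: str
    window_start: datetime
    window_end: datetime


# Transitions that weaken hybrid identity enforcement, keyed by normalized operation.
# Each predicate receives (old_value, new_value) and returns True when the change weakens control.
WEAKENING_RULES: dict[str, Callable[[str, str], bool]] = {
    # A conditional access policy moved out of enforcing mode (disabled or report-only)
    "ConditionalAccessPolicyState": lambda old, new: old == "enabled" and new != "enabled",
    # A federated (AD FS) domain converted to cloud-managed authentication
    "DomainAuthenticationType": lambda old, new: old == "federated" and new == "managed",
    # Hybrid MFA enforcement relaxed or switched off
    "HybridMfaEnforcement": lambda old, new: old == "enforced" and new != "enforced",
}


def weakening_reason(ev: AuditEvent) -> Optional[str]:
    """Return a human-readable reason if the event weakens tenant-wide enforcement, else None."""
    if ev.scope != "tenant":
        return None  # per-user changes are outside this analytic's tenant-wide scope
    rule = WEAKENING_RULES.get(ev.operation)
    if rule is None or not rule(ev.old, ev.new):
        return None
    return f"{ev.operation}: {ev.old} -> {ev.new} on {ev.target}"


def matching_ticket(ev: AuditEvent, tickets: list[ChangeTicket]) -> Optional[ChangeTicket]:
    """Find an approved change ticket covering this target at the time of the event."""
    for t in tickets:
        if t.target == ev.target and t.window_start <= ev.ts <= t.window_end:
            return t
    return None


def evaluate(events: list[AuditEvent], tickets: list[ChangeTicket]) -> list[dict]:
    """Produce alerts for weakening changes; approved changes are kept for audit at low severity."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        reason = weakening_reason(ev)
        if reason is None:
            continue
        ticket = matching_ticket(ev, tickets)
        alerts.append({
            "ts": ev.ts.isoformat(),
            "actor": ev.actor,
            "reason": reason,
            "severity": "info" if ticket else "high",
            "ticket": ticket.ticket_id if ticket else None,
        })
    return alerts


# Constructed sample data for demonstration only.
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    # Approved: policy moved to report-only inside the CHG-1001 window
    AuditEvent(T0, "admin.alice@contoso.example", "ConditionalAccessPolicyState",
               "CA-Require-MFA-All-Users", "enabled", "reportOnly", "tenant"),
    # Unapproved: federated domain converted to managed, no ticket
    AuditEvent(T0 + timedelta(hours=2), "admin.bob@contoso.example", "DomainAuthenticationType",
               "contoso.example", "federated", "managed", "tenant"),
    # Strengthening change: not an alert
    AuditEvent(T0 + timedelta(hours=3), "admin.alice@contoso.example", "ConditionalAccessPolicyState",
               "CA-Block-Legacy-Auth", "disabled", "enabled", "tenant"),
    # Per-user change: outside tenant-wide scope
    AuditEvent(T0 + timedelta(hours=4), "helpdesk.carol@contoso.example", "HybridMfaEnforcement",
               "user:dave@contoso.example", "enforced", "disabled", "user"),
]
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1001", "CA-Require-MFA-All-Users", T0 - timedelta(hours=1), T0 + timedelta(hours=1)),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, SAMPLE_TICKETS):
        print(alert)
```

Running the module prints two alerts: the report-only policy change at `info` severity with its ticket reference, and the federated-to-managed domain change at `high` severity with no ticket. The ticket match is deliberately keyed on target and time window rather than on the actor, so that an approved change executed by a different administrator still correlates, while a change to a target nobody raised a ticket for escalates.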
Mitigation priorities
- Require strong administrative governance for tenant-wide authentication and conditional access changes.
- Use change approval and post-change validation for identity policy modifications that affect hybrid enforcement or MFA.
- Restrict and monitor privileged roles capable of modifying tenant authentication and conditional access settings.
- Ensure audit logs for Office Suite identity configuration changes are retained and available to SOC and incident response teams.
- Periodically review conditional access, MFA, and hybrid identity enforcement posture against the intended baseline.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0817, for Office Suite environments. It has no supplied tactics, no relationship context, and no official detection query. The practical value is therefore in validating that the organization can observe and govern broad identity-control changes rather than assuming a ready-made ATT&CK detection exists.
This take is limited to the supplied STIX fields and external reference. No active exploitation, threat actor attribution, specific data source schema, detection logic, or relationship-driven technique context was provided. Local tenant configuration, logging coverage, retention, and change-management evidence are required to determine actual defensive coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c0990fb4cd1a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0817
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.