MITRE ATT&CK® Analytic

AN1260: Analytic 1260

Adversary adds federated identity provider (IdP) or modifies tenant domain authentication from Managed to Federated. Detected via API, PowerShell, or Admin Portal through federation events like `Set domain authentication`, `Add federated identity provider`, or `Update-MsolFederatedDomain`.

Enterprise | AN1260 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about detecting high-risk identity administration changes: adding a federated identity provider or changing a tenant domain from managed authentication to federated authentication. For leaders, the business issue is control of the organization’s sign-in trust boundary. If these changes are unauthorized or poorly governed, identity assurance, access control, auditability, and incident containment can be materially weakened.

Executive priority

Treat federation changes as privileged, business-impacting identity events that deserve executive visibility and change-control evidence. Security and IAM leaders should be able to answer: who can change federation settings, how those changes are approved, whether the SOC sees them quickly, and how incident responders would validate legitimacy during an identity incident. This is especially relevant to cloud/identity security readiness and compliance evidence around privileged administrative activity.

Technical view

Validate that the identity provider platform logs administrative actions for federation configuration changes made through API, PowerShell, and the admin portal. The supplied ATT&CK description specifically calls out events such as `Set domain authentication`, `Add federated identity provider`, and `Update-MsolFederatedDomain`. Detection engineering should focus on identifying these events, mapping the actor account, target domain or IdP, source interface, timestamp, and whether the change matches an approved change record. No ATT&CK tactic or related technique context was supplied, so local triage must determine whether the event is benign administration, misconfiguration, or suspicious activity.

Likely telemetry

  • Identity provider audit logs for federation and domain authentication configuration changes
  • Administrative portal activity logs
  • API activity logs for identity configuration changes
  • PowerShell or administrative command activity where available
  • Change-management records for approved federation/domain authentication changes

Detection direction

  • Alert or review on federation events matching `Set domain authentication`, `Add federated identity provider`, and `Update-MsolFederatedDomain` where those event names are available.
  • Correlate the event to an approved change request, authorized administrator, expected source, and expected tenant/domain scope.
  • Tune for legitimate identity engineering activity, but avoid suppressing these events entirely because they affect the sign-in trust model.
  • Check for blind spots across API, PowerShell, and admin portal paths; coverage in only one interface may miss the same administrative outcome through another path.
  • Ensure event retention and normalization preserve the target domain, federated IdP details, initiating principal, and administrative method.
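The correlation step described in the Technical view and the Detection direction list above, as an added example that is not part of the Glexia or MITRE content: it filters constructed audit records down to the three federation operation names the analytic names, then checks each one against constructed change-control records (actor, target domain or IdP, approval window) and flags anything with no approved change. The flat field names are an assumption, not any identity provider's log schema.

```python
from datetime import datetime

# Operation names the analytic calls out; matched exactly after trimming whitespace.
FEDERATION_OPERATIONS = {
    "Set domain authentication",
    "Add federated identity provider",
    "Update-MsolFederatedDomain",
}

# Constructed sample audit records. The flat field names are an assumption,
# not any vendor's schema; map your log source's fields onto them.
SAMPLE_EVENTS = [
    {"time": "2024-05-02T09:15:00Z", "operation": "Set domain authentication",
     "actor": "iam-admin@example.test", "target": "example.test", "interface": "PowerShell"},
    {"time": "2024-05-02T09:16:30Z", "operation": "Add federated identity provider",
     "actor": "iam-admin@example.test", "target": "sts.partner.example.test",
     "interface": "Admin Portal"},
    {"time": "2024-05-03T02:41:10Z", "operation": "Update-MsolFederatedDomain",
     "actor": "svc-backup@example.test", "target": "example.test", "interface": "PowerShell"},
    {"time": "2024-05-03T10:00:00Z", "operation": "Update user",
     "actor": "helpdesk@example.test", "target": "jdoe@example.test", "interface": "Admin Portal"},
]

# Constructed approved change records: authorized actor, in-scope targets, time window.
APPROVED_CHANGES = [
    {"id": "CHG-0001", "actor": "iam-admin@example.test",
     "targets": {"example.test", "sts.partner.example.test"},
     "start": "2024-05-02T09:00:00Z", "end": "2024-05-02T10:00:00Z"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_approved_change(event, approved):
    """Return the change id that covers this event, or None if no record matches."""
    when = parse_ts(event["time"])
    for chg in approved:
        if (event["actor"] == chg["actor"] and event["target"] in chg["targets"]
                and parse_ts(chg["start"]) <= when <= parse_ts(chg["end"])):
            return chg["id"]
    return None

def triage_federation_events(events, approved):
    """Keep only federation events; those with no approved change become 'alert'."""
    findings = []
    for ev in events:
        if ev["operation"].strip() not in FEDERATION_OPERATIONS:
            continue
        change_id = find_approved_change(ev, approved)
        findings.append({**ev, "change_id": change_id,
                         "severity": "review" if change_id else "alert"})
    return findings
```

Approved events still surface as "review" rather than being dropped, because the sign-in trust model changes either way; only the severity differs.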

Mitigation priorities

  • Restrict who can modify federation and domain authentication settings to a small set of authorized privileged roles.
  • Require formal approval and documented change control for federation additions or managed-to-federated domain changes.
  • Continuously audit privileged identity configuration changes and reconcile them against approved changes.
  • Prepare incident response procedures for rapidly validating and, if necessary, reverting unauthorized federation configuration changes.
  • Maintain compliance-ready evidence showing monitoring, review, and authorization of high-risk identity provider configuration changes.

Analyst notes and limits

The ATT&CK object is a detection analytic for the Identity Provider platform. It provides a clear behavior to monitor but no official detection logic, tactic mapping, or relationship context. The strongest use of this object is as a control-validation prompt for IAM, SOC, and IR teams: confirm that federation configuration changes are logged, reviewed, and tied to authorized change activity.

This take is limited to the supplied STIX fields and external reference. No active exploitation, adversary attribution, ATT&CK tactic, related technique, or guaranteed detection coverage is provided. Local identity provider logging formats, role models, and change-management processes are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 1260

Adversary adds federated identity provider (IdP) or modifies tenant domain authentication from Managed to Federated. Detected via API, PowerShell, or Admin Portal through federation events like `Set domain authentication`, `Add federated identity provider`, or `Update-MsolFederatedDomain`.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in this snapshot)
Modified: (no value in this snapshot)
Raw hash: 30735ae0a20bc28d...

Imported snapshots across ATT&CK releases (1)

  • Release 19.1: object version 1.0, status "Current bundle", raw hash 30735ae0a20b… (bundle-imported and modified timestamps not present in this snapshot)

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1260 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.