T1556.009: Conditional Access Policies

This technique matters because conditional access is often the control that turns a stolen password into a blocked login. If an adversary can weaken those policies in an identity provider or cloud IAM system, they may preserve access, bypass MFA or location/device restrictions, and make compromised accounts harder to contain.

Executive priority

Treat conditional access and IAM condition changes as high-value security governance events, not routine admin noise. Leaders should ask who can change these policies, whether changes require approval and logging, and whether incident response can quickly prove what changed across identity providers and IaaS environments. This is especially relevant to resilience, audit evidence, and identity/cloud risk because the technique directly affects persistence, credential access, and defense impairment.

Technical view

ATT&CK places T1556.009 under Modify Authentication Process and maps it to IaaS and Identity Provider platforms with defense-impairment, persistence, and credential-access tactics. SOC and IR teams should validate detection of create, update, delete, enable, or disable actions affecting conditional access policies and IAM policy condition attributes. Priority review areas include added trusted IP ranges, removed MFA requirements, changed device enrollment or posture requirements, modified risk-based sign-in controls, and cloud IAM conditions that alter source IP, date, resource, or region constraints. MITRE does not provide official detection text, but the relationship to DET0030 supports a detection strategy focused on conditional access policy modification in identity and cloud platforms.

Likely telemetry

Identity provider audit logs for conditional access policy creation, modification, deletion, enablement, and disablement
Cloud IAM/control-plane logs showing policy condition changes in AWS or GCP-style IAM policies
Administrative activity logs for accounts or roles authorized to modify authentication and access policies
Sign-in and authentication logs showing MFA, device enrollment/posture, IP-based, risk-based, or region-based access decisions
Change-management records or approval evidence for conditional access and IAM policy updates

Detection direction

Alert on conditional access or IAM condition changes made by newly privileged, unusual, or unexpected administrative accounts where local baselines support that determination.
Tune for high-risk policy outcomes: MFA requirement removal, expansion of trusted IP ranges, relaxed device requirements, changes allowing additional regions, or broadening access to resources.
Correlate policy changes with subsequent sign-ins that would previously have been denied by MFA, device, IP, risk, resource, or region constraints.
Account for false positives from planned identity, cloud, or access-management projects by integrating approved change windows and ticket references.
Close blind spots by confirming audit logging is enabled and retained for each relevant identity provider and IaaS environment; ATT&CK does not provide built-in detection logic for this object.

Mitigation priorities

Apply User Account Management principles: restrict who can modify conditional access and IAM policies using least privilege.
Require controlled administrative workflows for policy changes, including approval, review, and documented business justification.
Regularly review conditional access and IAM condition policies for overly broad trusted IP ranges, missing MFA requirements, unsupported or unused region access, and weakened device or risk checks.
Monitor and periodically recertify privileged accounts that can alter authentication or access policy behavior.
Ensure incident response playbooks include rapid review and rollback of suspicious conditional access or IAM condition changes.

Analyst notes and limits

Relationship context links this technique to mitigation M1018 User Account Management and detection strategy DET0030. ATT&CK also lists use by Scattered Spider and Storm-0501; this should be treated as ATT&CK relationship context, not as proof of current activity in any specific environment. Vendor examples in the official description include Entra ID, Okta, JumpCloud, AWS, and GCP, but coverage should be validated against the organization’s actual identity and cloud stack.

Official ATT&CK detection guidance is not provided for this technique. The practical detection and mitigation direction depends on local identity provider configuration, cloud IAM logging, administrative role design, change-management maturity, and log retention. This take does not assert existing detection coverage or active exploitation.

Official MITRE ATT&CK definition

Conditional Access Policies

Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.

For example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.[1][2][3] In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.[4][5] These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required.

By modifying conditional access policies, such as adding additional trusted IP ranges, removing Multi-Factor Authentication requirements, or allowing additional Unused/Unsupported Cloud Regions, adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1556	Modify Authentication Process	This object subtechnique of Modify Authentication Process.

Associated objects

Groups, software, and campaigns

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]

G1053: Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

Relationship explorer

All related ATT&CK context

uses · Group G1015: Scattered Spider Enterprise mitigates · Mitigation M1018: User Account Management Enterprise subtechnique of · Technique T1556: Modify Authentication Process Enterprise uses · Group G1053: Storm-0501 Enterprise detects · Detection Strategy DET0030: Detect Conditional Access Policy Modification in Identity and Cloud Platforms Enterprise

Mitigations

Mitigation direction

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Jan 2, 2024, 13:43 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 6880e2e902b53c89...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`6880e2e902b5…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Microsoft Conditional Access

Microsoft. (2023, November 15). What is Conditional Access?. Retrieved January 2, 2024.
Open source URL
[2]
JumpCloud Conditional Access Policies

JumpCloud. (n.d.). Get Started: Conditional Access Policies. Retrieved January 2, 2024.
Open source URL
[3]
Okta Conditional Access Policies

Okta. (2023, November 30). Conditional Access Based on Device Security Posture. Retrieved January 2, 2024.
Open source URL
[4]
AWS IAM Conditions

AWS. (n.d.). IAM JSON policy elements: Condition. Retrieved January 2, 2024.
Open source URL
[5]
GCP IAM Conditions

Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.
Open source URL
[6]
mitre-attack T1556.009
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams