1. Home
  2. Techniques
  3. Enterprise
  4. Account Manipulation
  5. Device Registration

Account Manipulation: Device Registration

ID Name
T1098.001 Additional Cloud Credentials
T1098.002 Additional Email Delegate Permissions
T1098.003 Additional Cloud Roles
T1098.004 SSH Authorized Keys
T1098.005 Device Registration
T1098.006 Additional Container Cluster Roles
T1098.007 Additional Local or Domain Groups

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.[1][2] In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. [3]

Similarly, an adversary with existing access to a network may register a device or a virtual machine to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.[4][5][6][7]

Devices registered in Entra ID may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.[8] Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Entra ID tenant by registering a large number of devices.[9]

ID: T1098.005
Sub-technique of:  T1098
Platforms: Identity Provider, Windows
Contributors: Arad Inbar, Fidelis Security; Arun Seelagan, CISA; Joe Gumke, U.S. Bank; Mike Moran; Pawel Partyka, Microsoft 365 Defender
Version: 1.4
Created: 04 March 2022
Last Modified: 22 May 2025
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can register a device to Azure AD.[10]
G0016 APT29

APT29 has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.[3][11]
C0027 C0027

During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[12]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.[13]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Require multi-factor authentication to register devices in Entra ID.[8] Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts.[1] When first enrolling MFA, use conditional access policies to restrict device enrollment to trusted locations or devices, and consider using temporary access passes as an initial MFA solution to enroll a device.[3]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0036 Suspicious Device Registration via Entra ID or MFA Platform AN0103

Adversary registers new devices to compromised user accounts to bypass MFA or conditional access policies via Azure Entra ID, Okta, or Duo self-enrollment portals.
AN0104

Adversary registers a Windows device to Entra ID or bypasses conditional access by adding device via Intune registration pipeline using stolen credentials.

References

  1. Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.
  2. Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022.
  3. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  4. Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022.
  5. Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022.
  6. Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
  7. Ben Nahorney and Jennifer Maynard. (2025, April 10). Observing Atlas Lion (part one): Why take control when you can enroll?. Retrieved May 22, 2025.
  1. Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022.
  2. Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022.
  3. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  4. UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
  5. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  6. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.