Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.
For example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.[1][2][3] In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain condition attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.[4][5] These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required.
By modifying conditional access policies, such as adding additional trusted IP ranges, removing Multi-Factor Authentication requirements, or allowing additional Unused/Unsupported Cloud Regions, adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.
| ID | Name | Description |
|---|---|---|
| G1015 | Scattered Spider |
Scattered Spider has added additional trusted locations to Azure AD conditional access policies. [6] |
| G1053 | Storm-0501 |
Storm-0501 has registered their own MFA method, and leveraged a victim hybrid joined server to circumvent Conditional Access Policies.[7] |
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management |
Limit permissions to modify conditional access policies to only those required. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0030 | Detect Conditional Access Policy Modification in Identity and Cloud Platforms | AN0087 |
Detects modifications to IAM conditions or policies that alter authentication behavior, such as adding permissive trusted IPs, removing MFA requirements, or changing regional access restrictions. Behavioral detection focuses on anomalous policy updates tied to privileged accounts and subsequent suspicious logon activity from previously blocked regions or devices. |
| AN0088 |
Detects suspicious updates to conditional access or MFA enforcement policies in identity providers such as Entra ID, Okta, or JumpCloud. Focus is on removal of policy blocks, addition of broad exclusions, or registration of adversary-controlled MFA methods, followed by anomalous login activity that takes advantage of the modified policies. |