Skip to content

DET0036 Suspicious Device Registration via Entra ID or MFA Platform

Item Value
ID DET0036
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1098.005 (Device Registration)

Analytics

Identity Provider

AN0103

Adversary registers new devices to compromised user accounts to bypass MFA or conditional access policies via Azure Entra ID, Okta, or Duo self-enrollment portals.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) azure:audit Operation IN (“Add device”, “Add registered users to device”, “Add registered owner to device”)
Application Log Content (DC0038) ApplicationLog:EntraIDPortal DeviceRegistration events
Active Directory Object Creation (DC0087) azure:audit New device object creation
Mutable Elements
Field Description
ActorUserPrincipalName Define expected admin users to exclude known enrollment behavior
IP Address Scope internal vs. external device enrollment sources
TimeWindow Adjust for expected hours of legitimate self-enrollment

Windows

AN0104

Adversary registers a Windows device to Entra ID or bypasses conditional access by adding device via Intune registration pipeline using stolen credentials.

Log Sources
Data Component Name Channel
Active Directory Object Creation (DC0087) WinEventLog:Security Device Object Creation
Application Log Content (DC0038) ApplicationLog:Intune/MDM Logs Enrollment events (e.g., MDMDeviceRegistration)
Mutable Elements
Field Description
DeviceNamePattern Adjust pattern matching logic for unusual or non-corporate device names
UserContext Correlate with prior logon location or device usage behavior
EnrollmentMethod Distinguish between MDM vs manual onboarding vs automated scripts