Skip to content

T1556.006 Multi-Factor Authentication

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.

Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.23

For example, modifying the Windows hosts file (C:\windows\system32\drivers\etc\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a “fail open” policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. 1

Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim’s network environment.1

Item Value
ID T1556.006
Sub-techniques T1556.001, T1556.002, T1556.003, T1556.004, T1556.005, T1556.006, T1556.007, T1556.008
Tactics TA0006, TA0005, TA0003
Platforms Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Version 1.0
Created 31 May 2022
Last Modified 09 February 2023

Procedure Examples

ID Name Description
S0677 AADInternals The AADInternals Set-AADIntUserMFA command can be used to disable MFA for a specified user.


ID Mitigation Description
M1047 Audit Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended.
M1032 Multi-factor Authentication Ensure that MFA and MFA policies and requirements are properly implemented for existing and deactivated or dormant accounts and devices. If possible, consider configuring MFA solutions to “fail closed” rather than grant access in case of serious errors.
M1018 User Account Management Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.


ID Data Source Data Component
DS0026 Active Directory Active Directory Object Modification
DS0028 Logon Session Logon Session Creation
DS0002 User Account User Account Authentication