Tracking MFA enable/disable events through MS-graph integration


wazuh

Nov 25, 2025, 9:32:48 AM (6 days ago)
to Wazuh | Mailing List
Hi, is there any known way or rules for monitoring the practice of enforcing MFA through Conditional Access instead of MFA per user?

A client has followed the following guide to enable MFA:
Turn off per user MFA in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

And now we no longer see the O365 integration events for MFA StrongAuthentication being enabled or disabled (when the client made the change we saw hundreds of MFA-disabled events, and afterwards all the MFA events stopped), rule.id 91539.

As this is the Entra ID area, I was wondering whether the azure-logs wodle for ms-graph monitoring would be able to detect changes to Conditional Access, or if there is another known way to monitor Conditional Access policies regarding MFA.
Microsoft Graph - Monitoring Microsoft Azure with Wazuh

Regards,
Dom

Federico Gustavo Galland

Nov 26, 2025, 7:59:17 AM (5 days ago)
to Wazuh | Mailing List
Hey Dom,

My prior message was not sent for some reason.

I was saying that you should be able to set up the MS Graph integration with directoryAudits, which will give you access to Entra ID policy changes events.
I'm not 100% sure that these events will trigger rules, though, and I don't have an Azure environment to test this on. But if you set up Graph and hand me over the raw logs, I can help you write custom rules here.

Regards,
Fede

wazuh

Nov 28, 2025, 4:22:15 AM (3 days ago)
to Wazuh | Mailing List
I have set it up with directoryAudits; however, I am struggling to find the specific event. I do not have an environment myself that I could get raw logs from, so I was hoping there already was some sort of solution for this Microsoft change, as MFA is quite important to track.

Federico Gustavo Galland

Nov 28, 2025, 6:08:18 AM (3 days ago)
to Wazuh | Mailing List
Dom,

Wazuh allows you to dump every event in raw form (as received from the data source) if you set <logall_json> to "yes" in /var/ossec/etc/ossec.conf and restart your manager afterwards.
The raw events will then be output to /var/ossec/logs/archives/archives.json.
You would now need to trigger a policy change and, if the Graph integration is properly set up, you should see the event in archives.json.
You can share a sanitized version of that here so we can work out a rule to match it.

Let me know if you find any issues in this process.

Regards,
Fede
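A helper for the archives.json step above, added here as an example and not code from the Wazuh project or from anyone in the thread: it scans archives.json lines for ms-graph directoryAudits events whose activityDisplayName mentions Conditional Access and prints the fields a custom rule would match on. The nesting (`data.integration` / `data.ms-graph.*`) and the sample lines are assumptions constructed for the example; confirm them against your own archives.json before writing the rule.

```python
import json

# Constructed sample archives.json lines (not real client data). The field layout
# is an ASSUMPTION about how the ms-graph wodle nests directoryAudits events.
SAMPLE_ARCHIVE_LINES = [
    json.dumps({"timestamp": "2025-11-28T10:00:00.000+0000", "data": {
        "integration": "ms-graph", "ms-graph": {
            "relationship": "directoryAudits", "category": "Policy",
            "activityDisplayName": "Update conditional access policy",
            "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
            "targetResources": [{"displayName": "Require MFA for all users",
                                 "type": "Policy"}]}}}),
    # Unrelated directory audit: must not match.
    json.dumps({"timestamp": "2025-11-28T10:01:00.000+0000", "data": {
        "integration": "ms-graph", "ms-graph": {
            "relationship": "directoryAudits", "category": "UserManagement",
            "activityDisplayName": "Update user", "result": "success"}}}),
    "this line is not JSON and is skipped",
]

CA_KEYWORD = "conditional access"  # matches Add/Update/Delete conditional access policy


def is_ca_policy_change(event: dict) -> bool:
    """True for an ms-graph directoryAudits event about a Conditional Access policy."""
    data = event.get("data", {})
    if data.get("integration") != "ms-graph":
        return False
    graph = data.get("ms-graph", {})
    if graph.get("relationship") != "directoryAudits":
        return False
    return CA_KEYWORD in graph.get("activityDisplayName", "").lower()


def find_ca_policy_changes(lines) -> list:
    """Return the rule-relevant fields of every matching line; skips non-JSON lines."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not is_ca_policy_change(event):
            continue
        graph = event["data"]["ms-graph"]
        hits.append({
            "timestamp": event.get("timestamp"),
            "activity": graph.get("activityDisplayName"),
            "result": graph.get("result"),
            "actor": graph.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
            "policies": [t.get("displayName") for t in graph.get("targetResources", [])],
        })
    return hits


if __name__ == "__main__":
    for hit in find_ca_policy_changes(SAMPLE_ARCHIVE_LINES):  # swap in open(".../archives.json")
        print(hit)
```

The printed keys (activityDisplayName, result, initiatedBy, targetResources) are the ones to test with `<field name="ms-graph....">` in the custom rule once a real event confirms the layout.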

wazuh

Nov 28, 2025, 8:34:59 AM (3 days ago)
to Wazuh | Mailing List
Hi, yes, I do know that; however, I do not control when a client will change the MFA configuration through a Conditional Access policy, and the client's O365 is managed by another provider, so it is pretty much not possible to get them to send some test events on demand. I will try to find a way to make a rule for this and will write here once I do.

Federico Gustavo Galland

Nov 28, 2025, 9:11:03 AM (3 days ago)
to Wazuh | Mailing List
Dom,

I was not able to find a sample event either. Let us know as soon as you get hold of one so we can attest it is triggering a rule.

Regards,
Fede