Labels: bug (Something isn't working)
Description
Describe the bug
I noticed that the detection "O365 New MFA Method Registered" did not increase my risk score after I registered a new mobile authenticator app. Upon investigation, I discovered that the current search only detects changes to the `StrongAuthenticationMethod` field, whereas my new app was recorded as a change to the `StrongAuthenticationPhoneAppDetail` field.
Expected behavior
I expect the search to discover and increase risk for all newly registered MFA methods.
App Version:
- ESCU: v5.19.0
Additional context
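Sample Event (the relevant `ModifiedProperties` entry is named `StrongAuthenticationPhoneAppDetail`; its `NewValue` lists three authenticator app entries while `OldValue` lists two, the added one being "iPhone 16 Pro"). The `SecuredPartitionId` and `SecuredKeyId` values of `00000` inside those strings appear to be redacted and are not valid JSON numbers, so the embedded arrays will not parse with a strict JSON parser as shown.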
{
"CreationTime": "2026-01-16T12:00:00",
"Id": "861d8ef8-c283-418c-9e55-4c111c3599a0",
"Operation": "Update user.",
"OrganizationId": "9a02d81c-f0e0-4598-be8a-56895708611d",
"RecordType": 8,
"ResultStatus": "Success",
"UserKey": "Not Available",
"UserType": 4,
"Version": 1,
"Workload": "AzureActiveDirectory",
"ObjectId": "John.Doe@example.org",
"UserId": "ServicePrincipal_bf3dc3a7-50d5-4a75-a5a1-3eaecb50617d",
"AzureActiveDirectoryEventType": 1,
"ExtendedProperties": [
{
"Name": "additionalDetails",
"Value": "{\"UserType\":\"Member\"}"
},
{
"Name": "extendedAuditEventCategory",
"Value": "User"
}
],
"ModifiedProperties": [
{
"Name": "StrongAuthenticationPhoneAppDetail",
"NewValue": "[\r\n {\r\n \"DeviceName\": \"iPhone\",\r\n \"DeviceToken\": \"apns2-bb8249525d3ae2d290d698c762fc9a680e06bc29f3c745da8b1cd85d4503c946\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.8.40\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"b8b75645-bd44-4993-a950-e6dc61b21a1b\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 2,\r\n \"LastAuthenticatedTimestamp\": \"2026-01-16T12:00:00.0000000Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 00000,\r\n \"SecuredKeyId\": 00000\r\n },\r\n {\r\n \"DeviceName\": \"iPhone 13\",\r\n \"DeviceToken\": \"apns2-ea983ac318a6a4c7a8f2284acca702d505edc698a1b5e4ac9d93e9de85465820\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.2105.3263\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"1ce963c8-69ce-4306-aece-a207c855d240\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2026-01-16T12:00:00.0000000Z\",\r\n \"AuthenticatorFlavor\": null,\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 00000,\r\n \"SecuredKeyId\": 00000\r\n },\r\n {\r\n \"DeviceName\": \"iPhone 16 Pro\",\r\n \"DeviceToken\": \"apns2-4c852672f12869d906f1bbeee155e5e0bec57fdfa7b3e6200c4f3303f9b03691\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.8.40\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"42442de4-aab0-415e-9821-dccb05860308\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 2,\r\n \"LastAuthenticatedTimestamp\": \"2026-01-16T12:00:00.000000Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": 
null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 00000,\r\n \"SecuredKeyId\": 0\r\n }\r\n]",
"OldValue": "[\r\n {\r\n \"DeviceName\": \"iPhone\",\r\n \"DeviceToken\": \"apns2-bb8249525d3ae2d290d698c762fc9a680e06bc29f3c745da8b1cd85d4503c946\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.8.40\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"b8b75645-bd44-4993-a950-e6dc61b21a1b\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 2,\r\n \"LastAuthenticatedTimestamp\": \"2026-01-16T12:00:00.0000000Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 00000,\r\n \"SecuredKeyId\": 00000\r\n },\r\n {\r\n \"DeviceName\": \"iPhone 13\",\r\n \"DeviceToken\": \"apns2-ea983ac318a6a4c7a8f2284acca702d505edc698a1b5e4ac9d93e9de85465820\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.2105.3263\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"1ce963c8-69ce-4306-aece-a207c855d240\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2026-01-16T12:00:00.0000000Z\",\r\n \"AuthenticatorFlavor\": null,\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 00000,\r\n \"SecuredKeyId\": 00000\r\n }\r\n]"
},
{
"Name": "Included Updated Properties",
"NewValue": "StrongAuthenticationPhoneAppDetail",
"OldValue": ""
},
{
"Name": "TargetId.UserType",
"NewValue": "Member",
"OldValue": ""
}
],
"Actor": [
{
"ID": "Azure MFA StrongAuthenticationService",
"Type": 1
},
{
"ID": "b4dfc487-a747-4a11-951c-5565c565b996",
"Type": 2
},
{
"ID": "ServicePrincipal_bf3dc3a7-50d5-4a75-a5a1-3eaecb50617d",
"Type": 2
},
{
"ID": "bf3dc3a7-50d5-4a75-a5a1-3eaecb50617d",
"Type": 2
},
{
"ID": "ServicePrincipal",
"Type": 2
}
],
"ActorContextId": "63e2c7df-29e8-4cd7-9b0b-98f565381849",
"InterSystemsId": "ca89301a-6906-458d-aa70-baaa1d9cc906",
"IntraSystemId": "cc7d00a1-5f22-4142-a158-0b2cf84176f4",
"SupportTicketId": "",
"Target": [
{
"ID": "User_a58c7bc2-f79e-4f1e-bf0f-b764de3fbdfc",
"Type": 2
},
{
"ID": "a58c7bc2-f79e-4f1e-bf0f-b764de3fbdfc",
"Type": 2
},
{
"ID": "User",
"Type": 2
},
{
"ID": "John.Doe@example.org",
"Type": 5
},
{
"ID": "5F53182DF476D92C",
"Type": 3
}
],
"TargetContextId": "8a4f50fa-173c-46ab-b4e6-f4731b8a26bb"
}