Cayosoft Guardian - CTD-000044: Privileged Microsoft Entra account not covered by MFA policy
Overview
CTD-000044 identifies privileged Microsoft Entra ID accounts that are not protected by enforced multi-factor authentication (MFA).
Accounts that do not use MFA are vulnerable to modern identity-based attacks. Password-only authentication provides insufficient protection against threats such as phishing, password spraying, and credential reuse.
Privileged accounts without enforced MFA pose a high risk. If compromised, a threat actor may gain elevated access, establish persistence, and cause significant impact within the environment.
Microsoft reports that MFA blocks more than 99.9% of account compromise attempts by requiring an additional verification step during sign-in.
What Cayosoft Guardian detects
Cayosoft Guardian raises CTD-000044 when:
- A user has one or more privileged Microsoft Entra ID roles.
- MFA is not enforced for the account.
This can occur when MFA is not enabled or when the account is not covered by an MFA-enforcing control.
NOTE: This threat evaluates MFA enforcement, not just MFA registration.
Evidence included in the alert
The alert details may include:
- User Principal Name (UPN)
- MFA enforcement status
- Conditional Access coverage status
- Remediation eligibility, when automated remediation is enabled
This information helps explain why MFA is not effectively enforced for the privileged account.
Threat configuration settings
The following settings are available under the Settings tab for CTD-000044 and control how detection and remediation are performed.
Break glass accounts (UPN)
Use this setting to define emergency or break glass accounts that should be excluded from detection and remediation.
- Specify one or more User Principal Names (UPNs) or masks, for example: ADToAADSyncServiceAccount*
Accounts listed here:
- Are excluded from automated remediation.
- Are not modified by Conditional Access policies created by Cayosoft Guardian.
IMPORTANT: Always configure break glass accounts to prevent accidental lockout of emergency access.
Find roles by name or mask
This setting allows you to explicitly define which Microsoft Entra roles should be evaluated by name, including custom roles that are not defined by Microsoft.
You can specify:
- Built-in Microsoft Entra role names, for example, Global Administrator.
- Custom Microsoft Entra ID roles created within your tenant.
- Wildcards or masks to match multiple roles.
When configured, Cayosoft Guardian evaluates roles that match the specified names or masks.
This option is useful when your organization uses custom privileged roles or when additional roles should be treated as privileged for this threat.
Find roles by isPrivileged attribute value
When enabled, Cayosoft Guardian automatically identifies privileged roles using Microsoft’s isPrivileged role attribute.
- This detects Microsoft-defined roles that are designated as privileged.
- This option ensures coverage for built-in roles and newly introduced privileged roles.
Combined role evaluation behavior
When both options are enabled, Cayosoft Guardian evaluates the union of roles identified by:
- The isPrivileged attribute.
- The roles specified under Find roles by name or mask.
This allows Cayosoft Guardian to detect:
- Microsoft-defined privileged roles.
- Custom or tenant-specific roles that are not marked as privileged by Microsoft.
NOTE: When both options are enabled, roles are combined, not overridden. Any role identified by either method is included in evaluation.
Enable automated remediation
This setting controls whether Cayosoft Guardian is allowed to automatically remediate CTD-000044.
- Disabled (default):
  - Cayosoft Guardian raises alerts only.
  - No changes are made to Conditional Access.
- Enabled:
  - Cayosoft Guardian may automatically enforce MFA when prerequisites are met.
IMPORTANT: Automated remediation is performed only if Conditional Access is available and Security Defaults are disabled.
If these conditions are not met, Cayosoft Guardian defaults to alert-only behavior.
CA Policy Name
When automated remediation is enabled, this field defines the name of the Conditional Access policy created by Cayosoft Guardian.
Default policy name:
Cayosoft CTD-000044 – CA Policy for MFA
- The policy name is deterministic and tied to the threat ID.
- This simplifies auditing and troubleshooting.
NOTE: Cayosoft Guardian creates a new Conditional Access policy and does not modify existing policies.
Automated remediation
Cayosoft Guardian supports optional automated remediation for this threat.
When enabled and supported, Cayosoft Guardian can automatically create and enable a Conditional Access policy to enforce MFA for the affected privileged account.
Prerequisites for automated remediation
Automated remediation is performed only if all of the following are true:
- Automated remediation is explicitly enabled.
- Conditional Access is available and in use.
- Security Defaults are disabled.
IMPORTANT: Automated remediation requires elevated permissions. The account used by Cayosoft Guardian must have sufficient permissions to create and enable Conditional Access policies in Microsoft Entra ID.
IMPORTANT: Conditional Access and Security Defaults are mutually exclusive. Cayosoft Guardian will never create a Conditional Access policy if Security Defaults are enabled.
If these conditions are not met, Cayosoft Guardian raises alerts only and provides manual remediation guidance.
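The following is an added illustration, not Cayosoft Guardian's own code: it models the CTD-000044 evaluation described in the sections above (union of isPrivileged and name-mask roles, break glass exclusion, MFA enforcement rather than registration, and the Conditional Access / Security Defaults prerequisites for automated remediation). The role catalogue, user records and settings names are constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Constructed role catalogue: role name -> Microsoft isPrivileged attribute.
# "Helpdesk Operator" stands in for a custom tenant role Microsoft does not flag.
ROLE_IS_PRIVILEGED = {
    "Global Administrator": True,
    "Security Administrator": True,
    "Helpdesk Operator": False,
}

@dataclass
class Settings:
    break_glass_masks: list = field(default_factory=list)  # "Break glass accounts (UPN)"
    role_name_masks: list = field(default_factory=list)    # "Find roles by name or mask"
    use_is_privileged: bool = True                         # "Find roles by isPrivileged"
    auto_remediate: bool = False                           # "Enable automated remediation"
    conditional_access_available: bool = True
    security_defaults_enabled: bool = False

def matches(value: str, mask: str) -> bool:
    """Case-insensitive wildcard match, e.g. 'ADToAADSyncServiceAccount*'."""
    return fnmatchcase(value.lower(), mask.lower())

def privileged_roles(settings: Settings) -> set:
    """Union of both role sources: combined, never overridden."""
    roles = set()
    if settings.use_is_privileged:
        roles |= {r for r, flag in ROLE_IS_PRIVILEGED.items() if flag}
    for mask in settings.role_name_masks:
        roles |= {r for r in ROLE_IS_PRIVILEGED if matches(r, mask)}
    return roles

def evaluate(user: dict, settings: Settings) -> Optional[dict]:
    """Return CTD-000044 alert evidence, or None when the account is not affected."""
    if any(matches(user["upn"], m) for m in settings.break_glass_masks):
        return None  # break glass accounts are excluded from detection and remediation
    if not set(user["roles"]) & privileged_roles(settings):
        return None  # no privileged role held
    if user["mfa_enforced"]:
        return None  # enforcement is what counts; registration alone does not clear it
    remediable = (settings.auto_remediate and settings.conditional_access_available
                  and not settings.security_defaults_enabled)
    return {"upn": user["upn"], "mfa_registered": user["mfa_registered"],
            "mfa_enforced": False, "ca_coverage": user["ca_covered"],
            "remediation_eligible": remediable}
```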