Description
Summary
This detection monitors for changes to the OIDC Discovery URL within the Entra ID Authentication Methods Policy. Malicious actors can abuse this configuration to point Entra ID to an attacker-controlled OpenID Connect (OIDC) Identity Provider (IdP), effectively enabling Bring Your Own IdP (BYOIDP) attacks. By modifying the discovery endpoint, adversaries may bypass multi-factor authentication (MFA) and gain persistent, federated access to Entra ID–protected applications.
Misuse of OIDC federation via discovery URL changes is a high-impact identity-based attack vector. Attackers can establish trust with Entra ID using rogue IdPs, leading to unauthorized SSO access across Microsoft 365, Azure, and other connected services. Because this abuse can happen silently at the configuration layer, detection coverage is essential to catch malicious changes early and prevent federated account takeover.
ref: https://www.youtube.com/watch?v=eKFgOtNpxwU
ref: https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/
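As an added illustration of the detection described above (not code from this repository), the following Python runs over constructed Entra ID audit records in the Microsoft Graph directoryAudit shape (`activityDisplayName`, `initiatedBy`, `targetResources[].modifiedProperties[]` with `displayName`/`oldValue`/`newValue`). The exact activity string and the property name carrying the OIDC discovery URL are assumptions, so matching is pattern-driven and should be adjusted to the tenant's real audit output. Every change to a discovery-URL property produces an alert; an allowlist of expected IdP hosts only lowers the severity of changes that still point at a known partner, so an unexpected issuer host stands out as high severity.

```python
import json
from urllib.parse import urlparse

# Constructed sample audit records (not real telemetry). Field layout follows
# the Microsoft Graph directoryAudit shape; the activity string and the
# discovery-URL property name are assumptions for this example.
SAMPLE_EVENTS = [
    {  # discovery URL repointed to an unknown host: should alert as high
        "activityDisplayName": "Update authentication methods policy",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "displayName": "Authentication Methods Policy",
            "modifiedProperties": [{
                "displayName": "ExternalAuthenticationMethod.OidcDiscoveryUrl",  # assumed name
                "oldValue": json.dumps("https://idp.partner.example/.well-known/openid-configuration"),
                "newValue": json.dumps("https://rogue-idp.example/.well-known/openid-configuration"),
            }],
        }],
    },
    {  # unrelated property on the same policy: no alert
        "activityDisplayName": "Update authentication methods policy",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "displayName": "Authentication Methods Policy",
            "modifiedProperties": [{
                "displayName": "SmsState",
                "oldValue": json.dumps("disabled"),
                "newValue": json.dumps("enabled"),
            }],
        }],
    },
    {  # discovery URL changed by a service principal, but to an allow-listed host: low severity
        "activityDisplayName": "Update authentication methods policy",
        "initiatedBy": {"app": {"displayName": "IdP-Automation"}},
        "targetResources": [{
            "displayName": "Authentication Methods Policy",
            "modifiedProperties": [{
                "displayName": "ExternalAuthenticationMethod.OidcDiscoveryUrl",  # assumed name
                "oldValue": json.dumps("https://idp.partner.example/.well-known/openid-configuration"),
                "newValue": json.dumps("https://idp.partner.example/v2/.well-known/openid-configuration"),
            }],
        }],
    },
]

# Constructed allowlist of IdP hosts the tenant is expected to federate with.
TRUSTED_IDP_HOSTS = {"idp.partner.example"}


def _decode(value):
    """Graph serialises old/new values as JSON strings; decode when possible."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def _actor(event):
    """Return a printable actor for either a user- or app-initiated change."""
    who = event.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "<unknown user>")
    if who.get("app"):
        return who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def is_discovery_url_property(name):
    """Heuristic match for the property holding the OIDC discovery endpoint."""
    n = name.lower()
    return "discovery" in n and ("oidc" in n or "openid" in n or "url" in n)


def detect_discovery_url_changes(events, trusted_hosts=TRUSTED_IDP_HOSTS):
    """Alert on every modification of an OIDC discovery URL in the
    authentication methods policy; rank by whether the new host is expected."""
    alerts = []
    for ev in events:
        if "authentication methods policy" not in ev.get("activityDisplayName", "").lower():
            continue
        for res in ev.get("targetResources", []):
            for prop in res.get("modifiedProperties", []):
                if not is_discovery_url_property(prop.get("displayName", "")):
                    continue
                old, new = _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
                if old == new:
                    continue  # no effective change
                new_host = urlparse(new).hostname if isinstance(new, str) else None
                alerts.append({
                    "actor": _actor(ev),
                    "property": prop.get("displayName"),
                    "old": old,
                    "new": new,
                    "new_host": new_host,
                    "severity": "low" if new_host in trusted_hosts else "high",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_discovery_url_changes(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['actor']} changed {a['property']}: "
              f"{a['old']} -> {a['new']}")
```

In production the allowlist is the only tenant-specific input; keep it tight and treat a `high` alert as a federated-trust change that warrants verifying the new issuer with the identity team before users can sign in through it.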