Attackers may delete or modify named locations in Entra ID to bypass Conditional Access policies and gain unauthorized access to sensitive resources. SOC teams should proactively hunt for this behavior to detect potential sabotage of network access controls and prevent lateral movement or data exfiltration.
KQL Query
```kusto
let timeframe = 14d;
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where Category =~ "Policy"
| where OperationName in~ (
    "Add named location",
    "Update named location",
    "Delete named location"
)
| where Result =~ "success"
| extend LocationName = tostring(TargetResources[0].displayName)
| extend LocationId = tostring(TargetResources[0].id)
| extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorApp = tostring(InitiatedBy.app.displayName)
| extend ActorIp = iff(
    isnotempty(tostring(InitiatedBy.user.ipAddress)),
    tostring(InitiatedBy.user.ipAddress),
    tostring(InitiatedBy.app.ipAddress))
| extend Actor = iff(isnotempty(ActorUpn), ActorUpn, ActorApp)
| extend AccountName = iff(ActorUpn has "@",
    tostring(split(ActorUpn, "@")[0]), Actor)
| extend AccountUPNSuffix = iff(ActorUpn has "@",
    tostring(split(ActorUpn, "@")[1]), "")
| project
    TimeGenerated,
    OperationName,
    LocationName,
    LocationId,
    Actor,
    AccountName,
    AccountUPNSuffix,
    ActorIp,
    CorrelationId
| sort by TimeGenerated desc
```
```yaml
id: ef54a29b-136c-42a3-9d37-49fd67e2598b
name: Entra ID named location deleted or modified
description: Identifies deletions or modifications to named locations in Entra ID, which may indicate an attacker weakening Conditional Access enforcement by removing trusted network definitions.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562.001
query: |
  let timeframe = 14d;
  AuditLogs
  | where TimeGenerated >= ago(timeframe)
  | where Category =~ "Policy"
  | where OperationName in~ (
      "Add named location",
      "Update named location",
      "Delete named location"
  )
  | where Result =~ "success"
  | extend LocationName = tostring(TargetResources[0].displayName)
  | extend LocationId = tostring(TargetResources[0].id)
  | extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
  | extend ActorApp = tostring(InitiatedBy.app.displayName)
  | extend ActorIp = iff(
      isnotempty(tostring(InitiatedBy.user.ipAddress)),
      tostring(InitiatedBy.user.ipAddress),
      tostring(InitiatedBy.app.ipAddress))
  | extend Actor = iff(isnotempty(ActorUpn), ActorUpn, ActorApp)
  | extend AccountName = iff(ActorUpn has "@",
      tostring(split(ActorUpn, "@")[0]), Actor)
  | extend AccountUPNSuffix = iff(ActorUpn has "@",
      tostring(split(ActorUpn, "@")[1]), "")
  | project
      TimeGenerated,
      OperationName,
      LocationName,
      LocationId,
      Actor,
      AccountName,
      AccountUPNSuffix,
      ActorIp,
      CorrelationId
  | sort by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ActorIp
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: descambiado
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure this data connector is enabled |
The filter expressions in the scenarios below use illustrative field names; in the query above the equivalent columns are LocationName (the named location touched) and Actor / ActorIp (the user or application that made the change), so exclusions should be written against those.

Scenario: Scheduled job updates location settings
Description: A system administrator runs a scheduled job to update location settings for compliance with new network policies.
Filter/Exclusion: location_name NOT IN ('CorpNetwork', 'HQ') or check for event_source = "ScheduledTask"

Scenario: Admin modifies location for testing Conditional Access policies
Description: An admin temporarily modifies a location to test how Conditional Access policies behave under different network conditions.
Filter/Exclusion: user_principal_name = "[email protected]" or event_source = "AzurePortal"

Scenario: Automated tool syncs location data with on-premises Active Directory
Description: A synchronization tool (e.g., Azure AD Connect) updates Entra ID locations based on changes in on-premises AD.
Filter/Exclusion: event_source = "AzureADConnect" or tool_name = "Azure AD Connect"

Scenario: Location renamed during organizational restructuring
Description: A company restructures its departments, leading to the renaming of a location to reflect a new business unit.
Filter/Exclusion: user_principal_name = "[email protected]" or change_type = "rename"

Scenario: Location modified by a third-party identity management tool
Description: A third-party tool (e.g., Okta, Ping Identity) updates Entra ID locations as part of a federated identity sync.
Filter/Exclusion: event_source = "Okta" or event_source = "PingIdentity" or tool_name = "ThirdPartySyncTool"
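As an added example (not part of the original rule or the author's code), the following Python reproduces the hunt's filtering and actor derivation over constructed AuditLogs-shaped records, including the app-initiated case where `InitiatedBy.user` is empty, and then applies the triage idea from the scenarios above: approved automation is suppressed unless it touched a protected location. The `row` helper, sample UPNs, IPs, location names and `LocationSyncJob` are all constructed; `NAMED_LOCATION_OPS` and the column names mirror the query.

```python
from datetime import datetime, timedelta, timezone

NAMED_LOCATION_OPS = {"add named location", "update named location", "delete named location"}

def row(ts, op, result, loc, upn=None, app=None, ip=None):
    """Build a constructed AuditLogs-shaped record (sample data, not a real tenant)."""
    by = {"user": {"userPrincipalName": upn, "ipAddress": ip} if upn else {},
          "app": {"displayName": app, "ipAddress": ip} if app else {}}
    return {"TimeGenerated": ts, "Category": "Policy", "OperationName": op, "Result": result,
            "TargetResources": [{"displayName": loc, "id": "loc-" + loc.lower()}], "InitiatedBy": by}

NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
SAMPLE_AUDITLOGS = [  # constructed: user-initiated delete, app-initiated update, a failure, a stale add
    row("2024-06-14T08:00:00+00:00", "Delete named location", "success", "CorpNetwork",
        upn="eve@contoso.example", ip="203.0.113.10"),
    row("2024-06-13T02:00:00+00:00", "Update named location", "success", "BranchVPN",
        app="LocationSyncJob", ip="198.51.100.5"),
    row("2024-06-12T09:00:00+00:00", "Delete named location", "failure", "HQ", upn="mallory@contoso.example"),
    row("2024-05-01T09:00:00+00:00", "Add named location", "success", "OldSite", upn="bob@contoso.example"),
]

def hunt_named_location_changes(rows, now=NOW, timeframe=timedelta(days=14)):
    """Mirror the KQL hunt: time window, Policy category, the three operations, successes only."""
    hits = []
    for r in rows:
        if datetime.fromisoformat(r["TimeGenerated"]) < now - timeframe:
            continue
        if (r.get("Category", "").lower() != "policy"
                or r.get("OperationName", "").lower() not in NAMED_LOCATION_OPS
                or r.get("Result", "").lower() != "success"):
            continue
        user = r["InitiatedBy"].get("user") or {}
        app = r["InitiatedBy"].get("app") or {}
        upn = user.get("userPrincipalName") or ""
        actor = upn or app.get("displayName") or ""  # Actor = iff(isnotempty(ActorUpn), ActorUpn, ActorApp)
        # AccountName/UPNSuffix: split the UPN; an app actor keeps its display name and an empty suffix
        name, suffix = upn.split("@", 1) if "@" in upn else (actor, "")
        target = (r.get("TargetResources") or [{}])[0]
        hits.append({"TimeGenerated": r["TimeGenerated"], "OperationName": r["OperationName"],
                     "LocationName": target.get("displayName", ""), "LocationId": target.get("id", ""),
                     "Actor": actor, "AccountName": name, "AccountUPNSuffix": suffix,
                     "ActorIp": user.get("ipAddress") or app.get("ipAddress") or ""})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)  # sort by TimeGenerated desc

def needs_review(hits, approved_actors, protected_locations=("CorpNetwork", "HQ")):
    """Triage step from the tuning notes: suppress approved automation unless it touched a protected location."""
    return [h for h in hits
            if h["Actor"] not in approved_actors or h["LocationName"] in protected_locations]
```

Running `needs_review(hunt_named_location_changes(SAMPLE_AUDITLOGS), {"LocationSyncJob"})` leaves only the user-initiated deletion of CorpNetwork; the failed delete and the event older than 14 days never reach the result set.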