
MFA Fatigue Attacks in Microsoft 365: Why Risk-Based Conditional Access Is Non-Negotiable (EID-EXP-008)

4 March 2026 by
Jaspreet Singh


Multi-Factor Authentication (MFA) is widely deployed across Microsoft 365 tenants.

However, MFA fatigue attacks continue to succeed in environments that rely only on push notifications and lack risk-based enforcement.

In a recent controlled lab experiment (f11.ca – EID-EXP-008), we simulated repeated MFA push attempts to assess how Microsoft’s identity risk engine responds to varying telemetry conditions. (Microsoft Digital Defense Report 2024, 2024)

The findings underscore a key point:

MFA is an authentication control.
Identity Protection is a risk control.
Both are essential.

NOTE: This analysis is based on real tenant observations and controlled experiments documented on f11.ca (Experiment ID: EID-EXP-008).

Hands-on Lab (f11)

Understanding MFA Fatigue

MFA fatigue occurs when:

  1. An attacker obtains valid credentials (phishing, spray, or infostealer).
  2. The attacker repeatedly initiates login attempts.
  3. The victim receives multiple push notifications.
  4. The victim eventually approves one request.

This technique has been used in several high-profile breaches because it exploits human behavior rather than technical vulnerabilities. (MFA Fatigue Attacks: Exploiting Human Error, 2025) Push-based MFA without contextual risk enforcement remains susceptible to social engineering. (Phishing-resistant MFA, 2023)

Lab Architecture Overview

Environment:

  • Microsoft 365 E5 tenant
  • Entra ID P2 licensing
  • Microsoft Authenticator (push)
  • Risk-based Conditional Access policies

Core platform components:

  • Microsoft Entra ID
  • Microsoft Entra Identity Protection
  • Microsoft Entra Conditional Access

Key Technical Findings

1. MFA Repetition Alone Is Not a Strong Risk Signal

Repeated MFA prompts from the same IP and device did not consistently trigger high sign-in risk. (Defend your users from MFA fatigue attacks, 2022)

Identity Protection relies on correlated signals such as:

  • Anonymous IP usage
  • Geo-velocity anomalies
  • Unfamiliar sign-in properties
  • Device fingerprint changes
  • Malware-linked IP reputation (Identity Protection alerts now available in Microsoft 365 Defender, 2022)

Without additional telemetry variation, risk elevation may remain low.

Implication:

If an attacker uses a residential proxy or a previously observed IP range, risk detection may not escalate immediately. (Securing Microsoft 365: Avoiding Multi-factor Authentication Bypass Vulnerabilities, 2024) 

2. Risk Escalation Is Correlation-Based

When repeated MFA attempts were combined with:

  • VPN-based IP variance
  • TOR exit node
  • Device attribute change

Sign-in risk increased to Medium or High. (Microsoft Entra ID Protection Anonymized IP Risk Detection, 2024)

Once the user risk was elevated to High:

  • Conditional Access triggered password reset enforcement
  • Risk state cleared post-remediation (Remediate risks and unblock users - Microsoft Entra ID Protection | Microsoft Learn, 2025)

This highlights the importance of automated remediation workflows linked to risk scoring.

3. Conditional Access Without Risk Conditions Is Incomplete

Many tenants deploy policies such as:

  • Require MFA for all users
  • Block legacy authentication

But omit:

  • Sign-in risk policies
  • User risk policies

Without these policies, the system does not automatically respond to elevated identity risk. (Sign-in risk-based multifactor authentication - Microsoft Entra ID | Microsoft Learn, 2024)

MFA prompts continue to depend on users rejecting unauthorized requests.

This approach does not align with Zero Trust principles; it is user-dependent security.

Architectural Recommendations for Identity Resilience

For enterprise and mid-market environments, the minimum baseline should consist of the following:

1. Enforce Phishing-Resistant MFA

  • Enable number matching
  • Prefer FIDO2 where possible

2. Deploy Sign-in Risk Policy

Condition: Medium and above

Action: Require MFA or block

3. Deploy User Risk Policy

Condition: High

Action: Require secure password reset

4. Block Legacy Authentication

Legacy protocols can bypass modern authentication protections. (Block legacy authentication with Conditional Access - Microsoft Entra ID, 2024)
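Recommendations 2 through 4 translate directly into three Conditional Access policies. The following Python is an added example, not the f11.ca lab's configuration or Microsoft's code: it builds the sign-in risk, user risk and legacy-authentication policies as Microsoft Graph conditionalAccessPolicy payloads, runs the checks a reviewer would want before they reach the tenant, and can POST them to Graph with a bearer token that has the Policy.ReadWrite.ConditionalAccess permission. The policy display names and the break-glass account identifier are assumptions; the policies are created in report-only mode so the Conditional Access evaluation results can be reviewed before enforcement.

```python
# Added example (not the f11.ca lab's configuration): the sign-in risk,
# user risk and legacy-authentication policies from the recommendations
# above, expressed as Microsoft Graph conditionalAccessPolicy payloads,
# plus the checks a reviewer would run before creating them. Policy names
# and the break-glass account IDs are assumptions.
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def _skeleton(display_name, exclude_users, state="enabledForReportingButNotEnforced"):
    """All users and all cloud apps, minus the excluded (break-glass) accounts.
    Policies start in report-only mode so evaluation results can be reviewed
    in the sign-in logs before the state is switched to "enabled"."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
        },
    }


def sign_in_risk_policy(exclude_users=(), block=False):
    """Sign-in risk Medium and above: require MFA, or block when block=True."""
    policy = _skeleton("CA-SignInRisk-MediumHigh", exclude_users)
    policy["conditions"]["signInRiskLevels"] = ["medium", "high"]
    policy["grantControls"] = {"operator": "OR",
                               "builtInControls": ["block" if block else "mfa"]}
    return policy


def user_risk_policy(exclude_users=()):
    """User risk High: require MFA AND a secure password change, which is what
    lets Identity Protection clear the user's risk state after remediation."""
    policy = _skeleton("CA-UserRisk-High", exclude_users)
    policy["conditions"]["userRiskLevels"] = ["high"]
    policy["grantControls"] = {"operator": "AND",
                               "builtInControls": ["mfa", "passwordChange"]}
    return policy


def block_legacy_auth_policy(exclude_users=()):
    """Block Exchange ActiveSync and other clients that cannot use modern auth."""
    policy = _skeleton("CA-Block-LegacyAuth", exclude_users)
    policy["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy


def validate(policy):
    """Return a list of problems; an empty list means the payload is safe to send."""
    problems = []
    users = policy["conditions"]["users"]
    grant = policy["grantControls"]
    if users["includeUsers"] == ["All"] and not users["excludeUsers"]:
        problems.append("no excluded break-glass account")
    if "passwordChange" in grant["builtInControls"] and (
            grant["operator"] != "AND" or "mfa" not in grant["builtInControls"]):
        problems.append("passwordChange requires mfa with operator AND")
    if "block" in grant["builtInControls"] and len(grant["builtInControls"]) > 1:
        problems.append("block cannot be combined with other grant controls")
    return problems


def create_policy(access_token, policy):
    """POST the payload to Graph (Policy.ReadWrite.ConditionalAccess permission).
    Refuses to send a payload that fails validate(). Network call, not run in tests."""
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    break_glass = ["<break-glass-account-object-id>"]    # placeholder, not a real ID
    for build in (sign_in_risk_policy, user_risk_policy, block_legacy_auth_policy):
        p = build(exclude_users=break_glass)
        print(json.dumps(p, indent=2), validate(p) or "ok")
```

The `validate()` checks encode two Conditional Access rules worth remembering: "Require password change" only works together with "Require multifactor authentication" under "Require all the selected controls", and "Block access" cannot be combined with any other grant control. Excluding at least one break-glass account from every policy keeps a mis-scoped risk policy from locking administrators out.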

5. Monitor Risk Telemetry Weekly

Review:

  • Risky users
  • Risk detections
  • Anomalous sign-ins
  • Conditional Access evaluation results
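The weekly review above is easiest to keep up when it is scripted against the risk telemetry rather than clicked through in the portal. The following Python is an added example using constructed sample data, not observations from the f11.ca tenant: it takes records shaped like the Microsoft Graph riskyUsers and riskDetections resources and answers the review questions in one pass, namely what was detected this week and at which level, which users are still at High risk, which of those have sat unremediated for days (a sign the user risk policy is not actually firing), and whose risk was cleared by remediation. The time window, staleness threshold and user names are assumptions.

```python
# Added example (constructed sample data, not tenant observations): a weekly
# triage over records shaped like the Graph riskyUsers and riskDetections
# resources. It answers the review questions above: what was detected, which
# users are still at High risk, whether automated remediation has cleared
# them, and which High-risk users have sat unremediated for days.
from collections import Counter
from datetime import datetime, timedelta


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


# Constructed riskyUsers records (riskState: atRisk, remediated, dismissed, ...).
SAMPLE_RISKY_USERS = [
    {"userPrincipalName": "alice@contoso.example", "riskLevel": "high",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2026-02-20T10:00:00Z"},
    {"userPrincipalName": "bob@contoso.example", "riskLevel": "medium",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2026-03-02T10:00:00Z"},
    {"userPrincipalName": "carol@contoso.example", "riskLevel": "high",
     "riskState": "remediated", "riskLastUpdatedDateTime": "2026-03-01T10:00:00Z"},
    {"userPrincipalName": "dave@contoso.example", "riskLevel": "low",
     "riskState": "dismissed", "riskLastUpdatedDateTime": "2026-02-27T10:00:00Z"},
]

# Constructed riskDetections records using Graph riskEventType names.
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "malwareInfectedIPAddress",
     "riskLevel": "high", "detectedDateTime": "2026-02-20T09:55:00Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium", "detectedDateTime": "2026-03-02T09:50:00Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "detectedDateTime": "2026-03-02T09:55:00Z"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "high", "detectedDateTime": "2026-03-01T09:40:00Z"},
]


def weekly_risk_review(risky_users, detections, now, window_days=7, stale_days=3):
    """Summarise the last `window_days` of risk telemetry. A High-risk user still
    atRisk for more than `stale_days` means the user risk policy has not fired
    (report-only, user excluded, or no interactive sign-in since) and needs a
    manual look."""
    since = now - timedelta(days=window_days)
    recent = [d for d in detections if _ts(d["detectedDateTime"]) >= since]

    open_high = [u["userPrincipalName"] for u in risky_users
                 if u["riskState"] == "atRisk" and u["riskLevel"] == "high"]
    stale_high = [u["userPrincipalName"] for u in risky_users
                  if u["riskState"] == "atRisk" and u["riskLevel"] == "high"
                  and now - _ts(u["riskLastUpdatedDateTime"]) > timedelta(days=stale_days)]
    remediated = [u["userPrincipalName"] for u in risky_users
                  if u["riskState"] == "remediated"
                  and _ts(u["riskLastUpdatedDateTime"]) >= since]

    return {
        "detections_in_window": len(recent),
        "by_event_type": dict(Counter(d["riskEventType"] for d in recent)),
        "by_level": dict(Counter(d["riskLevel"] for d in recent)),
        "open_high_risk_users": sorted(open_high),
        "stale_high_risk_users": sorted(stale_high),
        "remediated_in_window": sorted(remediated),
    }


if __name__ == "__main__":
    report = weekly_risk_review(SAMPLE_RISKY_USERS, SAMPLE_DETECTIONS,
                                now=datetime(2026, 3, 4))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data, carol shows the intended flow (High risk, password reset, risk state cleared), while alice shows the failure mode the review is meant to catch: High risk that has stayed open for nearly two weeks, which a working user risk policy should not allow.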

Why This Matters for Security Leaders

Security budgets often focus on:

  • EDR
  • Email filtering
  • Network perimeter

But identity is now the primary attack surface. (Vast majority of breaches enabled by preventable gaps, identity weaknesses says Palo Alto Networks, 2026)

If attackers compromise Microsoft 365 identity:

  • Email becomes a weapon.
  • SharePoint becomes a distribution channel.
  • Teams becomes a lateral movement tool.
  • OAuth apps become persistent mechanisms. (Microsoft SharePoint exploited to hack multiple energy firms, 2026)

MFA fatigue reflects a deeper issue:

Organizations are enabling controls without implementing intelligence. (Weinert, 2022)

Strategic Takeaway

Authentication strength alone does not prevent identity compromise.

Effective defense requires:

  • Authentication
  • Risk scoring
  • Automated policy enforcement
  • Remediation workflows

When properly configured, Entra’s identity risk engine transitions security from reactive to adaptive. (Nechaeva, 2025)

Without it, MFA functions as a notification system rather than a protection system.

Closing Perspective

Security leaders should audit their tenant and ask:

  • Are sign-in risk policies active?
  • Are user risk policies enforced automatically?
  • Is number matching mandatory?
  • Are we monitoring risk telemetry regularly?

If the answer to any of these questions is no, your identity layer may not be as resilient as assumed.

In modern Microsoft environments, identity is the perimeter.

Prioritize it accordingly.

Related Evidence & Guidance

Hands-on Lab (f11)

Business Risk View


Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.


References

(October 31, 2024). Microsoft Digital Defense Report 2024. Microsoft. https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Exec%20Summary_2024%20Microsoft%20Digital%20Defense%20Report.pdf

(2025). MFA Fatigue Attacks: Exploiting Human Error. Material Security. https://material.security/workspace-resources/why-mfa-fatigue-attacks-slip-past-two-factor-security

(2023). Phishing-resistant MFA. Microsoft Learn. https://learn.microsoft.com/en-us/security/zero-trust/sfi/phishing-resistant-mfa

(2022). Defend your users from MFA fatigue attacks. Microsoft Entra Blog. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/2365677

(October 3, 2022). Identity Protection alerts now available in Microsoft 365 Defender. Microsoft Community Hub. https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/identity-protection-alerts-now-available-in-microsoft-365-defender/3648872

(November 30, 2024). Securing Microsoft 365: Avoiding Multi-factor Authentication Bypass Vulnerabilities. Kroll. https://www.kroll.com/en/insights/publications/cyber/securing-microsoft-365-avoiding-multi-factor-authentication-bypass-vulnerabilities

(2024). Microsoft Entra ID Protection Anonymized IP Risk Detection. Elastic Security Solution. https://www.elastic.co/guide/en/security/current/microsoft-entra-id-protection-anonymized-ip-risk-detection.html

(2025). Remediate risks and unblock users - Microsoft Entra ID Protection | Microsoft Learn. Microsoft Learn. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-remediate-unblock

(2024). Sign-in risk-based multifactor authentication - Microsoft Entra ID | Microsoft Learn. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-risk-based-sign-in

(2024). Block legacy authentication with Conditional Access - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication

(February 14, 2026). Microsoft SharePoint exploited to hack multiple energy firms. TechRadar. https://www.techradar.com/pro/security/microsoft-sharepoint-exploited-to-hack-multiple-energy-firms

(February 16, 2026). Vast majority of breaches enabled by preventable gaps, identity weaknesses says Palo Alto Networks. Palo Alto Networks. https://www.itpro.com/security/cyber-attacks/vast-majority-breaches-enabled-preventable-gaps-identity-weaknesses-palo-alto-networks

Weinert, A. (2022). Defend your users from MFA fatigue attacks. Microsoft Entra Blog. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/2365677

Nechaeva, I. (August 3, 2025). Microsoft Entra Suite delivers 131% ROI by unifying identity and network access. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2025/08/04/microsoft-entra-suite-delivers-131-roi-by-unifying-identity-and-network-access/
