Incident ReportsIR

IR-2026-007

MED

Mobile — Rooted Android Device on Corporate MDM

FILED:Jan 2026

TAXONOMY:T1562.001

Complexity:Standard

⏱ 32m containment

~5m read

TRUE POSITIVE — POLICY VIOLATION / DEVICE INTEGRITY FAILURE

Defender for Endpoint's Mobile Threat Defence detected a BYOD personal Android device registered to the corporate Entra ID tenant had been rooted. The device was enrolled exclusively for Microsoft Teams access. Root cause confirmed as sideloaded software. The IT team severed corporate network access and the user performed a factory reset. Classified as a policy violation, not malware-induced. Detection to network removal in 32 minutes — fastest response in this portfolio.

MDMAndroidIntuneMobileEndpoint

Outcome

▸Device removed from corporate network — risk window closed within 32 minutes

▸Factory reset completed — root modifications eradicated

▸Root cause confirmed: policy violation (sideloaded software) — no broader threat hunt required

▸Fastest triage-to-containment in this portfolio

Background & Context

Android rooting is the process of obtaining superuser (root) permissions on an Android device, typically achieved by exploiting firmware vulnerabilities or using specialist unlocking tools (Magisk, SuperSU, KingRoot). In a corporate MDM context, rooting is a critical security concern: root access bypasses the Android application sandbox, removes the separation between managed and personal data spaces, can disable MDM containerisation, and enables extraction of authentication tokens stored in Android's secure Keystore.

Defender for Endpoint MTD detects rooted devices via device health attestation signals — specifically the Android Play Integrity API, which provides hardware-attested OS integrity verification. When rooting is detected, Intune marks the device as non-compliant. Under a correctly configured Conditional Access policy, this would automatically revoke corporate resource access at the moment of detection — without requiring analyst escalation.

The BYOD context is important: this was not a corporately managed device. It was a personal phone registered to the Entra tenant solely to enable Microsoft Teams access. BYOD devices registered for corporate resource access are within the MDM monitoring perimeter and subject to the same integrity requirements as managed endpoints — a boundary that is not always clearly communicated to users.

Triage Thought Process

01Assess the detection signal. Rooting was detected via Play Integrity API — hardware-attested OS integrity check. Reliable signal, not a software heuristic.

02Immediate escalation. A rooted device on corporate MDM is an automatic escalation — the question is not whether to escalate but what information to include.

03Determine if the device was network-connected at detection. Yes — a live window of potential corporate data access existed until network removal.

04Check for credential or data access indicators. Review AADUserRiskEventsTable and CloudAppEvents for corporate data access before detection.

05Root cause matters critically. Intentional user rooting (policy violation) vs malware-induced root escalation (security incident) require completely different follow-on responses.

06Identify the Conditional Access gap. If device compliance blocking was configured, network access would have been revoked automatically at the moment Intune flagged non-compliance.

07Factory reset before re-enrolment. A full factory reset is required — not just unenrolment and re-enrolment.

Decision

Immediate escalation — device removed from network. Root cause confirmed as sideloaded software (policy violation). No broader threat hunt required. CA gap identified and documented.

Incident Timeline

30 Jan, ~10:33

Defender for Endpoint MTD detects rooted device — BYOD Android registered for Teams access

30 Jan, ~10:33

Alert: Device is rooted — Microsoft Sentinel

30 Jan, ~10:40

Analyst begins triage — device enrichment reviewed, compliance state confirmed

30 Jan, ~10:43

Internal note drafted and escalation prepared

30 Jan, ~10:44

Customer notification sent: rooted device detected, risks explained, immediate action requested

30 Jan, 11:05

Client confirms: device dealt with, removed from corporate network — user performing factory reset

30 Jan, ~11:10

Ticket closed — device removed, factory reset confirmed, root cause investigation recommended

Technical Analysis

The affected device was a personal (BYOD) Android phone registered to the corporate Entra ID tenant — not a fully managed corporate asset. It was AAD/Entra registered solely to enable Microsoft Teams access. Rooting detection was triggered by a health attestation signal: specifically, an OS integrity state inconsistent with the device's enrolled baseline as reported by the Android Play Integrity API.

A rooted device in a Microsoft 365 environment presents the following specific risks: Intune Company Portal and all managed applications lose their policy enforcement guarantees, as app protection policies rely on the Android OS security model that root access bypasses; authentication tokens stored in Android's Keystore can potentially be extracted using root-privilege tooling; corporate email content, SharePoint documents, and OneDrive files accessible from the device become accessible outside the managed container.

The device was connected to the corporate network at the time of detection. Network removal by the client's IT team eliminated the risk of corporate data being accessed or exfiltrated via the compromised endpoint during the post-detection window.

Root cause was confirmed following the client's internal investigation: the rooting was triggered by sideloaded software installed on the personal Android device. This closes the incident as a policy violation rather than a malware-induced root escalation — an important classification distinction that determines whether a broader threat hunt is required. Since this was deliberate user action (sideloaded software), no broader hunt was warranted; the follow-on action shifts to BYOD policy enforcement.

No risky events were present in the AADUserRiskEventsTable for the associated user account, suggesting the rooting had not been leveraged for credential or access abuse at the time of detection.

Environment

▸Microsoft Defender for Endpoint (Mobile Threat Defence)

▸Microsoft Intune / Microsoft Sentinel

▸Android / Play Integrity API (health attestation)

Signals

▸Defender MTD: rooted device detected — OS integrity state inconsistent with enrolled baseline

▸Play Integrity API / health attestation failure

▸BYOD personal device registered for Teams access — not a fully managed corporate asset

▸Device connected to corporate network at time of detection

What I Checked

▸Detection signal assessed: hardware-attested Play Integrity API — reliable signal, not a software heuristic

▸Device compliance state confirmed: Non-compliant (rooted) in Intune

▸Corporate data access reviewed via CloudAppEvents — device enrolled solely for Teams access

▸AADUserRiskEventsTable: no risky events for the associated user account

▸Root cause confirmed post-incident: sideloaded software on BYOD device — policy violation, not malware-induced

Actions Taken

▸Customer notification sent immediately — device removed from corporate network within 32 minutes of detection

▸Client IT severed device's corporate network access

▸User performed factory reset of personal device — root modifications removed

▸Recommended Conditional Access device compliance policy to automate future containment

▸Recommended BYOD policy review: devices Entra-registered for Teams access subject to same integrity requirements

Indicators of Compromise

Type	Indicator	Notes
Device	[REDACTED]_android	BYOD personal Android — Entra registered for Teams access; rooted OS detected via Play Integrity API
MDM Compliance	Non-compliant (rooted)	Intune compliance policy violation — device integrity failure
Network Status	Connected at detection time	Risk of corporate data access existed until network removal confirmed
Root Cause	Sideloaded software (confirmed)	BYOD personal device — policy violation, not malware-induced root escalation

MITRE ATT&CK Mapping

Tactic	Technique	ID	Observed
Defense Evasion	Subvert Trust Controls: Disable / Modify Tools	T1562.001	Rooting disables MDM enforcement, app sandbox, and mobile security controls
Privilege Escalation	Exploitation for Privilege Escalation	T1068	Root access = OS-level privilege escalation on Android device
Credential Access	Steal Application Access Token	T1528	Root access enables extraction of authentication tokens from Android Keystore (risk)
Exfiltration (Risk)	Data from Local System	T1005	Corporate data in managed apps accessible at root level

Detection Logic (KQL)

// Confirm device compliance state and rooting signal
DeviceInfo
| where DeviceName contains "[REDACTED_ANDROID]"
| project Timestamp, DeviceName, OSPlatform, ComplianceState, IsAzureADJoined, ManagedBy, OnboardingStatus

// Check for corporate data access before network removal
CloudAppEvents
| where AccountObjectId == "[USER_OBJECT_ID]"
| where DeviceName contains "[REDACTED_ANDROID]"
| where Timestamp > ago(24h)
| project Timestamp, ActionType, ObjectName, Application, AccountDisplayName

// Verify no AAD identity risk events
AADUserRiskEvents
| where UserPrincipalName == "[USER_UPN]"
| where TimeGenerated > ago(7d)
| project TimeGenerated, RiskEventType, RiskLevel, IpAddress, AdditionalInfo

Analyst NotesMuhammad Fezzan

Fastest triage-to-response cycle in this portfolio — detection to client confirmation was 32 minutes. The BYOD context is the most important clarification: this was a personal phone registered for Teams access, not a fully managed corporate device.

Root cause confirmed as sideloaded software — closes as policy violation. That distinction closes the threat hunt question entirely.

The most important structural advisory remains the Conditional Access gap: device compliance blocking on Entra-registered BYOD devices would have automated containment the moment Intune flagged non-compliance, without requiring analyst escalation.

Lessons Learned

▸Conditional Access device compliance policies provide automated containment — configure for all enrolled devices including BYOD.

▸Root cause confirmation matters: policy violation vs malware-induced requires different follow-on responses.

▸Factory reset is required before re-enrolment — not just unenrolment.

▸BYOD policy must explicitly cover Entra-registered personal devices: same integrity requirements apply.

▸Communicate rooting consequences clearly to all MDM-enrolled staff.

Recommendations

R1Enforce Conditional Access device compliance policy immediately: configure Intune compliance policies to classify rooted devices as non-compliant, and Conditional Access to block corporate resource access from non-compliant devices. This provides real-time automated containment and removes the analyst escalation dependency.

R2Factory reset and clean re-enrolment: the affected device must be factory-reset to remove root modifications before re-enrolment. Re-enrolment without reset leaves unknown software and modifications in place.

R3Review and enforce BYOD policy for Entra-registered personal devices: users registering personal devices for Teams access should be explicitly informed that device integrity requirements apply, sideloading applications constitutes a policy violation, and non-compliant devices will be immediately disconnected from corporate resources.

R4Communicate rooting consequences to all MDM-enrolled staff: include in onboarding documentation and acceptable use policy that rooting a device with corporate enrollment will result in immediate corporate access revocation and may have disciplinary consequences.

SIG

Case Certification

Muhammad Fezzan

SOC ANALYST

DIGITAL TIMESTAMP

JAN 2026 // REG-007-FS

← All incidentsCase anonymised