Hello-

I had a user MS credentials used to login remotely.   Account is stable now but as I go through logs for the time, I believe the user gave up their password.  We  fond in the user audit log a modified permission.  

Does anyone know what change was made here and why in the modified properties?  See screen shot of Entra user audit log.

Update: I believe this is the MS authenticator app.  Problem is we did not have the authenticator app enabled for mfa.  Now this user has the authenticator enabled.  

New question how did a hacker trick my user into changing his MFA and how did Microsoft let this happen?  

Thank you in advance for any help!