Microsoft Entra Blog

Users can now check their sign-in history for unusual activity

Alex_Simons
Oct 17, 2019

Howdy folks,

 

I’m excited to announce the public preview of Azure AD My Sign-Ins—a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. As we discussed in a previous blog post, our team defends against hundreds of millions of password-based attacks every day.

 

The My Sign-Ins page empowers users to see:

 

  • If anyone is trying to guess their password.
  • If an attacker successfully signed in to the account from a strange location.
  • What apps the attacker tried to access.

Robyn Hicock, who managed this feature, wrote a guest blog post where she dives into the details on this update. You’ll find her blog post below.

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

___________________________________________________________________________________________

Hi everyone!

I’m super excited to share details about the new My Sign-Ins tile found on the user's Overview blade:

 

Just click the My Sign-Ins tile to display the location details of how an account was accessed.

 

Here’s an example where I successfully signed in to Office 365 on Windows 10 from Washington:

Successful sign-in

 

Most users should recognize their activity as being normal. However, if a user notices a Successful sign-in from a strange location, browser, or operating system, an attacker may have gained access to the account. In this case, the user should change their password immediately and then go to the Security info page to update their security settings.

 

There is a chance of a false positive since the approximate location and map are based on the IP address (we call this “IP Address Geolocation”). Mobile networks are especially hard to geolocate since they sometimes route traffic through distant locations. For example, if a user signs in on their phone from Washington, the location might show the sign-in coming from California. This is why it helps to check more details about the sign-in, such as the operating system, browser, and app, to confirm whether it’s actually bad activity.

 

Unsuccessful sign-in

 

An Unsuccessful sign-in, which shows no session activity, means that primary authentication (username/password) failed. This could mean that the user mistyped their password or an attacker was trying to guess the password. If it’s because an attacker was trying to guess the password (but was unsuccessful), then there’s no need for the user to change their password. However, this is a great reason for the user to register for Azure Multi-Factor Authentication (MFA), so even if the hacker eventually guesses the password, it won’t be enough to access the account. Based on our studies, accounts protected by MFA are 99.9 percent less likely to be compromised.

 

An Unsuccessful sign-in, which shows Session activity of “Additional verification failed, invalid code,” means that primary authentication (username/password) succeeded, but MFA failed. If it was an attacker, they correctly guessed the password but were unable to pass the MFA challenge—such as round tripping a code to a phone number or by using the Microsoft Authenticator app. In this case, the user should still change their password (since the attacker got it right) and go to the Security info page to update their security settings.
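The triage rules described above for successful and unsuccessful sign-ins, written out as an added example (not part of the original post and not Microsoft code). The record fields, the sample rows and the rule that a location-only mismatch is treated as a possible geolocation false positive are assumptions made for illustration.

```python
from dataclasses import dataclass

# Session activity text quoted in the post for a failed MFA challenge.
MFA_FAILED = "Additional verification failed, invalid code"

@dataclass(frozen=True)
class SignIn:
    """Hypothetical shape of one My Sign-Ins row (not a Microsoft schema)."""
    success: bool
    state: str
    os: str
    browser: str
    app: str
    session_activity: str = ""

def triage(event, known_good):
    """Return (finding, action) for one row, given rows the user recognizes."""
    if not event.success:
        if MFA_FAILED in event.session_activity:
            # Password was right; the second factor stopped the sign-in.
            return ("password correct, MFA failed",
                    "change password and update security info")
        # No session activity: primary authentication failed.
        return ("password mistyped or guessed",
                "no password change needed; register for MFA")
    # Successful sign-in: compare each attribute with recognized activity.
    unfamiliar = [name for name in ("state", "os", "browser")
                  if getattr(event, name) not in {getattr(k, name) for k in known_good}]
    if not unfamiliar:
        return ("normal activity", "none")
    if unfamiliar == ["state"]:
        # Only the IP-derived location is off (assumed rule): check the details.
        return ("location differs, client recognized",
                "confirm OS, browser and app before acting")
    return ("unfamiliar " + ", ".join(unfamiliar),
            "change password immediately and update security info")

# Constructed sample rows (not real sign-in data).
KNOWN = [SignIn(True, "Washington", "Windows 10", "Edge", "Office 365"),
         SignIn(True, "Washington", "iOS", "Safari", "Office 365")]
SAMPLES = [
    SignIn(True, "California", "iOS", "Safari", "Office 365"),
    SignIn(True, "Ohio", "Linux", "Firefox", "My Groups"),
    SignIn(False, "Ohio", "Linux", "Firefox", "Office 365"),
    SignIn(False, "Ohio", "Linux", "Firefox", "Office 365", MFA_FAILED),
]

if __name__ == "__main__":
    for row in SAMPLES:
        print(row.state, row.os, "->", triage(row, KNOWN))
```
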

Filtering sign-ins

 

You can use the Search bar at the top to filter sign-ins by state, country, browser, operating system, app, or account. For example, below I filtered sign-ins to the My Groups app:

Looking ahead

 

In the future, we’ll add This wasn’t me and This was me buttons. We’ll also highlight unusual activities detected with Identity Protection. This user feedback will help improve the accuracy of our risk detection systems. We do all of this already with the Recent Activity page for consumer Microsoft Accounts.

 

We’d love to hear your feedback and suggestions on the My Sign-Ins Public Preview before it becomes generally available. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Thanks!

Robyn Hicock (@RobynHicock)

Senior Program Manager

Microsoft Identity Security and Protection team

Updated Aug 19, 2021
Version 4.0

28 Comments

  • Jan Bakker
    Copper Contributor

    Nice feature!

     

    I'd like to see some integration with Conditional Access if possible. So that you can see if your sign-in hit any CA policy, for example when and why MFA was required. Can be useful for users to understand what's going on in the back.

     

  • That's a great feature for users from their security perspective. This feature will become more useful if there is an option to get email notification on failure notification and new device login.

  • JoeTech
    Copper Contributor

    robynhicock Users tend to know the ISP they use but rarely their IP. We’re a CSP for small businesses and this is definitely part of the education plan for them to start watching logins/IP. I have a cell phone on X carrier. If it shows up on Y carrier, that may be a red flag. Typical users we find log in in 3 places: work, cell, home. Anything outside of that raises flags, maybe not a red, but at least a yellow. If we can alert them that these are your work IPs, it’s that much better.

  • UW_Scott
    Brass Contributor

    Any idea where the Administration documentation is to enable the "new profile experience" ?  So far everything I find simply tells me to contact myself to enable;)

  • CryptoLulluby - Thanks! No date yet for GA because it depends on the feedback we get in Public Preview 🙂

     

    JoeTech - Good idea, thanks! We'll consider doing that for collapsed rows. Yes in the future we want to flag and color code unusual activities so users don't have to scroll and hunt for them. We wouldn't flag trusted locations though. Is there a reason you'd want us to?

     

    SSandz_ - Thanks! Yea the time zone is a good idea, I'll add that to our list. Yep we also want to add which authentication method was used. Mac should already be covered right now actually, does it not work for you? Once we add "This wasn't me" it will trigger a compromise recovery flow. The end user will have to prove their identity, change their password, and review their security info. If they finish that flow then the risky sign-in would be dismissed in the admin's Identity Protection report. Yes, SSPR would be needed. Thanks for the questions and feedback 🙂

  • SSandz_
    Copper Contributor

    Great additions robynhicock 

     

    [Agree with the above regarding the IP]

     

    - Would be great to have the time zone listed, the location helps but time wise PST, CST etc.. would provide further insight.

    - In reference to the session activity will there be an addition of the authentication method used? SMS or Authenticator App?

    - Will GA cover other devices, such as Mac?

    - The additions of the "wasn't me", will that incorporate a trigger to the IT admins and the account will be locked out? Interested to determine if there are any particular plans to block the account and how it would reference to the risky sign-on in AIP and conditional access.

    - In the section where it states the user should still change their password, will SSPR need to be enabled for the enterprise?

     

  • JoeTech
    Copper Contributor

    It would be nice if the approximate location was shown in the closed event. Showing just "US" or [country] tells me nothing about the login. If I see that a login event happened in Arizona vs Ohio, there is something wrong with that login. Knowing that the occasional mobile login may cross borders.

     

    Lastly, if the IP address is a trusted location for the organization, does it also make sense to flag it or color code it? Is this planned with the AIP tie in?

  • CryptoLulluby
    Copper Contributor
    This is an awesome feature for Enterprise customers like me! Security is the most important consideration when we decide to partner with a new organization. Any estimate on when this reaches GA? Great job robynhicock!