Forum Discussion

cllee's avatar
cllee
Brass Contributor
Apr 11, 2020

Code - 50173

Hi,

I see a number of Risky Sign-ins with the code 50173 - Fresh auth token is needed. Have the user re-sign using fresh credentials. And the status is "Failure".

But I noticed the IP address captured is of another country. How to interpret the error code?

Thanks.

    • cllee's avatar
      cllee
      Brass Contributor

      Moe_Kinani 

       

      Is there a possibility where someone else has also setup the access to the user account from another country? 


      Thanks.

      • Moe_Kinani's avatar
        Moe_Kinani
        Bronze Contributor
        Do you have MFA in place?If yes, It could be false alarm.

        Again I would check Microsoft Cloud App Security for more details about the incident.

        Moe
  • Thijs Lecomte's avatar
    Thijs Lecomte
    Bronze Contributor

    cllee 

     

    If you get an alert from Identity Protection, you can never be 100% sure why it was flagged as risky as Microsoft keeps these methods confidential.

     

    I would suggest you check with the never if he has any clue why this login occurred ( he might be travelling, using roaming data or VPN).

     

    If he doesn't know anything about this login, I would advise you to change his password and expire all his tokens. Even if he has MFA, his account could still be breached.

     

    • cllee's avatar
      cllee
      Brass Contributor

      Thijs Lecomte 

       

      Thanks for your advice. I have reset the password.
      If the status of the code shows "Failure", is that also indicating that the user account has been compromise? Or someone did successfully gain access to the account prior to this?

      Or it could be just an attempt? Thanks.


      • Moe_Kinani's avatar
        Moe_Kinani
        Bronze Contributor
        Hi cllee,

        Failure means not ‘compromised’ and didn’t get access. Anytime you mistype your password or someone tries to brute force your account, it gets logged on Azure/ MCAS.

        You can use Security & Compliance Console (Compliance now)->Search->Audit Log Search. This should give you more details about the incident.
        Moe

Resources