deepdef
Copper Contributor
Nov 12, 2023

Entra ID - user sign-ins (non-interactive) - failed connection attempts

Hello,
In user sign-ins (non-interactive), we have several failed connection attempts every day.
Authentication requirement: Single-factor authentication
Status: Failure
Failure reason: Error validating credentials due to invalid username or password.
Additional Details: The user didn't enter the right credentials. It's expected to see some number of these errors in your logs due to users making mistakes.
Application: Skype for Business Online

 

It looks like brute force or password spray attacks.
I don't understand these attempts. My understanding is that non-interactives are used when replaying tokens or something like this, but not with a login/password. Legacy authentication is blocked.

  • LeonPavesic
    Silver Contributor

    Hi deepdef,

    In instances of user sign-ins (non-interactive), encountering failed connection attempts is common and can stem from various reasons. The reported failure reason, "Error validating credentials due to invalid username or password," indicates that users might make mistakes when entering their credentials, which is expected.

    However, a notable volume of such errors could potentially suggest brute force or password spray attacks. Non-interactive sign-ins are typically associated with token replay, not direct login/password usage.

    If legacy authentication is blocked, and these attempts persist, further investigation is necessary.

    To mitigate such potential attacks, various strategies can be employed:
    Implementing multi-factor authentication, utilizing Conditional Access policies, and blocking specific IP addresses if a pattern is identified are recommended measures. Regularly monitoring logs is crucial to detecting any unusual activity.

    Seeing login failures with non-interactive Sign-ins due to Conditional Access / MFA Policy - Microsoft Q&A

    How to interpret non-interactive user sign-ins? - Microsoft Community Hub

    AADReporting failed non-interactive logins - Microsoft Community Hub


    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)

    • deepdef
      Copper Contributor
      Hello,
      Thank you for your answer.
      MFA doesn't apply because it's legacy authentication.
      I read on the Microsoft site that conditional access rules do not apply to non-interactive authentication. In Activity details/Conditional Access, I have: Not applicable.
      The IP addresses are all different each time.

      In short, I still don't understand where it's going.

      • LeonPavesic
        Silver Contributor

        Hi deepdef,

        Thanks for the update.

        If MFA is not applicable due to legacy authentication, and conditional access rules don't apply to non-interactive authentication, it is crucial to explore other options.

        Here are some additional suggestions:

        1. Investigate Legacy Authentication Settings:
        Ensure that legacy authentication is completely disabled or restricted to the necessary scenarios. If there are any misconfigurations, it could lead to unexpected authentication attempts.

        2. Check for Service Account Issues:
        Confirm that service accounts associated with Skype for Business Online are properly configured and have not been compromised.

        3. Review Application Permissions:
        Examine the permissions granted to the Skype for Business Online application. Make sure that only necessary permissions are assigned, reducing the potential attack surface.

        4. Azure AD Sign-in Logs:
        Review Azure AD sign-in logs for any additional details or patterns related to these non-interactive sign-ins. Look for commonalities in terms of time, users, or other attributes.

        5. Network and Firewall Logs:
        Explore network and firewall logs to see if there's any unusual traffic associated with these authentication attempts. It could help identify potential sources or patterns.

        6. Microsoft Security Updates:
        Stay informed about Microsoft security updates and patches. Applying the latest updates can help address any known vulnerabilities.

        If, after thorough investigation, the issue persists, reaching out to Microsoft Support with detailed information about your configuration and the problem you're facing would be a good next step.

        Please click Mark as Best Response & Like if my post helped you to solve your issue.
        This will help others to find the correct solution easily. It also closes the item.


        If the post was useful in other ways, please consider giving it Like.


        Kindest regards,


        Leon Pavesic
        (LinkedIn)
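
One way to carry out the sign-in log review suggested in step 4 of the reply above, as an added example that is not part of the thread and not Microsoft's code: it separates accounts whose failures come only from addresses they also sign in from successfully (typically a client retrying an old stored password) from accounts hit from unfamiliar addresses, then checks whether the unfamiliar failures are spread across several accounts. It assumes records shaped like the Microsoft Graph `signIn` resource and that error code 50126 is the "invalid username or password" failure quoted in the question; the sample records, the labels and the `spray_min_users` threshold are constructed for illustration.

```python
from collections import defaultdict

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0

def rec(upn, ip, code, app="Skype for Business Online"):
    """Build one constructed record shaped like a Graph signIn export row."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "status": {"errorCode": code}}

# Constructed sample data: made-up users, documentation address ranges.
SAMPLE = [
    rec("alice@example.com", "198.51.100.10", SUCCESS),
    rec("alice@example.com", "198.51.100.10", INVALID_CREDENTIALS),
    rec("alice@example.com", "198.51.100.10", INVALID_CREDENTIALS),
    rec("bob@example.com", "203.0.113.5", INVALID_CREDENTIALS),
    rec("carol@example.com", "203.0.113.77", INVALID_CREDENTIALS),
    rec("dave@example.com", "192.0.2.44", INVALID_CREDENTIALS),
    rec("dave@example.com", "192.0.2.45", INVALID_CREDENTIALS),
]

def triage(records, spray_min_users=3):
    """Classify each failing account, then judge the overall pattern."""
    ok_ips, fail_ips = defaultdict(set), defaultdict(set)
    for r in records:
        user = r["userPrincipalName"].lower()
        code = r["status"]["errorCode"]
        if code == SUCCESS:
            ok_ips[user].add(r["ipAddress"])
        elif code == INVALID_CREDENTIALS:
            fail_ips[user].add(r["ipAddress"])
    per_user = {}
    for user, ips in fail_ips.items():
        # Failures only from addresses the user also succeeds from point to a
        # device retrying a stale password rather than to outside guessing.
        known = ips <= ok_ips[user]
        per_user[user] = "stale-client" if known else "unfamiliar-source"
    targeted = sorted(u for u, v in per_user.items() if v == "unfamiliar-source")
    sources = set().union(*(fail_ips[u] for u in targeted))
    # Heuristic (assumption): several accounts failing, from at least as many
    # distinct addresses as accounts, matches the pattern described in the thread.
    spray_like = len(targeted) >= spray_min_users and len(sources) >= len(targeted)
    return {"per_user": per_user, "targeted": targeted, "spray_like": spray_like}

if __name__ == "__main__":
    print(triage(SAMPLE))
```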
