Apr 11 2020
- last edited on
Jul 24 2020
I see a number of Risky Sign-ins with the code 50173 - Fresh auth token is needed. Have the user re-sign using fresh credentials. And the status is "Failure".
But I noticed the IP address captured is of another country. How to interpret the error code?
Apr 12 2020 07:18 AM
Apr 12 2020 09:13 AM - edited Apr 12 2020 09:25 AM
Apr 13 2020 01:15 AM
If you get an alert from Identity Protection, you can never be 100% sure why it was flagged as risky as Microsoft keeps these methods confidential.
I would suggest you check with the never if he has any clue why this login occurred ( he might be travelling, using roaming data or VPN).
If he doesn't know anything about this login, I would advise you to change his password and expire all his tokens. Even if he has MFA, his account could still be breached.
Apr 13 2020 09:33 AM
Thanks for your advice. I have reset the password.
If the status of the code shows "Failure", is that also indicating that the user account has been compromise? Or someone did successfully gain access to the account prior to this?
Or it could be just an attempt? Thanks.
Apr 13 2020 11:51 AM - edited Apr 13 2020 12:07 PM
Apr 14 2020 01:58 AM
I think is not MFA. This is the failure reason.
I assume someone out there is trying to established the connection. But I wasn't sure whether by "token auth", does it mean somebody has successfully created/login to the account before.
Apr 14 2020 02:38 AM