Feb 28 2020 - last edited on Jan 14 2022
After looking in the Sign-in view and seeing all the login attempts trying to guess passwords, we implemented MFA, so feel a little more secure! However, we still get phishing emails and users will be users, so passwords are still going to get compromised. Now any attempt to log in should get blocked by MFA, but I would like to be able to detect these and reset the users' passwords, so any suggestions on how I would recognise a login attempt where a correct password was entered but it was blocked by MFA?
Feb 28 2020 07:34 PM - edited Feb 28 2020 07:34 PM
Feb 29 2020 06:47 AM
Feb 29 2020 08:32 AM
@Huw Weatherhead you have quite a few options.
From there you will be able to automate rules and receive notifications via email.
Azure AD Sentinel
More difficult, and you have to learn how to use this tool.
O365 ATP with E5 licence
A very informative place to start looking if you have an E5 license. In addition, with E5 you can also configure "safe links".
And of course a third-party tool like Mimecast :)
Mar 01 2020 04:36 AM
Hi @Huw Weatherhead,
There’s a distinction here between identifying, and alerting on this type of activity. As the previous replies have indicated there are proactive alerting mechanisms in the form of MCAS / Sentinel, but clearly these may carry over a cost to you over more manual ways of identifying this sort of behaviour.
As Vasil suggested, at a base level you will see these reflected in the Azure AD sign-in logs as failed sign-ins (due to lack of MFA, as opposed to an incorrect password which you will be able to distinguish from the log data). Not as elegant as an alert based solution (which I’d recommend), but it will allow you to identify those accounts where passwords have been compromised with a bit of leg work.
Obviously this will be supplemented by Microsoft’s leaked credential detection service assuming you have AAD P1 or P2 :)
Hope this helps,
Mar 02 2020 01:46 AM - Solution
You'll see a failure reason of "other" in the sign-in logs, as opposed to "invalid username or password":
The sign-in error code is also key - 500121 above relates to a failed strong authentication in the context of "other":
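
One way to do the manual triage described in the replies above, as an added example that is not part of the original thread: it scans exported sign-in records for error code 500121 (password accepted, MFA failed) and lists the accounts that are candidates for a password reset. The record shape follows the Microsoft Graph `signIn` resource; the sample records, the 10-minute retry window, and the "same IP later succeeded" filter are assumptions made for this example, and 50126 is the standard AADSTS code for an invalid username or password.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121   # from the thread: correct password, strong authentication failed
SUCCESS = 0           # status.errorCode of a successful sign-in
WINDOW = timedelta(minutes=10)  # assumption: time allowed for the real user to retry MFA

# Constructed sample records (not real log data). 50126 = wrong password.
SAMPLE = json.loads("""[
 {"createdDateTime":"2020-03-01T09:00:00Z","userPrincipalName":"alice@contoso.example",
  "ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2020-03-01T09:05:00Z","userPrincipalName":"bob@contoso.example",
  "ipAddress":"203.0.113.20","status":{"errorCode":500121}},
 {"createdDateTime":"2020-03-01T09:10:00Z","userPrincipalName":"carol@contoso.example",
  "ipAddress":"192.0.2.15","status":{"errorCode":500121}},
 {"createdDateTime":"2020-03-01T09:12:00Z","userPrincipalName":"carol@contoso.example",
  "ipAddress":"192.0.2.15","status":{"errorCode":0}},
 {"createdDateTime":"2020-03-01T09:20:00Z","userPrincipalName":"dave@contoso.example",
  "ipAddress":"203.0.113.20","status":{"errorCode":500121}},
 {"createdDateTime":"2020-03-01T09:21:00Z","userPrincipalName":"dave@contoso.example",
  "ipAddress":"192.0.2.44","status":{"errorCode":0}}
]""")

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def password_reset_candidates(records, window=WINDOW):
    """Map each user to the IPs that passed the password check but failed MFA,
    skipping failures followed by a success from the same IP within `window`
    (most likely the real user fumbling the MFA prompt)."""
    successes = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == SUCCESS:
            key = (r["userPrincipalName"].lower(), r["ipAddress"])
            successes[key].append(parse_ts(r["createdDateTime"]))
    flagged = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != MFA_FAILED:
            continue
        user, ip = r["userPrincipalName"].lower(), r["ipAddress"]
        failed_at = parse_ts(r["createdDateTime"])
        if not any(failed_at <= ok <= failed_at + window for ok in successes[(user, ip)]):
            flagged[user].add(ip)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in password_reset_candidates(SAMPLE).items():
        print(f"{user}: password accepted, MFA failed from {', '.join(ips)}")
```
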