Users can now check their sign-in history for unusual activity

Published Oct 17 2019 09:00 AM 48.4K Views

Howdy folks,

 

I’m excited to announce the public preview of Azure AD My Sign-Ins—a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. As we discussed in a previous blog post, our team defends against hundreds of millions of password-based attacks every day.

 

The My Sign-Ins page empowers users to see:

 

  • If anyone is trying to guess their password.
  • If an attacker successfully signed in to the account from a strange location.
  • What apps the attacker tried to access.

Robyn Hicock, who managed this feature, wrote a guest blog post where she dives into the details on this update. You’ll find her blog post below.

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

___________________________________________________________________________________________

Hi everyone!

I’m super excited to share details about the new My Sign-Ins tile found on the users Overview blade:

 

Azure AD My Sign-Ins 1.png

Just click the My Sign-Ins tile to display the location details of how an account was accessed.

 

Here’s an example where I successfully signed in to Office 365 on Windows 10 from Washington:

Azure AD My Sign-Ins 2.png

Successful sign-in

 

Most users should recognize their activity as being normal. However, if a user notices a Successful sign-in from strange location, browser, or operating system, an attacker may have gained access to the account. In this case, the user should change their password immediately and then go to the Security info page to update their security settings.

 

There is a chance of a false positive since the approximate location and map is based on the IP Address (we call this “IP Address Geolocation”). Mobile networks are especially hard to geolocate since they sometimes route traffic through distant locations. For example, if a user signs in on their phone from Washington, the location might show the sign-in coming from California. This is why it helps to check more details about the sign-in, such as the operating system, browser, and app to confirm if it’s actually bad activity.

 

Unsuccessful sign-in

 

An Unsuccessful sign-in, which shows no session activity, means that primary authentication (username/password) failed. This could mean that the user mistyped their password or an attacker was trying to guess the password. If it’s because an attacker was trying to guess the password (but was unsuccessful), then there’s no need for the user to change their password. However, this is a great reason for the user to register for Azure Multi-Factor Authentication (MFA), so even if the hacker eventually guesses the password, it won’t be enough to access the account. Based on our studies, accounts protected by MFA are 99.9 percent less likely to be compromised.

 

Azure AD My Sign-Ins 3.png

An Unsuccessful sign-in, which shows Session activity of “Additional verification failed, invalid code,” means that primary authentication (username/password) succeeded, but MFA failed. If it was an attacker, they correctly guessed the password but were unable to pass the MFA challenge—such as round tripping a code to a phone number or by using the Microsoft Authenticator app. In this case, the user should still change their password (since the attacker got it right) and go to the Security info page to update their security settings.

Azure AD My Sign-Ins 4.png

Filtering sign-ins

 

You can use the Search bar at the top to filter sign-ins by state, country, browser, operating system, app, or account. For example, below I filtered sign-ins in to the My Groups app:

Azure AD My Sign-Ins 5.png

Looking ahead

 

In the future, we’ll add This wasn’t me and This was me buttons. We’ll also highlight unusual activities detected with Identity Protection. This user feedback will help improve the accuracy of our risk detection systems. We do all of this already with the Recent Activity page for consumer Microsoft Accounts.

 

We’d love to hear your feedback and suggestions on the My Sign-Ins Public Preview before it becomes generally available. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Thanks!

Robyn Hicock (@RobynHicock)

Senior Program Manager

Microsoft Identity Security and Protection team

28 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-918258%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918258%22%20slang%3D%22en-US%22%3EThis%20is%20an%20awesome%20feature%20for%20Enterprise%20customers%20like%20me!%20Security%20is%20the%20most%20important%20consideration%20when%20we%20decide%20to%20partner%20with%20a%20new%20organization.%20Any%20estimate%20on%20when%20this%20reaches%20GA%3F%20Great%20job%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426704%22%20target%3D%22_blank%22%3E%40robynhicock%3C%2FA%3E!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918366%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918366%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20would%20be%20nice%20if%20the%20approximate%20location%20was%20shown%20in%20the%20closed%20event.%26nbsp%3B%20Showing%20Just%20%22US%22%20or%20%5Bcountry%5D%20tells%20me%20nothing%20about%20the%20login.%26nbsp%3B%20If%20I%20see%20that%20a%20login%20event%20happened%20in%20Arizona%20vs%20Ohio%2C%20there%20is%20something%20wrong%20with%20that%20login.%26nbsp%3B%26nbsp%3B%20Knowing%20that%20the%20occasional%20mobile%20login%20may%20cross%20borders.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELastly%2C%20if%20the%20IP%20address%20is%20a%20trusted%20location%20for%20the%20organization%2C%20does%20it%20also%20make%20sense%20to%20flag%20it%20or%20color%20code%20it%3F%20Is%20this%20planned%20with%20the%20AIP%20tie%20in%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918401%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918401%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20additions%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426704%22%20target%3D%22_blank%22%3E%40robynhicock%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%5BAgree%20with%20the%20above%20regarding%20the%20IP%5D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Would%20be%20great%20to%20have%20the%20time%20zone%20listed%2C%20the%20location%20helps%20but%20time%20wise%20PST%2C%20CST%20etc..%20would%20provide%20further%20insight.%3C%2FP%3E%3CP%3E-%20In%20reference%20to%20the%20session%20activity%20will%20there%20be%20an%20addition%20of%20the%20authentication%20method%20use%3F%20SMS%20or%20Authenticator%20App%3F%3C%2FP%3E%3CP%3E-%20Will%20GA%20cover%20other%20devices%2C%20such%20as%20Mac%3F%3C%2FP%3E%3CP%3E-%20The%20additions%20of%20the%20%22wasn't%20me%22%2C%20will%20that%20incorporate%20a%20trigger%20to%20the%20IT%20admins%20and%20the%20account%20will%20be%20locked%20out%3F%20Interested%20to%20determine%20if%20there%20are%20any%20particular%20plans%20to%20block%20the%20account%20and%20how%20it%20would%20reference%20to%20the%20risky%20sign-on%20in%20AIP%20and%20conditional%20access.%3C%2FP%3E%3CP%3E-%20In%20the%20section%20where%20it%20states%20the%20user%20should%20still%20change%20their%20password%2C%20will%20SSPR%20need%20to%20be%20enabled%20for%20the%20enterprise%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918431%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918431%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F428289%22%20target%3D%22_blank%22%3E%40CryptoLulluby%3C%2FA%3E%26nbsp%3B-%20Thanks!%20No%20date%20yet%20for%20GA%20because%20it%20depends%20on%20the%20feedback%20we%20get%20in%20Public%20Preview%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F428401%22%20target%3D%22_blank%22%3E%40JoeTech%3C%2FA%3E%26nbsp%3B-%20Good%20idea%2C%20thanks!%20We'll%20consider%20doing%20that%20for%20collapsed%20rows.%20Yes%20in%20the%20future%20we%20want%20to%20flag%20and%20color%20code%20unusual%20activities%20so%20users%20don't%20have%20to%20scroll%20and%20hunt%20for%20them.%20We%20wouldn't%20flag%20trusted%20locations%20though.%20Is%20there%20a%20reason%20you'd%20want%20us%20to%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F335944%22%20target%3D%22_blank%22%3E%40SSandz_%3C%2FA%3E%26nbsp%3B-%20Thanks!%20Yea%20the%20time%20zone%20is%20a%20good%20idea%2C%20I'll%20add%20that%20to%20our%20list.%20Yep%20we%20also%20want%20to%20add%20which%20authentication%20method%20was%20used.%20Mac%20should%20already%20be%20covered%20right%20now%20actually%2C%20does%20it%20not%20work%20for%20you%3F%20Once%20we%20add%20%22This%20wasn't%20me%22%20it%20will%20trigger%20a%20compromise%20recovery%20flow.%20The%20end%20user%20will%20have%20to%20prove%20their%20identity%2C%20change%20their%20password%2C%20and%20review%20their%20security%20info.%20If%20they%20finish%20that%20flow%20then%20the%20risky%20sign-in%20would%20be%20dismissed%20in%20the%20admin's%20Identity%20Protection%20report.%20Yes%2C%20SSPR%20would%20be%20needed.%20Thanks%20for%20the%20questions%20and%20feedback%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918433%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918433%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20idea%20where%20the%20Administration%20documentation%20is%20to%20enable%20the%20%22%3CSPAN%3Enew%20profile%20experience%22%3C%2FSPAN%3E%26nbsp%3B%3F%26nbsp%3B%20So%20far%20everything%20I%20find%20simply%20tells%20me%20to%20contact%20myself%20to%20enable%3B)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918434%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918434%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426704%22%20target%3D%22_blank%22%3E%40robynhicock%3C%2FA%3E%26nbsp%3BUsers%20tend%20to%20know%20the%20ISP%20%26nbsp%3Bthey%20use%20but%20rarely%20their%20IP.%20We%E2%80%99re%20a%20CSP%20for%20small%20businesses%20and%20this%20is%20definitely%20part%20of%20the%20education%20plan%20for%20them%20to%20start%20watching%20logins%2FIP.%20%26nbsp%3BI%20have%20a%20cell%20phone%20on%20X%20carrier.%20%26nbsp%3BIf%20it%20shows%20up%20on%20Y%20carrier%2C%20that%20may%20be%20a%20red%20flag.%20%26nbsp%3BTypical%20users%20we%20find%20login%20in%203%20places%3A%20work%2Ccell%2Chome.%20%26nbsp%3BAnything%20outside%20of%20that%20raises%20flags%2C%20maybe%20not%20a%20red%2C%20but%20at%20least%20a%20yellow.%20If%20we%20can%20alert%20them%20that%20these%20are%20your%20work%20IPs%2C%20It%E2%80%99s%20that%20much%20better.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918467%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918467%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20Great%20feature%20for%20users%20for%20their%20security%20prospective.%20This%20feature%20will%20become%20more%20use%20full%20if%20their%20is%20option%20to%20get%20email%20notification%20on%20failure%20notification%20and%20new%20device%20login.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918557%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918557%22%20slang%3D%22en-US%22%3E%3CP%3ENice%20feature!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'd%20like%20to%20see%20some%20integration%20with%20Conditional%20Access%20if%20possible.%20So%20that%20you%20can%20see%20if%20your%20sign-in%20hit%20any%20CA%20policy%2C%20for%20example%20when%20and%20why%20MFA%20was%20required.%20Can%20be%20usefull%20for%20users%20to%20understand%20what's%20going%20on%20in%20the%20back.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918578%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918578%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388856%22%20target%3D%22_blank%22%3E%40UW_Scott%3C%2FA%3E%26nbsp%3Bthe%20Combined%20Registration%20experiences%20admin%20docs%20are%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-registration-mfa-sspr-combine%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-registration-mfa-sspr-combine%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918617%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918617%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20feature%2C%20with%20some%20remarks%3A%3C%2FP%3E%3CUL%3E%3CLI%3Ethe%20label%20%22This%20is%20your%20current%20session.%22%20seems%20to%20be%20placed%20at%20the%20first%20record%20in%20the%20list%2C%20which%20becomes%20wrong%2C%20as%20soon%20as%20you%20use%20the%20filter.%3C%2FLI%3E%3CLI%3EHow%20can%20I%20show%20only%20unsuccessful%20logins%20in%20the%20list%3F%20You%20mentioned%2C%20that%20you%20can%20filter%20by%20state%2C%20but%20I%20am%20not%20sure%20what%20to%20type%20in.%3C%2FLI%3E%3C%2FUL%3E%3CP%3ESuggestion%3A%3C%2FP%3E%3CP%3EI%20know%2C%20that%20geolocation%20is%20often%20inaccurate%2C%20but%20have%20you%20thought%20of%20adding%20a%20whitelist%20or%20blacklist%20for%20regions%2C%20you%20are%20expecting%20logins%20from%2C%20or%20not%20at%20all%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918752%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918752%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388856%22%20target%3D%22_blank%22%3E%40UW_Scott%3C%2FA%3EThe%20new%20profile%20experience%20can%20be%20enabled%20with%20the%20following%20steps.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3ESign%20into%20the%20%3CSTRONG%3EAzure%20portal%3C%2FSTRONG%3E%20as%20a%20global%20administrator%20or%20user%20administrator.%3C%2FLI%3E%3CLI%3EBrowse%20to%20%3CSTRONG%3EAzure%20Active%20Directory%20%26gt%3B%20User%20settings%20%26gt%3B%20Manage%20settings%3C%2FSTRONG%3E%20%3CSTRONG%3Efor%20access%20panel%20preview%20features%3C%2FSTRONG%3E.%26nbsp%3B%3C%2FLI%3E%3CLI%3EUnder%20%3CSTRONG%3EUsers%20you%20can%20use%20the%20preview%20features%20for%20registering%20and%20managing%20security%20info%20%E2%80%93%20refresh%3C%2FSTRONG%3E%2C%20you%20can%20choose%20to%20enable%20for%20a%20Selected%20group%20of%20users%20or%20for%20All%20users.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EMore%20info%20in%20this%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-Identity%2FCool-enhancements-to-the-Azure-AD-combined-MFA-and-password%2Fba-p%2F354271%2Fpage%2F2%22%20target%3D%22_blank%22%3Epost%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJelle%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918798%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918798%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426704%22%20target%3D%22_blank%22%3E%40robynhicock%3C%2FA%3E%26nbsp%3B%20thanks%20for%20the%20prompt%20responses!%26nbsp%3B%20Will%20check%20on%20the%20Mac%20pieces%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918859%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918859%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388856%22%20target%3D%22_blank%22%3E%40UW_Scott%3C%2FA%3E%26nbsp%3B-%20We're%20fixing%20that%20soon%20actually%2C%20so%20that%20you%20don't%20need%20to%20be%20in%20a%20preview%20to%20see%20the%20new%20My%20Profile%20experience%20%3A)%3C%2Fimg%3E%20But%20for%20now%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F90033%22%20target%3D%22_blank%22%3E%40Jelle%20Revyn%3C%2FA%3E%26nbsp%3Bis%20correct%20(thanks)!%20The%20link%20is%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FUsersManagementMenuBlade%2FUserSettings%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FUsersManagementMenuBlade%2FUserSettings%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F428401%22%20target%3D%22_blank%22%3E%40JoeTech%3C%2FA%3E%26nbsp%3B-%20Really%20good%20points%2C%20thanks!%20We'll%20consider%20adding%20that.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F423496%22%20target%3D%22_blank%22%3E%40Deepak_ITTechPro%3C%2FA%3E%26nbsp%3B-Thanks%20%3A)%3C%2Fimg%3E%20Yep%20our%20long%20term%20plan%20is%20to%20give%20admins%20the%20option%20to%20set%20up%20alerts.%20That%20way%20end%20users%20will%20be%20directed%20to%20check%20their%20sign-ins%20if%20we%20detect%20anything%20unusual.%20We%20do%20this%20in%20MSA%20today%20by%20alerting%20via%20SMS%2C%20alternate%20email%2C%20and%20the%20Authenticator%20app.%20We%20just%20want%20to%20get%20My%20Sign-Ins%20to%20GA%20first%20before%20we%20do%20the%20notifications%20though.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F222759%22%20target%3D%22_blank%22%3E%40Jan%20Bakker%3C%2FA%3E%26nbsp%3B-%20Thanks!%20We've%20considered%20that%20but%20were%20thinking%20CA%20might%20be%20too%20much%20info%20for%20the%20typical%20end%20user.%20However%20all%20those%20details%20are%20available%20in%20the%20admin's%20sign-in%20report.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F333959%22%20target%3D%22_blank%22%3E%40MatJo75%3C%2FA%3E%26nbsp%3B-%20Good%20catch%20about%20the%20%22current%20session%22.%20I'll%20open%20a%20bug%20for%20that.%20Right%20now%20we%20don't%20have%20a%20good%20way%20to%20filter%20by%20just%20the%20unsuccessful%20logins%2C%20but%20before%20GA%20we%20want%20to%20add%20that%20capability.%20The%20search%20bar%20should%20be%20able%20to%20filter%20by%20state%20and%20country%20if%20you%20type%20the%20exact%20words%2C%20like%20%22Washington%22%20or%20%22US%22.%20Let%20me%20know%20if%20that%20doesn't%20work%20for%20you.%20IT%20Admins%20can%20use%20Conditional%20Access%20to%20set%20up%20sign-in%20policies%20based%20on%20location.%20That's%20not%20something%20end%20users%20can%20do%20for%20themselves%2C%20but%20it's%20an%20interesting%20feature%20idea.%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918989%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918989%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Robyn%20(%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Microsoft%20lia-component-message-view-widget-author-username%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426704%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3Erobynhicock)%3C%2FSPAN%3E%3C%2FA%3E%3C%2FSPAN%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETested%20Search%3A%3C%2FP%3E%3CP%3EOperating%20System%20-%20Part%20search%20works%3CBR%20%2F%3EBrowser%20-%20Part%20search%20doesn't%20work%20(Actually%20%22Chrome%22%20OK%2C%20not%20%22Google%22)%3CBR%20%2F%3EApproximate%20Location%20-%20Part%20search%20works%3CBR%20%2F%3EIP%20-%20Search%20doesn't%20work%3CBR%20%2F%3EApp%20-%20Part%20search%20works%3CBR%20%2F%3EAccount%20-%20Part%20search%20works%3CBR%20%2F%3Esign-in%20-%20Search%20doesn't%20work%3CBR%20%2F%3EDate%20-%20Search%20doesn't%20work%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20please%20need%20a%20Search%20'Not%20X'.%20Example%20not%20Approximate%20Location%20US%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20will%20help%20Users%20the%20most%3CBR%20%2F%3E1.%20Unsuccessful%20sign-in%3CBR%20%2F%3E2.%20Not%20Approximate%20Location%20X%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-920571%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-920571%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20the%20plans%20to%20have%20client%20access%20from%20App%E2%80%99s%20displayed%3F%20My%20users%20would%20like%20to%20see%20not%20just%20successful%20web%20auth%E2%80%99s%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-925067%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-925067%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F7728%22%20target%3D%22_blank%22%3E%40David%20Taig%3C%2FA%3E%20-%20Thanks%20for%20testing%20it%20out!%20Yep%20we%20have%20some%20known%20issues%20with%20the%20Search%20functionality%20and%20want%20to%20improve%20that%20before%20GA.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F135805%22%20target%3D%22_blank%22%3E%40Arran%20Goffe%3C%2FA%3E%20-%20I%20believe%20it%20should%20already%20show%20that.%20Do%20you%20have%20a%20specific%20app%20in%20mind%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-968511%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-968511%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20feature%2C%20however%3B%20we%20are%20using%20an%20Internet%20Proxy%20from%20a%20renowned%20CA%20based%20vendor.%3C%2FP%3E%3CP%3EW%3CSPAN%3Ee%20are%20an%20europeing%20based%20company%2C%20with%20the%20proxy%20located%20near%20by%2C%20at%20the%20vendor%20subsidiary.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20appears%20you%20are%20looking%20up%20IP%20Addresses%20through%20WhoIs.com%20who%20will%20only%20give%20you%20the%20owners%20geo%20location%2C%20and%20not%20the%20geo%20location%20of%20the%20End%20Point.%26nbsp%3B%3C%2FP%3E%3CP%3EConsequently%20all%20sign-in's%2C%20through%20the%20Proxy%2C%20are%20registered%20as%20originating%20from%20US%20CA.%20Sign-in's%20bypassing%20the%20Proxy%2C%20as%20originating%20from%20europe%2C%20as%20expected.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20suggesting%20you%20look%20up%20IP%20Addresses%20in%20a%20reliable%20geo%20location%20database%20instead.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1043940%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1043940%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20feature%20is%20good%2C%20but%20will%20be%20better%20If%20when%20we%20receive%20a%20request%20for%20authentication%20in%20Authenticator%20App%2C%20we%20can%20see%20the%20source%20of%20request%20of%20authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20something%20in%20development%20related%20to%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096487%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096487%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426704%22%20target%3D%22_blank%22%3E%40robynhicock%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%201089px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F164235iDF386120478EDD97%2Fimage-dimensions%2F1089x99%3Fv%3D1.0%22%20width%3D%221089%22%20height%3D%2299%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAlerts%20not%20only%20for%20admin%20but%20user%20for%20as%20well%20when%20there%20is%20login%20from%20new%20device%20or%20IP%20Address.%20Can%20you%20pleases%20brief%20me%20about%20you%20said%20%22%3CSTRONG%3EWe%20do%20this%20in%20MSA%20today%20by%20alerting%20via%20SMS%2C%20alternate%20email%2C%20and%20the%20Authenticator%20app.%22%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1109621%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1109621%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20need%20to%20fix%20the%20Geo%20Location%20problem%2C%20or%20this%20feature%20will%20be%20totally%20useless.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEven%20though%20I'm%20Europe%20based%2C%20all%20my%20sign-in's%20appears%20as%20originating%20from%20US%20California.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1113095%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1113095%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Robyn%20(%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F426704%22%20target%3D%22_blank%22%3E%40robynhicock%3C%2FA%3E)%20-%20Do%20you%20have%20an%20update%20coming%20soon%20to%20resolve%20the%20known%20issues%20and%20any%20enhancements%20from%20the%20requests%20above.%20Thanks%20David%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1192903%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1192903%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20the%20system%20can%20generate%20the%20sign-ins%20report%20regularly%20(e.g.%20weekly)%3F%20Then%20send%20it%20to%20every%20O365%20users.%20Thx.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESamuel.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1528149%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1528149%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F437264%22%20target%3D%22_blank%22%3E%40IvanRafn%3C%2FA%3E%26nbsp%3B-%20Thanks%20for%20reporting%20that!%20Work%20on%20this%20feature%20got%20delayed%20a%20few%20times%20to%20work%20on%20higher%20priority%20items%2C%20but%20we%20have%20picked%20it%20back%20up%20again.%20I'll%20bring%20up%20that%20geo%20location%20issue%20to%20our%20engineering%20team.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F424562%22%20target%3D%22_blank%22%3E%40Bikebrother%3C%2FA%3E%26nbsp%3B-%20Yes%20that's%20in%20our%20roadmap%20to%20show%20more%20context%20in%20the%20Authenticator%20App%20notification%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1528151%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1528151%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F423496%22%20target%3D%22_blank%22%3E%40Deepak_ITTechPro%3C%2FA%3E%26nbsp%3B-%20Yep%20we%20want%20to%20eventually%20send%20alerts%20to%20AAD%20end%20users%20too.%20I%20meant%20we%20do%20this%20in%20MSA%20for%20consumer%20accounts.%20For%20example%2C%20this%20is%20one%20of%20the%20end%20user%20notifications%20from%20the%20Authenticator%20App%20when%20a%20password%20is%20changed%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22robynhicock_0-1594954169193.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F205956i3310C23693ACFA03%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22robynhicock_0-1594954169193.png%22%20alt%3D%22robynhicock_0-1594954169193.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1528154%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1528154%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F38615%22%20target%3D%22_blank%22%3E%40David%20Taig%3C%2FA%3E%26nbsp%3B-%20Yep%20we're%20working%20on%20it%20now!%20We've%20fixed%20those%20Search%20issues%20that%20you%20mentioned%2C%20and%20we're%20aiming%20to%20get%20this%20feature%20to%20GA%20by%20the%20end%20of%20July%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fhappyface_40x40.gif%22%20alt%3D%22%3Ahappyface%3A%22%20title%3D%22%3Ahappyface%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1528160%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1528160%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F567459%22%20target%3D%22_blank%22%3E%40Samuel_Ho%3C%2FA%3E%26nbsp%3B-%20Hmm%20we%20don't%20currently%20generate%20weekly%20reports%20from%20My%20Sign-Ins.%20In%20the%20future%20we%20do%20want%20to%20notify%20end%20users%20if%20we%20detect%20unusual%20activity%20though.%3C%2FP%3E%0A%3CP%3EAlso%20if%20you're%20an%20admin%20for%20a%20tenant%2C%20you%20can%20view%20a%20much%20more%20detailed%20sign-ins%20report%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FActiveDirectoryMenuBlade%2FSignIns%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FActiveDirectoryMenuBlade%2FSignIns%3C%2FA%3E%26nbsp%3Band%20that%20allows%20you%20to%20download%20and%20export%20the%20data%3A%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorrobynhicock_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916066%22%20slang%3D%22en-US%22%3EUsers%20can%20now%20check%20their%20sign-in%20history%20for%20unusual%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916066%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%E2%80%99m%20excited%20to%20announce%20the%20public%20preview%20of%20%3CA%20href%3D%22https%3A%2F%2Fmysignins.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20AD%20My%20Sign-Ins%3C%2FA%3E%E2%80%94a%20new%20feature%20that%20allows%20enterprise%20users%20to%20review%20their%20sign-in%20history%20to%20check%20for%20any%20unusual%20activity.%20As%20we%20discussed%20in%20a%20previous%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-Identity%2FYour-Pa-word-doesn-t-matter%2Fba-p%2F731984%22%20target%3D%22_blank%22%3Eblog%20post%3C%2FA%3E%2C%20our%20team%20defends%20against%20hundreds%20of%20millions%20of%20password-based%20attacks%20every%20day.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20My%20Sign-Ins%20page%20empowers%20users%20to%20see%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIf%20anyone%20is%20trying%20to%20guess%20their%20password.%3C%2FLI%3E%0A%3CLI%3EIf%20an%20attacker%20successfully%20signed%20in%20to%20the%20account%20from%20a%20strange%20location.%3C%2FLI%3E%0A%3CLI%3EWhat%20apps%20the%20attacker%20tried%20to%20access.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ERobyn%20Hicock%2C%20who%20managed%20this%20feature%2C%20wrote%20a%20guest%20blog%20post%20where%20she%20dives%20into%20the%20details%20on%20this%20update.%20You%E2%80%99ll%20find%20her%20blog%20post%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20always%2C%20we%E2%80%99d%20love%20to%20hear%20any%20feedback%20or%20suggestions%20you%20may%20have.%20Please%20let%20us%20know%20what%20you%20think%20in%20the%20comments%20below%20or%20on%20the%20-ERR%3AREF-NOT-FOUND-Azure%20AD%20feedback%20forum.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20regards%2C%3C%2FP%3E%0A%3CP%3EAlex%20Simons%20(-ERR%3AREF-NOT-FOUND-%40Alex_A_Simons)%3C%2FP%3E%0A%3CP%3ECorporate%20VP%20of%20Program%20Management%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Division%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E___________________________________________________________________________________________%3C%2FP%3E%0A%3CP%3EHi%20everyone!%3C%2FP%3E%0A%3CP%3EI%E2%80%99m%20super%20excited%20to%20share%20details%20about%20the%20new%20%3CA%20href%3D%22https%3A%2F%2Fmysignins.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMy%20Sign-Ins%3C%2FA%3E%20tile%20found%20on%20the%20users%20%3CA%20href%3D%22https%3A%2F%2Fmyprofile.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOverview%20blade%3C%2FA%3E%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Azure%20AD%20My%20Sign-Ins%201.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F137716i0A89AC952B653400%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Azure%20AD%20My%20Sign-Ins%201.png%22%20alt%3D%22Azure%20AD%20My%20Sign-Ins%201.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EJust%20click%20the%20%3CSTRONG%3EMy%20Sign-Ins%3C%2FSTRONG%3E%20tile%20to%20display%20the%20location%20details%20of%20how%20an%20account%20was%20accessed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%E2%80%99s%20an%20example%20where%20I%20successfully%20signed%20in%20to%20Office%20365%20on%20Windows%2010%20from%20Washington%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Azure%20AD%20My%20Sign-Ins%202.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F137717i4AC532D117798638%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Azure%20AD%20My%20Sign-Ins%202.png%22%20alt%3D%22Azure%20AD%20My%20Sign-Ins%202.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1649663381%22%20id%3D%22toc-hId-1649663381%22%3ESuccessful%20sign-in%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMost%20users%20should%20recognize%20their%20activity%20as%20being%20normal.%20However%2C%20if%20a%20user%20notices%20a%20%3CSTRONG%3ESuccessful%3C%2FSTRONG%3E%20sign-in%20from%20strange%20location%2C%20browser%2C%20or%20operating%20system%2C%20an%20attacker%20may%20have%20gained%20access%20to%20the%20account.%20In%20this%20case%2C%20the%20user%20should%20change%20their%20password%20immediately%20and%20then%20go%20to%20the%20-ERR%3AREF-NOT-FOUND-Security%20info%20page%20to%20update%20their%20security%20settings.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20is%20a%20chance%20of%20a%20false%20positive%20since%20the%20approximate%20location%20and%20map%20is%20based%20on%20the%20IP%20Address%20(we%20call%20this%20%E2%80%9CIP%20Address%20Geolocation%E2%80%9D).%20Mobile%20networks%20are%20especially%20hard%20to%20geolocate%20since%20they%20sometimes%20route%20traffic%20through%20distant%20locations.%20For%20example%2C%20if%20a%20user%20signs%20in%20on%20their%20phone%20from%20Washington%2C%20the%20location%20might%20show%20the%20sign-in%20coming%20from%20California.%20This%20is%20why%20it%20helps%20to%20check%20more%20details%20about%20the%20sign-in%2C%20such%20as%20the%20operating%20system%2C%20browser%2C%20and%20app%20to%20confirm%20if%20it%E2%80%99s%20actually%20bad%20activity.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--902493580%22%20id%3D%22toc-hId--902493580%22%3EUnsuccessful%20sign-in%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAn%20%3CSTRONG%3EUnsuccessful%20sign-in%3C%2FSTRONG%3E%2C%20which%20shows%20no%20session%20activity%2C%20means%20that%20primary%20authentication%20(username%2Fpassword)%20failed.%20This%20could%20mean%20that%20the%20user%20mistyped%20their%20password%20or%20an%20attacker%20was%20trying%20to%20guess%20the%20password.%20If%20it%E2%80%99s%20because%20an%20attacker%20was%20trying%20to%20guess%20the%20password%20(but%20was%20unsuccessful)%2C%20then%20there%E2%80%99s%20no%20need%20for%20the%20user%20to%20change%20their%20password.%20However%2C%20this%20is%20a%20great%20reason%20for%20the%20user%20to%20register%20for%20Azure%20Multi-Factor%20Authentication%20(MFA)%2C%20so%20even%20if%20the%20hacker%20eventually%20guesses%20the%20password%2C%20it%20won%E2%80%99t%20be%20enough%20to%20access%20the%20account.%20Based%20on%20our%20studies%2C%20accounts%20-ERR%3AREF-NOT-FOUND-protected%20by%20MFA%20are%2099.9%20percent%20less%20likely%20to%20be%20compromised.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Azure%20AD%20My%20Sign-Ins%203.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F137720i66DDBCF1606A908F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Azure%20AD%20My%20Sign-Ins%203.png%22%20alt%3D%22Azure%20AD%20My%20Sign-Ins%203.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAn%20%3CSTRONG%3EUnsuccessful%20sign-in%3C%2FSTRONG%3E%2C%20which%20shows%20Session%20activity%20of%20%E2%80%9C%3CSTRONG%3EAdditional%20verification%20failed%2C%20invalid%20code%3C%2FSTRONG%3E%2C%E2%80%9D%20means%20that%20primary%20authentication%20(username%2Fpassword)%20succeeded%2C%20but%20MFA%20failed.%20If%20it%20was%20an%20attacker%2C%20they%20correctly%20guessed%20the%20password%20but%20were%20unable%20to%20pass%20the%20MFA%20challenge%E2%80%94such%20as%20round%20tripping%20a%20code%20to%20a%20phone%20number%20or%20by%20using%20the%20-ERR%3AREF-NOT-FOUND-Microsoft%20Authenticator%20app.%20In%20this%20case%2C%20the%20user%20should%20still%20change%20their%20password%20(since%20the%20attacker%20got%20it%20right)%20and%20go%20to%20the%20-ERR%3AREF-NOT-FOUND-Security%20info%20page%20to%20update%20their%20security%20settings.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Azure%20AD%20My%20Sign-Ins%204.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F137721iDFA01DD985B839A0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Azure%20AD%20My%20Sign-Ins%204.png%22%20alt%3D%22Azure%20AD%20My%20Sign-Ins%204.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-840316755%22%20id%3D%22toc-hId-840316755%22%3EFiltering%20sign-ins%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20use%20the%20Search%20bar%20at%20the%20top%20to%20filter%20sign-ins%20by%20state%2C%20country%2C%20browser%2C%20operating%20system%2C%20app%2C%20or%20account.%20For%20example%2C%20below%20I%20filtered%20sign-ins%20in%20to%20the%20My%20Groups%20app%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Azure%20AD%20My%20Sign-Ins%205.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F137722iE9F7A12479FE375B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Azure%20AD%20My%20Sign-Ins%205.png%22%20alt%3D%22Azure%20AD%20My%20Sign-Ins%205.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1711840206%22%20id%3D%22toc-hId--1711840206%22%3ELooking%20ahead%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20future%2C%20we%E2%80%99ll%20add%20%3CSTRONG%3EThis%20wasn%E2%80%99t%20me%3C%2FSTRONG%3E%20and%20%3CSTRONG%3EThis%20was%20me%3C%2FSTRONG%3E%20buttons.%20We%E2%80%99ll%20also%20highlight%20unusual%20activities%20detected%20with%20-ERR%3AREF-NOT-FOUND-Identity%20Protection.%20This%20user%20feedback%20will%20help%20improve%20the%20accuracy%20of%20our%20risk%20detection%20systems.%20We%20do%20all%20of%20this%20already%20with%20the%20-ERR%3AREF-NOT-FOUND-Recent%20Activity%20page%20for%20consumer%20Microsoft%20Accounts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%E2%80%99d%20love%20to%20hear%20your%20feedback%20and%20suggestions%20on%20the%20My%20Sign-Ins%20Public%20Preview%20before%20it%20becomes%20generally%20available.%20Please%20let%20us%20know%20what%20you%20think%20in%20the%20comments%20below%20or%20on%20the%20-ERR%3AREF-NOT-FOUND-Azure%20AD%20feedback%20forum.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks!%3C%2FP%3E%0A%3CP%3ERobyn%20Hicock%20(-ERR%3AREF-NOT-FOUND-%40RobynHicock)%3C%2FP%3E%0A%3CP%3ESenior%20Program%20Manager%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Security%20and%20Protection%20team%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-916066%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20%22My%20Sign-Ins%22%2C%20users%20can%20check%20to%20see%20if%20anyone%20else%20is%20trying%20to%20access%20their%20accounts.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Azure%20AD%20My%20Sign-Ins%20teaser.png%22%20style%3D%22width%3A%20647px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F137715iCE91F53150E50AE7%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Azure%20AD%20My%20Sign-Ins%20teaser.png%22%20alt%3D%22Azure%20AD%20My%20Sign-Ins%20teaser.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-916066%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIdentity%20and%20Access%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Aug 19 2021 04:21 PM
Updated by: