Azure Sign-in Logs

Hi,

I've been tracking some activity which I think is somewhat malicious. Within sign-in logs I've noticed quite a few failures from user accounts under application "Microsoft Azure CLI". Over the last month there has been an ever-increasing amount of this traffic from users that would have no reason (or business) to be signing into this application. 99% of attempts are failures and I am wondering if there is some other process, unbeknown to the user that could cause this error?

I am happy to share the excerpt below as an example as we definitely don't have staff in Russia! Or any of the other strange countries appearing for location.

Application: Microsoft Azure CLI
Status: Failure
IP address: 91.243.188.240
Location: Moskva, Moskva, RU

I am the Cyber Analyst for my organisation but relatively new to the field with only a newly qualified Apprentice and TL with equal knowledge in Cyber as myself.

Thanks,

Stephen
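
Triage logic along the lines of what the post describes, as an added example that is not part of the thread: it reads exported sign-in records (a constructed JSON-lines sample; the field names, the error codes used and "GB" as the home country are assumptions) and reports the Azure CLI failure rate, source IPs that touch many distinct accounts, accounts seen from outside the expected countries, and which of those actually signed in successfully.

```python
"""Triage sign-in log records for password-spray-like activity against Azure CLI."""
import json
from collections import defaultdict

# Constructed sample modelled on an Entra ID sign-in log export (field names assumed).
# errorCode 0 = success, 50126 = bad credentials; IPs are documentation ranges except the one quoted above.
SAMPLE_LOGS = """\
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"ipAddress":"91.243.188.240","location":{"countryOrRegion":"RU"}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"ipAddress":"91.243.188.240","location":{"countryOrRegion":"RU"}}
{"userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"ipAddress":"91.243.188.240","location":{"countryOrRegion":"RU"}}
{"userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"ipAddress":"198.51.100.7","location":{"countryOrRegion":"BR"}}
{"userPrincipalName":"erin@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":0},"ipAddress":"203.0.113.5","location":{"countryOrRegion":"GB"}}
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"ipAddress":"91.243.188.240","location":{"countryOrRegion":"RU"}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":0},"ipAddress":"203.0.113.5","location":{"countryOrRegion":"GB"}}
{"userPrincipalName":"erin@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"ipAddress":"198.51.100.7","location":{"countryOrRegion":"BR"}}
{"userPrincipalName":"frank@example.com","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":0},"ipAddress":"91.243.188.240","location":{"countryOrRegion":"RU"}}
"""

def parse_signin_logs(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def spray_indicators(records, app="Microsoft Azure CLI",
                     expected_countries=("GB",), min_users_per_ip=3):
    """Summarise sign-ins to `app`: failure rate, IPs touching many distinct accounts
    (a spray signature), accounts seen outside expected countries, and successes among them."""
    hits = [r for r in records if r.get("appDisplayName") == app]
    failures = [r for r in hits if r["status"]["errorCode"] != 0]
    users_by_ip, unexpected, success_outside = defaultdict(set), defaultdict(set), set()
    for r in hits:
        upn, ip = r["userPrincipalName"], r["ipAddress"]
        country = r["location"]["countryOrRegion"]
        users_by_ip[ip].add(upn)
        if country not in expected_countries:
            unexpected[upn].add(country)
            if r["status"]["errorCode"] == 0:  # a success from an odd location is the priority case
                success_outside.add(upn)
    return {
        "attempts": len(hits),
        "failure_rate": len(failures) / len(hits) if hits else 0.0,
        "ips_hitting_many_users": {ip: len(u) for ip, u in users_by_ip.items()
                                   if len(u) >= min_users_per_ip},
        "unexpected_locations": {u: sorted(c) for u, c in unexpected.items()},
        "success_outside_expected": sorted(success_outside),
    }

if __name__ == "__main__":
    print(json.dumps(spray_indicators(parse_signin_logs(SAMPLE_LOGS)), indent=2))
```

Run against a real export, the accounts under "success_outside_expected" are the ones to reset and review first; the many-users-per-IP list is what a sign-in risk or Conditional Access location policy would key on.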

Using Conditional Access, you can block Azure Management for non-admins.
You cannot prevent password spray, but make sure you have MFA for all apps and the above policy in place. Let me know if you need help with that.

@Steph32UK

This would be an example of how to implement the extra check: Conditional Access - Require MFA for Azure management - Azure Active Directory - Microsoft Entra | M.... This way they'd need to prove the second factor even if they gain access to valid credentials.

You could make a variant on this to just block Azure Management for non-admins similar to the example described here: Block access to Azure Powershell Management (microsoft.com) or Block user access to Azure AD Powershell with Conditional Access - Microsoft Community Hub. In this case, you'd want to put your admins in a group that's excluded from the rule.

Please like and mark this thread as answered if it's helpful, thanks!

Hi Jan,
Many thanks for your reply. I am trying to get our Sys Admin team to get their skates on with a CA policy (unfortunately that's their remit....for now!) as we had some Webshell attacks a few weeks back and I've been pushing them ever since.

@Kurt Mayer 

Hi Kurt,
Many thanks for your reply and the useful links. Trying to get our Sys Admin team to get their skates on with the CA policies. We had some Webshell attacks a few weeks back, so I've been pushing for these controls.
Thanks,
Stephen

@Steph32UK I have seen quite a lot of login failures for Microsoft Azure CLI and a few successful. How did you get on blocking it? Are you still seeing attempts? 

@swhitestrath 

We have enrolled accounts onto MFA and still working on the Conditional Access Policies. Unfortunately our Sys Admin team hold the control for CAP and are a little slow to get things done!!!!