Forum Discussion
casualbob
Jan 30, 2020, Copper Contributor
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 office 365 email users. These emails contain the username logging in and the IP address the log in o...
synclan
Sep 10, 2020, Copper Contributor
I'm going to echo what others have said in this thread so far.
In my tickets with MS, they have told me to ignore these, although I don't think that's the right move.
It *seems* to be a password spray attempt, likely a dictionary-based attack.
ROPC = Resource Owner Password Credentials
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
BAV = Business Apps v2
I have switched from monitoring successful logins in the audit logs to monitoring the Azure-based logins per MS's suggestion, as the audit logs can be difficult to read with a bunch of these attempts cluttering the logs.
The only option presented to me to mitigate this was to enable conditional access, which will not work as some of these attempts are stateside. I don't want to lock down logins to the IPs for each specific user, as that will be pretty difficult to manage with mobile usage.
All I can tell is that these attempts are successfully getting a token, which does not necessarily indicate a compromise, just that the attacker was able to authenticate to the service.
It is concerning to me that this is happening, that it is coming from MS-based IPs, and that in the numerous tickets I have made, it's been brushed off.
Hopefully MS will address this, we are really relying here on the quality of this service and the strength of the user password, which makes me pretty uncomfortable.
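Added editor's example (not code from this thread, from Microsoft, or from any Microsoft tool): a small triage script that does what synclan describes, namely reading sign-in records rather than the cluttered audit log, picking out the BAV2ROPC attempts, flagging source IPs that cycle through many distinct users in a short window (the password-spray pattern), and separately listing any BAV2ROPC sign-in that actually obtained a token, since that is the subset that needs a password reset and a session review. The record layout (userPrincipalName, ipAddress, userAgent, status.errorCode, createdDateTime) is loosely modelled on an Azure AD sign-in log export and is an assumption of this example; the sample records and their IPs are constructed (RFC 5737 documentation ranges), and error code 0 is used for success and 50126 for invalid username or password.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records. Field names are an assumption modelled on
# an Azure AD sign-in log export; IPs are from the RFC 5737 documentation ranges.
# errorCode 0 = token issued, 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2020-10-14T08:00:05Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
    {"createdDateTime": "2020-10-14T08:00:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
    {"createdDateTime": "2020-10-14T08:01:12Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
    {"createdDateTime": "2020-10-14T08:01:50Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
    # One guess in the same spray succeeded: this is the record that matters most.
    {"createdDateTime": "2020-10-14T08:02:10Z", "userPrincipalName": "eve@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "BAV2ROPC", "status": {"errorCode": 0}},
    # A normal interactive browser sign-in; not legacy auth, so it is not flagged.
    {"createdDateTime": "2020-10-14T08:03:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "status": {"errorCode": 0}},
    # A single BAV2ROPC failure from another IP: noise, below the spray threshold.
    {"createdDateTime": "2020-10-14T09:15:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.55", "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_ropc(record):
    """True when the sign-in was made with the BAV2ROPC legacy-auth client."""
    return record.get("userAgent") == "BAV2ROPC"


def spray_sources(records, window=timedelta(minutes=10), min_users=3):
    """Map source IP -> largest number of distinct users it tried via BAV2ROPC
    inside any single `window`; only IPs reaching `min_users` are returned."""
    by_ip = defaultdict(list)
    for rec in records:
        if is_ropc(rec):
            by_ip[rec["ipAddress"]].append(
                (parse_time(rec["createdDateTime"]), rec["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over time-ordered attempts
        best = 0
        for i, (start, _) in enumerate(events):
            users = {user for ts, user in events[i:] if ts - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def successful_ropc(records):
    """(user, ip, time) for every BAV2ROPC sign-in that was actually issued a token."""
    return sorted(
        (rec["userPrincipalName"], rec["ipAddress"], rec["createdDateTime"])
        for rec in records
        if is_ropc(rec) and rec["status"]["errorCode"] == 0
    )


def triage(records, **kwargs):
    """Combine both views into one report suitable for an alert body."""
    return {"spray_sources": spray_sources(records, **kwargs),
            "ropc_successes": successful_ropc(records)}


if __name__ == "__main__":
    report = triage(SAMPLE_SIGNINS)
    for ip, count in report["spray_sources"].items():
        print(f"spray source {ip}: {count} distinct users attempted via BAV2ROPC")
    for user, ip, when in report["ropc_successes"]:
        print(f"TOKEN ISSUED via BAV2ROPC: {user} from {ip} at {when}")
```

The two outputs answer different questions: the spray list says which IPs to watch (and, as synclan notes, they may be Microsoft-hosted or domestic, so IP allow-listing is not a reliable fix), while the success list is the actionable set. Because BAV2ROPC is a legacy-authentication client, the mitigation that does not depend on source IP is blocking legacy authentication for the tenant (Security Defaults or a Conditional Access policy scoped to legacy clients), which stops the token issuance that the success list is tracking.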
NitinGangwar
Oct 14, 2020, Copper Contributor
synclan, I have also seen lots of BAV2ROPC activity for my users.
This time the country is the Netherlands. IP 185.222.57.165