Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

AzureAD Signin Logs & Risk Alert

Copper Contributor

In one of our customers, there is an alert related to a global administrator account. There is a conditional access policy in place and password-less sign in is NOT active. Based on sign-in logs, it tells status is failure and sign-in error code is 500121. This attempt is from another country using application 'O365 Suite UX'. 

 

The question is since error 500121 means the user did NOT pass MFA, does that mean that the attacker provided username and 'correct password'? Is it possible to reach MFA stage without providing correct credentials?

Thx,

1 Reply
If a user fails to do MFA, the password was entered correctly.
I would change the password ASAP