Code - 50173

Brass Contributor

Hi,

I see a number of Risky Sign-ins with the code 50173 - Fresh auth token is needed. Have the user re-sign using fresh credentials. And the status is "Failure".

But I noticed the IP address captured is of another country. How to interpret the error code?

Thanks.

11 Replies
Hi cllee,

Not sure why it shows from different country, but this message refers to token expiration and needs to be refreshed. There are some ways to extend the token lifetime like Conditional Access.

Are you checking the logs from MCAS? If not, I would check from that side as the logs more organized.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...


@Moe_Kinani 

 

Is there a possibility where someone else has also setup the access to the user account from another country? 


Thanks.

Do you have MFA in place?If yes, It could be false alarm.

Again I would check Microsoft Cloud App Security for more details about the incident.

Moe

@cllee 

 

If you get an alert from Identity Protection, you can never be 100% sure why it was flagged as risky as Microsoft keeps these methods confidential.

 

I would suggest you check with the never if he has any clue why this login occurred ( he might be travelling, using roaming data or VPN).

 

If he doesn't know anything about this login, I would advise you to change his password and expire all his tokens. Even if he has MFA, his account could still be breached.

 

@Thijs Lecomte 

 

Thanks for your advice. I have reset the password.
If the status of the code shows "Failure", is that also indicating that the user account has been compromise? Or someone did successfully gain access to the account prior to this?

Or it could be just an attempt? Thanks.


Hi cllee,

Failure means not ‘compromised’ and didn’t get access. Anytime you mistype your password or someone tries to brute force your account, it gets logged on Azure/ MCAS.

You can use Security & Compliance Console (Compliance now)->Search->Audit Log Search. This should give you more details about the incident.
Moe

@cllee 

You need to review the sign-in and check what the failure reason is.

 

If it failed because of a bad PW, no harm done

 

If it failed because of MFA, this is a breach as the password has been breached.

@Thijs Lecomte 


I think is not MFA. This is the failure reason.


Sign-in error code :
 50173
Failure reason: Fresh auth token is needed. Have the user re-sign using fresh credentials.


I assume someone out there is trying to established the connection. But I wasn't sure whether by "token auth", does it mean somebody has successfully created/login to the account before.

@cllee 

 

I haven't seen this before.

 

A token is given to the user after successful authentication. 

The error makes it seem that the token is expired, which would indicate that the user has signed into that device before.

@Thijs Lecomte 

Is this anything we can do based on the information captured by the Sign-In data? Like the IP address of the session? Block it or any security measure? Thanks.

I would check with the user first to double check if the alert was legit.

If it wasn't legit, blocking an IP doesn't help much as attackers change IP addresses every minute.
I would advise you to check how the attacker was able to log into the account and work from there