Forum Discussion
Detect compromised passwords
- Mar 02, 2020
Hi Huw_W1,
There’s a distinction here between identifying and alerting on this type of activity. As the previous replies have indicated, there are proactive alerting mechanisms in the form of MCAS / Sentinel, but clearly these may carry over a cost to you over more manual ways of identifying this sort of behaviour.
As Vasil suggested, at a base level you will see these reflected in the Azure AD sign-in logs as failed sign-ins (due to lack of MFA, as opposed to an incorrect password, which you will be able to distinguish from the log data). Not as elegant as an alert-based solution (which I’d recommend), but it will allow you to identify those accounts where passwords have been compromised with a bit of leg work.
Obviously this will be supplemented by Microsoft’s leaked credential detection service assuming you have AAD P1 or P2 🙂
Hope this helps,
Kelvin
Thanks for your response, I guess my question is really what should I look for in the sign-in logs to spot a login attempt which presents a correct password but then fails the MFA check?
- Kelvin Papp, Mar 02, 2020, Brass Contributor
You'll see a failure reason of "other" in the sign-in logs, as opposed to "invalid username or password":
or...
The sign-in error code is also key - 500121 above relates to a failed strong authentication in the context of "other":
Regards,
Kelvin
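Added example, not part of the thread or any poster's code: a small Python filter for the manual approach described above, run over exported sign-in records. It assumes the export uses the Microsoft Graph signIn field names (`userPrincipalName`, `ipAddress`, `status.errorCode`); the sample records are constructed, and the "IP never seen succeeding for that user" filter is an added assumption to cut down on users who simply mistyped their MFA code.

```python
import json
from collections import defaultdict

MFA_FAILED = 500121  # error code from the thread: strong authentication failed
SUCCESS = 0          # errorCode 0 means the sign-in succeeded

# Constructed sample records (Graph signIn field names assumed).
SAMPLE = json.loads("""[
 {"createdDateTime": "2020-03-01T08:02:11Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
 {"createdDateTime": "2020-03-01T23:40:02Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "203.0.113.50", "status": {"errorCode": 500121, "failureReason": "Other"}},
 {"createdDateTime": "2020-03-01T23:41:17Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "203.0.113.50",
  "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
 {"createdDateTime": "2020-03-02T09:00:00Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "192.0.2.10", "status": {"errorCode": 500121, "failureReason": "Other"}},
 {"createdDateTime": "2020-03-02T09:00:45Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "192.0.2.10", "status": {"errorCode": 0}}
]""")

def suspected_compromised(records):
    """Return {user: [ips]} where the password was accepted but MFA failed,
    from an IP that has no successful sign-in for that same user."""
    good_ips = defaultdict(set)
    mfa_fail_ips = defaultdict(set)
    for rec in records:
        user = rec["userPrincipalName"].lower()
        code = rec.get("status", {}).get("errorCode")
        if code == SUCCESS:
            good_ips[user].add(rec["ipAddress"])
        elif code == MFA_FAILED:
            mfa_fail_ips[user].add(rec["ipAddress"])
        # Wrong-password failures (AADSTS50126) are ignored on purpose:
        # they do not show that the password is known to the caller.
    flagged = {}
    for user, ips in mfa_fail_ips.items():
        unknown = sorted(ips - good_ips[user])
        if unknown:
            flagged[user] = unknown
    return flagged

if __name__ == "__main__":
    for user, ips in suspected_compromised(SAMPLE).items():
        print(f"{user}: password accepted, MFA failed from {', '.join(ips)}")
```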