office 365
MFA and Powershell
Hi. I am testing MFA on some admin users. I have given the MFA admins an EMS license so whitelisting of IPs is supported. So I have whitelisted our office IP, and when my admin goes to https://outlook.office365.com, MFA is not active. Doing so outside the office asks for an MFA code, so I'm sure it works. But when the same admin starts an Azure PowerShell connection to https://outlook.office365.com/powershell-liveid/ it fails. When using an admin account without MFA it works fine... I can't seem to find out what the difference is; can anyone tell me? My goal is to enable MFA for all global admins, but of course they will need to be able to connect to Office 365 via PowerShell...
Authenticating to O365 using Powershell and MFA

I am running into issues with authenticating to O365 on PowerShell; in this case my account has been enabled with MFA. I already installed the preview from https://blogs.technet.microsoft.com/enterprisemobility/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands/ and the authentication basically works, but then comes the question of how to authenticate with Exchange Online. I found a post already where an MSFT engineer states that the only way here would be to create a dedicated admin account without MFA enabled, but we strictly enabled MFA on admin accounts for security reasons. I noticed that there are no plans on UserVoice (but some suggestions) to enable this. Has anyone already found another solution (except for creating another account without MFA)?
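Added example, not code from either of the two posts above. The remoting endpoint both posters connect to (https://outlook.office365.com/powershell-liveid/ through New-PSSession with Basic authentication) only ever receives a username and password, so there is no point in that exchange at which an MFA challenge can be completed; that is why it works for the MFA-exempt account and fails for the others. The ExchangeOnlineManagement module instead performs the sign-in through the Azure AD login page, where the MFA prompt is answered, and for unattended jobs supports certificate-based app-only authentication, so no MFA-exempt twin account is needed. The UPN, tenant name, AppId and certificate thumbprint are placeholders.

```powershell
# Added example, not code from the thread. Needs the ExchangeOnlineManagement module (3.x):
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
# Placeholders: admin@contoso.com, contoso.onmicrosoft.com, the AppId and the certificate thumbprint.
Import-Module ExchangeOnlineManagement

# Interactive: the module hands sign-in to the Azure AD login page, which is where the MFA
# challenge is answered, so the global admin keeps MFA instead of needing an MFA-exempt account.
# (Add -Device on a host with no browser to use the device-code flow instead.)
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com' -ShowBanner:$false

# Unattended: a scheduled script cannot answer an MFA prompt. Register an app, grant it the
# Exchange.ManageAsApp application permission, assign it an Exchange admin role, and sign in
# with a certificate (app-only auth) rather than keeping a password-only service account around.
# Connect-ExchangeOnline -AppId '00000000-0000-0000-0000-000000000000' `
#   -CertificateThumbprint 'THUMBPRINT' -Organization 'contoso.onmicrosoft.com' -ShowBanner:$false

# Check which identity the session runs as before running anything that changes the tenant.
Get-ConnectionInformation | Select-Object UserPrincipalName, ConnectionUri, TokenStatus

# Close the session so no token-bearing runspace is left behind on the admin workstation.
Disconnect-ExchangeOnline -Confirm:$false
```

The interactive line is the one that answers the question as asked: the admin keeps MFA and still gets a remote PowerShell session. The commented certificate variant is the replacement for the "dedicated admin account without MFA" workaround: the credential is a private key on the job host, not a password that a spray or phish can recover.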
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC

Hello, I have an activity alert set up to email me whenever a log-in is detected from one of my 12 Office 365 email users. These emails contain the username logging in and the IP address the log-in originated from. Until the end of 2019, all IP addresses were expected, either being that of the office, the Vodafone mobile network or the home addresses of the sales guys. In 2020, I have started getting log-in alerts which, according to https://whatismyipaddress.com/, are from Microsoft data centres in Ireland, Holland and Austria, all with "Microsoft Corporation" as the ISP and sometimes with the same for the Organisation and sometimes with "Microsoft Azure", e.g. 40.101.88.221 (Amsterdam), 40.101.102.149 (Dublin). Worried about potential breaches, I contacted Microsoft Support (who, by the way, are always ON IT, thank you), who helped me find info in the audit log to say the User Agent is BAV2ROPC, which led me to this page https://www.reddit.com/r/Office365/comments/bl90gw/bav2ropc_user_agent_in_logs/ where someone's found it means "Business Apps v2 Resource Owner Password Credential", which is apparently the User Agent for an updated version of Outlook Mobile. I have a couple of questions / observations and wondered if anyone could shed any light on this.

1) My users don't know their passwords, so it's highly unlikely they've been phished, so I don't think these are breaches.
2) My email account has triggered log-ins from Microsoft IP addresses, and I have 2-factor authentication turned on, where I receive a text message code to my mobile. I have not received texts in relation to these log-ins, so again I don't think it's a breach.
3) I don't use Microsoft Outlook on my mobile, so I don't think I'd be generating this BAV2ROPC user agent (but I am on the Activity Alerts).
4) If it was a device I was using causing this user agent, why aren't the Activity Alerts logging my IP address from my device's location?
5) My account is used to sign in programmatically in a piece of software I wrote, so that could explain it for my account, but I'm also getting alerts for users who only access their email on their Android phone in the built-in email app.
6) The frequency at which I'm receiving Activity Alerts from Microsoft IP addresses is increasing. I get a few a day now.

In summary, I don't think there's anything untoward going on, but as a responsible admin, I'd like to understand exactly what's occurring. Many thanks, Dave
Preview of Azure AD Conditional Access Policies for devices, users and applications

The folks at the Microsoft identity division have just released the preview of Azure AD Conditional Access Policies for devices, users and applications in protecting the resource - this includes Office 365! More details on this new feature in the link below. https://techchirag.com/2016/08/10/preview-of-azuread-conditional-access-policies-for-devices-users-and-applications-office365/
Changes to authentication requirements for the Office 365 home page

Hi all, we're making some changes to the authentication flow for the Office 365 home page. Beginning August 9, accessing the authenticated Office 365 home page (either through https://portal.office.com or https://www.office.com) will require that your users satisfy the Azure Active Directory Premium Conditional Access policies that you have applied to either Exchange Online or SharePoint Online. After this change, users who do not satisfy your policies will be unable to authenticate to the Office 365 home page. Other web links on the portal.office.com domain, but with a different URL path, will be unaffected. If you have users who don't satisfy these policies but still need to install the desktop Office apps from the home page, they will need to install the Office apps directly from http://aka.ms/office-install. Otherwise, no immediate action is required. For more information visit Office 365 Support.
+ David Annesley-DeWinter
Enforce MFA to external users

Is there any news on enforcing MFA for O365 external users when they access externally shared SPO sites? Right now the challenge is that we cannot enforce MFA on external users, and MFA can be enabled only for licensed users. Azure B2B is in public preview, but I am assuming that this capability will be available as part of Azure B2B GA, as mentioned in the current limitations https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-current-preview-limitations/. So the question is: if it is enabled, will it also apply to the normal external sharing scenario (with Azure B2B)?
Office 365 MFA with Azure AD Sync Tool Service Account

We have recently started looking at the security state of our O365 tenant with the Secure Score tool (https://securescore.office.com). One of the suggestions to raise the score is to enable MFA for all Global Admin accounts. However, the Azure AD sync tool has a user/service account that requires the Global Admin role to be assigned to it (as noted in the first referenced link below). Additionally, other Office 365 admin roles are not permitted directory sync access (as noted in the second link below). Seeing as the sync is an automated process, there is no way that I know of to approve a login with MFA. I have been unable to locate any articles around the Azure AD sync tool, nor a way to add an exception to the Secure Score portal for this user account. Has anyone come across a solution for either adding MFA to a service account or creating an exception for a service account in Secure Score?
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles
Authentication with ADAL using managed Mobile devices

Hi everybody, I am facing a very strange authentication problem in my app. To get a valid ADAL token I use the adaljs library, which works fine. I get a valid token and can connect to my Azure App Service. The app that runs in the Azure App Service then uses my ADAL token to get a new token. I create a UserAssertion object from the token I got from JavaScript adaljs. I need to do this, because otherwise I could not connect to SharePoint Online without getting a 401 Unauthorized. The code works perfectly fine for desktop browsers but fails when I try to access my App Service with a mobile device and an ADFS-managed user. Using a "cloud only" user works fine, but whenever I try to use a user which gets synced from my AD I get the following error when trying to get the second token: AADSTS50131: Your device is required to be managed to access this resource. The problem here is that the device is definitely managed. When I add an exception for this user in Intune, I can access the app via the mobile device. Does anybody have a clue what the problem could be here? Any help would be appreciated. Thanks in advance, Alex
Failed log on (Failure message: Account is locked because user tried to sign in too many times with

My company has been experiencing an attack from (random) China IP addresses for a while and I can't seem to block them. I'm getting these errors "Failed log on (Failure message: Account is locked because user tried to sign in too many times with an incorrect user ID or password)" every few days on a few of my privileged users. I've tried:
- Turning on Modern Authentication in Azure AD
- Enabling Block legacy authentication
- Turning off POP and IMAP access via Exchange admin
- Turning on MFA for the privileged users
The redacted (with *) source app connector data is below. I'm wondering if there is a way to block OrgIdWsTrust2:process or Unknown(CBAInPROD), or if there is something else I can block to stop this. Thanks for your help!

{
  "UserName": "",
  "MfaResult": null,
  "DeviceInfo": "Unknown(CBAInPROD)",
  "LoginErrorCode": 50053,
  "DeviceTrustType": "",
  "IsInteractive": false,
  "Call": "OrgIdWsTrust2:process",
  "LoginStatus": "Failure",
  "MfaMaskedDeviceId": null,
  "IpAddress": "182.38.105.229",
  "UserTenantId": "****",
  "EventType": "MCASLoginEvent",
  "IsInteractiveComputed": null,
  "ApplicationId": "***",
  "CorrelationId": "***",
  "ApplicationName": "Office 365",
  "SasStatus": null,
  "TimeStamp": "2019-07-02T01:11:36.4486831Z",
  "HomeTenantUserObjectId": "***",
  "MfaRequired": false,
  "RequestId": "***",
  "TenantId": "***",
  "MfaAuthMethod": null,
  "MfaStatusRaw": null,
  "IsDeviceCompliantAndManaged": false,
  "BrowserId": null,
  "UserTenantMsodsRegionScope": "NA",
  "DataSource": null,
  "UserPrincipalObjectID": "***",
  "Upn": "***",
  "MsodsTenantRegionScope": "NA"
}
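Added example, not code from this thread or from the BAV2ROPC activity-alert thread above; it serves both. Both posters are looking at the same class of event from different angles: sign-ins that arrive over legacy, password-only protocols. BAV2ROPC identifies a client using the resource owner password credentials grant, which posts the password straight to the token endpoint with no interactive step at which MFA could be challenged (matching observation 2 in the earlier post), and OrgIdWsTrust2:process is the WS-Trust endpoint that password-spray tooling favours for the same reason. The script below classifies exported sign-in records by protocol, lists who is still authenticating over legacy auth (what you need to know before a "block legacy authentication" policy is safe to turn on), and groups the AADSTS50053 lockouts by source IP so the spray source can be fed into a named-location block. The records are constructed sample data shaped like the MCAS event above with a UserAgent field added from the unified audit log; the IPs are the ones quoted in the two posts plus documentation ranges, and the UPNs are placeholders.

```powershell
# Added example, not code from either thread. The events are CONSTRUCTED sample data shaped like
# the MCAS sign-in record in the post, plus a UserAgent field as seen in the unified audit log.
# UPNs are placeholders; IPs are the ones quoted in the posts or documentation ranges.
$rawEvents = @'
[
 {"Upn":"alice@contoso.com","UserAgent":"BAV2ROPC","Call":null,"DeviceInfo":null,"IpAddress":"40.101.88.221","LoginStatus":"Success","LoginErrorCode":0,"IsInteractive":false,"TimeStamp":"2020-01-06T08:11:02Z"},
 {"Upn":"bob@contoso.com","UserAgent":"BAV2ROPC","Call":null,"DeviceInfo":null,"IpAddress":"40.101.102.149","LoginStatus":"Success","LoginErrorCode":0,"IsInteractive":false,"TimeStamp":"2020-01-06T08:14:40Z"},
 {"Upn":"alice@contoso.com","UserAgent":"Mozilla/5.0","Call":null,"DeviceInfo":"Windows10","IpAddress":"203.0.113.10","LoginStatus":"Success","LoginErrorCode":0,"IsInteractive":true,"TimeStamp":"2020-01-06T09:00:00Z"},
 {"Upn":"admin1@contoso.com","UserAgent":null,"Call":"OrgIdWsTrust2:process","DeviceInfo":"Unknown(CBAInPROD)","IpAddress":"182.38.105.229","LoginStatus":"Failure","LoginErrorCode":50053,"IsInteractive":false,"TimeStamp":"2019-07-02T01:11:36Z"},
 {"Upn":"admin2@contoso.com","UserAgent":null,"Call":"OrgIdWsTrust2:process","DeviceInfo":"Unknown(CBAInPROD)","IpAddress":"182.38.105.229","LoginStatus":"Failure","LoginErrorCode":50053,"IsInteractive":false,"TimeStamp":"2019-07-02T01:12:02Z"},
 {"Upn":"admin1@contoso.com","UserAgent":null,"Call":"OrgIdWsTrust2:process","DeviceInfo":"Unknown(CBAInPROD)","IpAddress":"198.51.100.77","LoginStatus":"Failure","LoginErrorCode":50126,"IsInteractive":false,"TimeStamp":"2019-07-02T01:13:10Z"}
]
'@
$events = $rawEvents | ConvertFrom-Json

function Get-AuthProtocol {
    param([Parameter(Mandatory)] $Record)
    # ROPC = Resource Owner Password Credentials: the client posts the raw password to the
    # token endpoint, so there is no interactive step at which MFA can be challenged.
    if ($Record.UserAgent -eq 'BAV2ROPC') { return 'Legacy-ROPC' }
    # WS-Trust is the legacy username+password endpoint; sprayers use it because it never
    # shows an MFA or Conditional Access prompt.
    if ($Record.Call -like 'OrgIdWsTrust*') { return 'Legacy-WSTrust' }
    if ($Record.IsInteractive) { return 'Modern-Interactive' }
    return 'Modern-NonInteractive'   # assumption: anything else is treated as token-based auth
}

function Get-LegacyAuthReport {
    # One row per (user, protocol) still arriving over legacy auth, with the source IPs, so you
    # know which users and apps will break before a block-legacy-auth policy is enforced.
    param([Parameter(Mandatory)] [object[]] $Records)
    $Records |
        ForEach-Object { [pscustomobject]@{ Upn = $_.Upn; Protocol = (Get-AuthProtocol $_); Ip = $_.IpAddress } } |
        Where-Object { $_.Protocol -like 'Legacy-*' } |
        Group-Object Upn, Protocol |
        ForEach-Object {
            [pscustomobject]@{
                Upn       = $_.Group[0].Upn
                Protocol  = $_.Group[0].Protocol
                Count     = $_.Count
                SourceIps = ($_.Group.Ip | Sort-Object -Unique) -join ','
            }
        }
}

function Get-LockoutSources {
    # 50053 is the "account is locked" code in the posted record. Group those failures by source
    # IP and count distinct victims: one IP locking several privileged accounts within a minute
    # is the spray source to put in a named-location block, whatever protocol it used.
    param([Parameter(Mandatory)] [object[]] $Records, [int] $LockedCode = 50053)
    $Records |
        Where-Object { $_.LoginStatus -eq 'Failure' -and $_.LoginErrorCode -eq $LockedCode } |
        Group-Object IpAddress |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress = $_.Name
                Lockouts  = $_.Count
                UsersHit  = ($_.Group.Upn | Sort-Object -Unique).Count
                Protocol  = (($_.Group | ForEach-Object { Get-AuthProtocol $_ }) | Sort-Object -Unique) -join ','
            }
        }
}

Get-LegacyAuthReport -Records $events | Format-Table -AutoSize
Get-LockoutSources   -Records $events | Format-Table -AutoSize
```

On the sample data the legacy report shows the two BAV2ROPC sign-ins from the Microsoft address ranges and the WS-Trust failures against the two admin accounts, and the lockout report collapses to the single source IP that hit both admins. Against real data, replace the here-string with the output of the audit-log export you already use; the classification relies only on the UserAgent, Call and IsInteractive fields. Blocking legacy authentication with Conditional Access is the change that removes both rows at once: a BAV2ROPC client and a WS-Trust sprayer are refused at the same gate, and the lockouts stop because the password is never evaluated.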