Blocked sign-in due to IP. What about password?

Shimshey Rosenberg 21 Reputation points
2019-12-09T15:17:47.793+00:00

When seeing a blocked sign in that says "Failure reason
Sign-in was blocked because it came from an IP address with malicious activity."
Does this mean that they used the correct password and were blocked after entering the password? Or that they were blocked before having a chance to enter the password?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

9 answers

  1. Gabriel Rocha de Oliveira 0 Reputation points
    2023-09-27T13:01:18.1833333+00:00

    I read the entire thread!

    Basically then the error: "Sign-in was blocked because it came from an IP address with malicious activity" (failure reason)

    It doesn't mean that the "attacker" was able to enter the password correctly, right?

    Unlike another known failure reason which in turn is actually the result of a correct password: "Access has been blocked by Conditional Access policies. The access policy does not allow token issuance."


  2. Sandy Jiang 6 Reputation points
    2021-10-15T21:24:31.293+00:00

    @Shimshey Rosenberg We state the following in our documentation:
    The IP can be blocked due to malicious activity from the IP address. The IP blocked message does not differentiate whether the credentials were correct or not. If the IP is blocked and correct credentials are not used, it will not generate an Identity Protection detection.

    https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/troubleshooting-identity-protection-faq#why-was-my-sign-in-blocked-but-identity-protection-didnt-generate-a-risk-detection

    A sign-in with both correct and incorrect credentials can be blocked due to IP malicious activity. In the Authentication Details of the sign-in you will be able to see if the correct or incorrect password was entered.

    1 person found this answer helpful.
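As an added illustration of the point made in this answer (this is example code, not Microsoft's and not from the thread), here is a small triage script over sign-in records exported in the Microsoft Graph `signIn` shape. It treats the "IP address with malicious activity" failure reason as saying nothing about the password by itself, and then reads the per-step `authenticationDetails` to find out whether the password was correct, so that only users whose correct password was presented from a blocked IP are queued for credential review. The sample records, user names and the exact step-result strings ("Correct password" / "Incorrect password") are constructed assumptions; the error codes 50053, 50126 and 53003 are the ones commonly seen beside these failure reasons, but the script keys on the failure-reason text rather than on the code.

```python
"""Triage exported Entra ID / Azure AD sign-in records (constructed example).

Which blocked sign-ins actually carried a correct password? The records
below imitate the Microsoft Graph signIn resource (status.errorCode,
status.failureReason, authenticationDetails[].authenticationStepResultDetail)
but are made up for illustration; field values are assumptions.
"""
from collections import Counter, defaultdict

# Failure-reason text quoted in the thread; matched case-insensitively.
MALICIOUS_IP_MARKER = "ip address with malicious activity"
CONDITIONAL_ACCESS_MARKER = "blocked by conditional access"
INVALID_CREDENTIALS_MARKER = "invalid username or password"

# Constructed sample export (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50053, "failureReason":
                "Sign-in was blocked because it came from an IP address with malicious activity."},
     "authenticationDetails": [{"authenticationMethod": "Password",
                                "authenticationStepResultDetail": "Correct password"}]},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50053, "failureReason":
                "Sign-in was blocked because it came from an IP address with malicious activity."},
     "authenticationDetails": [{"authenticationMethod": "Password",
                                "authenticationStepResultDetail": "Incorrect password"}]},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50053, "failureReason":
                "Sign-in was blocked because it came from an IP address with malicious activity."},
     "authenticationDetails": []},   # no step detail exported: password outcome unknown
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126, "failureReason":
                "Error validating credentials due to invalid username or password."},
     "authenticationDetails": []},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.44",
     "status": {"errorCode": 53003, "failureReason":
                "Access has been blocked by Conditional Access policies. The access policy does not allow token issuance."},
     "authenticationDetails": [{"authenticationMethod": "Password",
                                "authenticationStepResultDetail": "Correct password"}]},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.44",
     "status": {"errorCode": 0, "failureReason": ""},
     "authenticationDetails": []},
]


def password_outcome(record):
    """Return 'correct', 'incorrect' or 'unknown' from the authentication steps.

    The step-result strings are an assumption about the export format.
    'incorrect password' must be tested first: 'correct password' is a
    substring of it, so the naive order would misclassify failed guesses.
    """
    for step in record.get("authenticationDetails", []):
        detail = (step.get("authenticationStepResultDetail") or "").lower()
        if "incorrect password" in detail:
            return "incorrect"
        if "correct password" in detail:
            return "correct"
    return "unknown"


def classify(record):
    """Map one sign-in record to (category, password_outcome)."""
    status = record.get("status", {})
    code = status.get("errorCode", 0)
    reason = (status.get("failureReason") or "").lower()
    if code == 0:
        return ("success", "correct")
    if MALICIOUS_IP_MARKER in reason:
        # The block message alone says nothing about the password (per the
        # documentation quoted above); only the step detail can tell us.
        return ("ip_blocked", password_outcome(record))
    if INVALID_CREDENTIALS_MARKER in reason:
        return ("invalid_credentials", "incorrect")
    if CONDITIONAL_ACCESS_MARKER in reason:
        # Conditional Access evaluates after credential validation, so the
        # password was correct (as stated earlier in the thread).
        return ("conditional_access", "correct")
    return ("other", password_outcome(record))


def summarize(records):
    """Per-user counts of 'category/password_outcome' buckets."""
    per_user = defaultdict(Counter)
    for rec in records:
        cat, pw = classify(rec)
        per_user[rec["userPrincipalName"]][f"{cat}/{pw}"] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def users_needing_credential_review(records):
    """Users whose correct password was presented from a blocked IP."""
    flagged = {rec["userPrincipalName"] for rec in records
               if classify(rec) == ("ip_blocked", "correct")}
    return sorted(flagged)


if __name__ == "__main__":
    for user, counts in summarize(SAMPLE_SIGNINS).items():
        print(user, counts)
    print("credential review:", users_needing_credential_review(SAMPLE_SIGNINS))
```

Feeding the output of a real `signIns` export (for example the JSON returned by the Graph `auditLogs/signIns` endpoint) into `summarize` gives a quick view of how many of the "malicious IP" blocks per user actually carried a correct password, which is the number that should drive a password reset rather than the raw block count.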

  3. AmanpreetSingh-MSFT 56,311 Reputation points
    2019-12-20T07:21:22.843+00:00

    @Shimshey Rosenberg I still DISAGREE with your opinion.

    If you enter an incorrect password, it will fail due to a credential validation failure, not because of sign-in risk.

    Not sure which sign-in logs you are referring to; the correct place to confirm this is Azure AD Identity Protection > Risk Detections. If you are looking into sign-in events for the user account under Azure AD > Users > Sign-ins, it will include all attempts that failed due to risk or invalid credentials. This confirms that only the attempts with correct credentials are considered as risky sign-ins.

    You can test this by installing Tor Browser on a test machine, making a valid sign-in attempt and another attempt with an incorrect password. Check Azure AD Identity Protection > Risk Detections; you will see only one attempt, which was made with correct credentials. This will confirm the behavior is as per my initial response on this thread.

    Please share the result of the test and unmark your answer as Accepted as that might mislead others in the community.

    1 person found this answer helpful.

  4. Shimshey Rosenberg 21 Reputation points
    2019-12-19T14:43:23.01+00:00

    @AmanpreetSingh-MSFT , I appreciate you getting back to me. I certainly believe that at least now you made the proper research before answering.

    The whole point of my previous comment was that the paragraph below is completely wrong and misleading.

    The message "Failure reason Sign-in was blocked because it came from an IP address with malicious activity." will be displayed only after a correct password is entered from a malicious IP address.

    According to what I wrote, and to the best of my current knowledge on this subject, this is NOT true. You can, and will, see this failure reason in the logs regardless of whether a correct or incorrect password was entered.

    Being that you are a Microsoft employee (according to your profile), can you agree that this is the case?

    "Sign-in was blocked because it came from an IP address with malicious activity does not mean that anyone answered the correct password"

    True or not?


  5. Shimshey Rosenberg 21 Reputation points
    2019-12-23T13:59:34.397+00:00

    Good morning @AmanpreetSingh-MSFT

    Sorry for my delayed response, but I was out of the office on Friday.

    First off, I am unable to view the “risk detections” as my subscription does not provide me access to it. I can only see the Azure AD > Users > Sign-Ins. All the comments I have made above in regards to logs are from these logs only.

    I have seen logs mentioning invalid credentials, but this did not change my view on this.

    I will take a moment and assume you are right (not that you are, but building on that), and try to figure out some things. But first, let's summarize what we are seeing in the logs – assuming you are right.

    • A tenant with 150 mailboxes with Azure AD Connect installed for password sync
    • For 70+ users logs are indicating (again, according to you) that someone somewhere tried to gain access using the correct credentials [Question: How do they have the credentials?]
    • All users are forced to change their local AD password, with password policies restricting them from reusing the same passwords as in the past. [Effectively updating the Azure password]
    • Sign-in attempts did not stop. They are still using the correct passwords (according to you)

    The BIG question: How are "they" getting the correct password?
    At this time, I have some possible answers:

    1. Some form of keylogger on ALL on-premises systems (likelihood: low)
    2. Some form of zero-day exploit to AD or AAD Connect that they can retrieve passwords from (likelihood: ???)
    3. Some method of accessing Microsoft’s password database AND reverse engineer it (likelihood: low)

    While I am still weighing these three possible answers (there may be more possibilities, but these are the ones that I was able to come up with...) I saw some “Azure Only” accounts that are not on-prem synced are also being flagged with the same sign in attempts, which according to you, someone has their password.

    So, option 2 above is out of the question. Simply, there is no local AD account for those users, so I moved on to eliminate option 1 (keylogger) by changing those passwords on mobile (a different type of device and a different network). And guess what: although these accounts were not accessed by "anyone" and no one besides me knew their passwords, they were still being flagged!

    Now, I think that I have successfully eliminated all options besides option 3, effectively leaving me with one option from the list above: they somehow can get all passwords from Microsoft directly and reverse engineer the passwords.
    Due to many reasons, I find this highly unlikely, therefore leaving me only one other option, which is that "this error message does NOT mean that anyone tried using the correct password".
    --
    If you still disagree with me please reply in detail why you do

    All the best, Shimshey