Blocked sign-in due to IP. What about password?

Shimshey Rosenberg 21 Reputation points
2019-12-09T15:17:47.793+00:00

When seeing a blocked sign in that says "Failure reason: Sign-in was blocked because it came from an IP address with malicious activity."
Does this mean that they used the correct password and were blocked after entering the password? Or that they were blocked before having a chance to enter the password?


9 answers

  1. KAREDD-MSFT 406 Reputation points Microsoft Employee
    2019-12-09T17:05:30.52+00:00

    @Hashim Siddiqui Azure will not perform these checks until the user enters the password. They will be blocked after entering the credentials. If you are seeing this error it most likely means that the user entered the correct password and was blocked because of the IP address.

    I will confirm this with the product group and will update the thread as soon as possible.

    1 person found this answer helpful.

  2. AmanpreetSingh-MSFT 56,311 Reputation points
    2019-12-09T17:10:13.26+00:00

    The message "Failure reason: Sign-in was blocked because it came from an IP address with malicious activity." will be displayed only after the correct password is entered from a malicious IP address.

    If an incorrect password is entered, the user will get the "Your account or password is incorrect. If you don't remember your password, reset it now." message. The sign-in risk will not be detected in this case.

    -----------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.

  3. Shimshey Rosenberg 21 Reputation points
    2019-12-17T16:30:05.267+00:00

    Lots of back and forth with Microsoft Support, reviewing logs and more.
    Apparently, @AmanpreetSingh-MSFT and @KAREDD-MSFT were answering according to some outdated documentation in the best case.

    My current understanding on this subject is that this error message does not mean that anyone used the correct password.
    These are most likely brute-force attempts. They would run some legacy authentication methods where they send the username and password at once.
    Microsoft evaluates all sign-ins coming in to any Microsoft directory. When an IP has X amount of failed usernames and/or passwords, Microsoft would then flag the IP as malicious and then block the sign-ins no matter if the password matches or not. Error 50053 has two definitions.

    • Sign-in was blocked because it came from an IP address with malicious activity.
    • Account is locked because user tried to sign in too many times with an incorrect user ID or password.

    The second one is actually the definition currently publicized in the official documentation, but both of the above reasons use the same ID.

    You won't always see an error prior to seeing that "Sign-in was blocked because it came from an IP address with malicious activity." and this is because that IP address was flagged prior to trying your tenant/account.

    This of course is solely my opinion and it is unfortunate to see "Microsoft Employees" (according to their profile here) are answering questions with incorrect information.

    Additionally, I am completely disappointed that I had to go in circles with Microsoft support and simply have to "prove" to them that the answers they are providing me can't be true.

    --
    The above is solely my understanding on this matter and I felt like posting it simply for others that stumble into this to understand what's going on.

    3 people found this answer helpful.
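
Added example (not part of any post in this thread, and not Microsoft's code): a triage pass over exported sign-in records that separates the two failure reasons reported under error 50053 and, because the failure reason alone does not settle whether the password was valid, flags accounts with a successful sign-in from an IP that was blocked for them. The field names are assumed to follow the Microsoft Graph `signIn` shape; the records, users, and IP addresses are constructed.

```python
from collections import defaultdict

# The two failure reasons the thread reports under error 50053.
IP_MSG = "Sign-in was blocked because it came from an IP address with malicious activity."
LOCK_MSG = ("Account is locked because user tried to sign in too many times "
            "with an incorrect user ID or password.")

def rec(user, ip, code, reason=""):
    """Constructed record; field names assumed to follow the Graph signIn shape."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code, "failureReason": reason}}

# Constructed sample data: documentation IP ranges, made-up users.
SAMPLE = [
    rec("alice@example.com", "203.0.113.7", 50053, IP_MSG),
    rec("alice@example.com", "203.0.113.7", 50053, IP_MSG),
    rec("alice@example.com", "198.51.100.4", 0),
    rec("bob@example.com", "192.0.2.9", 50053, LOCK_MSG),
    rec("carol@example.com", "203.0.113.7", 50053, IP_MSG),
    rec("carol@example.com", "203.0.113.7", 0),
]

def classify(record):
    """Return which 50053 meaning a record carries, or None for other codes."""
    status = record.get("status", {})
    if status.get("errorCode") != 50053:
        return None
    reason = status.get("failureReason", "")
    if "malicious activity" in reason:
        return "ip_blocked"
    if "Account is locked" in reason:
        return "account_locked"
    return "unknown"

def triage(records):
    """Per user: 50053 counts by meaning, blocked IPs, successes from those IPs."""
    report = defaultdict(lambda: {"ip_blocked": 0, "account_locked": 0, "unknown": 0,
                                  "blocked_ips": set(), "success_from_blocked_ip": False})
    for r in records:
        label = classify(r)
        if label:
            entry = report[r["userPrincipalName"]]
            entry[label] += 1
            if label == "ip_blocked":
                entry["blocked_ips"].add(r["ipAddress"])
    for r in records:  # second pass: success from an IP that was blocked for this user
        user, ok = r["userPrincipalName"], r["status"]["errorCode"] == 0
        if ok and user in report and r["ipAddress"] in report[user]["blocked_ips"]:
            report[user]["success_from_blocked_ip"] = True
    return dict(report)
```

Accounts where `success_from_blocked_ip` is true are the ones to review first, for example with a password reset and a look at the session that succeeded.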

  4. AmanpreetSingh-MSFT 56,311 Reputation points
    2019-12-19T10:11:41.14+00:00

    @Shimshey Rosenberg Unfortunately, your understanding is not completely correct. There are 3 different things here:

    1. Machine learning
    2. Sign-in Risk detection
    3. Account lockout.

    First, Azure AD Identity Protection uses Machine Learning to mark an IP address as a suspicious address. An IP address is marked as suspicious only if a high number of failed sign-in attempts come from that address during a short period of time. The IP address will be marked as malicious by the Machine Learning algorithm. This shouldn't be considered risk detection, as going forward this would help with risk detection.

    Risk Detection: Once the IP address is marked as a suspicious address and a sign-in attempt is made from that address, that will be considered a Risky Sign-in. This is considered risk detection. However, if you enter an incorrect password during sign-in from a malicious address, you will get the "Your account or password is incorrect. If you don't remember your password, reset it now." message.

    The error "Account is locked because user tried to sign in too many times with an incorrect user ID or password." completely depends on the below setting:
    [image]

    -----------------------------------------------------------------------------------------------------------

    If this helps clarifying your questions, please mark it as Accepted Answer.


  5. Shimshey Rosenberg 21 Reputation points
    2019-12-19T14:43:23.01+00:00

    @AmanpreetSingh-MSFT, I appreciate you getting back to me. I certainly believe that at least now you did the proper research before answering.

    The whole point of my previous comment was that the paragraph below is completely wrong and misleading.

    The message "Failure reason Sign-in was blocked because it came from an IP address with malicious activity." will be displayed only after correct password is entered from a malicious IP address.

    According to what I wrote, and to the best of my current knowledge on this subject, this is NOT true. You can, and will, see this failure reason in the logs, regardless of a correct or incorrect password being entered.

    Being that you are a Microsoft employee (according to your profile), can you agree that this is the case?

    "Sign-in was blocked because it came from an IP address with malicious activity does not mean that anyone answered the correct password"

    True or not?
