Strange Login from Microsoft Azure CLI and MFA bypassed

Daniel Birrell 41 Reputation points
2022-08-07T08:52:39.3+00:00

Hi,

Not sure if this is the correct forum for this question. If there is a more specific place for security-related questions, please let me know.

I am looking at a potential breach after a suspicious logon was triggered in our environment.

The login came from an IP address based in the USA. It is tagged as belonging to Amazon.

The login application within Azure is Microsoft Azure CLI. The user in question has no Azure rules assigned but is an admin account and has on-prem privileges.

Although the account is subject to Conditional Access, MFA wasn't used in the successful login. The Conditional Access tab in the sign-in properties tells us that CA was not applied.

I have tested on my own account and when I download Azure CLI and connect from my machine I am subject to MFA.

So we cannot understand how this has happened and why this user wasn't subject to MFA.

Has anyone come across something similar in their travels?


1 answer

  1. Ed Harrison-MSFT 301 Reputation points
    2022-08-09T07:58:14.353+00:00

    @Daniel Birrell - thanks for your question.

    There could be various legitimate reasons why MFA wasn't applied in this case. In the sign-in logs, do any of the other detailed tabs for the sign-in provide any additional information - for example, in the "Basic Info", do the "Additional details" provide any hints, such as a previous MFA claim being in the sign-in token (which would indicate that the user had an earlier sign-in which did have MFA, in which case you should search for previous sign-ins from the same user)?

    Ultimately, if there's nothing obvious from the logs, the best bet would be to raise a support ticket as support should be able to dig into your logs and fully understand what is going on.

    -----

    If this has helped at all, please upvote and "mark as answer" to help others with similar questions in the future

    1 person found this answer helpful.
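The check suggested in the answer above, applied to an exported sign-in log, as an added example that is not part of the original thread or any Microsoft tooling: it picks out successful Microsoft Azure CLI sign-ins where Conditional Access was not applied, looks for an MFA-claim hint in the additional details, and lists the same user's earlier MFA sign-ins. Field names are assumed to follow the Microsoft Graph `signIn` JSON export; the matched hint string, the verdict labels and every sample record are constructed for illustration.

```python
from datetime import datetime

def rec(id_, user, when, app, ca, req, details=None, ip="203.0.113.10"):
    """Build one constructed record shaped like an exported sign-in log entry."""
    return {"id": id_, "userPrincipalName": user, "createdDateTime": when,
            "appDisplayName": app, "conditionalAccessStatus": ca,
            "authenticationRequirement": req, "ipAddress": ip,
            "status": {"errorCode": 0, "additionalDetails": details}}

# Constructed sample data (not from the thread); IPs are documentation ranges.
SAMPLE = [
    rec("s1", "admin.a@example.com", "2022-08-01T08:00:00Z", "Azure Portal",
        "success", "multiFactorAuthentication"),
    rec("s2", "admin.a@example.com", "2022-08-02T09:30:00Z", "Microsoft Azure CLI",
        "notApplied", "singleFactorAuthentication",
        "MFA requirement satisfied by claim in the token", "198.51.100.7"),
    rec("s3", "admin.b@example.com", "2022-08-03T02:15:00Z", "Microsoft Azure CLI",
        "notApplied", "singleFactorAuthentication", None, "198.51.100.7"),
    rec("s4", "admin.b@example.com", "2022-08-04T10:00:00Z", "Microsoft Azure CLI",
        "success", "multiFactorAuthentication"),
]

def when(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))

def triage(records, app="Microsoft Azure CLI"):
    """Classify successful sign-ins to `app` where Conditional Access was not applied."""
    ordered = sorted(records, key=when)
    findings = []
    for i, r in enumerate(ordered):
        if (r["appDisplayName"] != app or r["status"]["errorCode"] != 0
                or r["conditionalAccessStatus"] != "notApplied"):
            continue
        details = (r["status"].get("additionalDetails") or "").lower()
        has_claim = "claim in the token" in details
        # Earlier successful MFA sign-ins by the same user: where a reused claim could originate.
        earlier = [p["id"] for p in ordered[:i]
                   if p["userPrincipalName"] == r["userPrincipalName"]
                   and p["status"]["errorCode"] == 0
                   and p["authenticationRequirement"] == "multiFactorAuthentication"]
        verdict = ("prior-mfa-claim" if has_claim and earlier
                   else "claim-without-source-in-export" if has_claim
                   else "no-mfa-evidence")  # nothing in the log explains the missing MFA
        findings.append({"id": r["id"], "user": r["userPrincipalName"],
                         "ip": r["ipAddress"], "verdict": verdict, "earlier_mfa": earlier})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A `no-mfa-evidence` result is the case the answer hands to support: nothing in the exported records accounts for the sign-in succeeding without MFA.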