Risky Sign-ins in Azure Entra ID and Identity Protection

Anthony Mansour 5 Reputation points
2024-07-18T16:15:32.8033333+00:00

Hello everyone,

I am seeking some technical advice regarding risky sign-ins in Azure Entra ID and Identity Protection. We have an Azure Entra ID setup with a P2 License, and we are experiencing an overwhelming number of high-severity alerts from Identity Protection in the Defender XDR portal due to risk events.

https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks

Specifically, I have been encountering numerous high-severity alerts such as "Unfamiliar sign-in properties" and "Malicious IP address." These alerts are being generated in the thousands and are becoming difficult to manage.

Here are some details about the situation:

  • Many of these alerts are for different users and originate from random IP addresses.
  • The IP addresses involved are performing brute force attacks, but these attempts are unsuccessful.
  • 90% of these alerts are being triggered when the user account is locked out due to the smart lockout feature being enabled for password protection (based on the 'Sign-in error code': '50053' in the Risky Sign-in Details tab of the Risky sign-ins portal).

Given the volume and nature of these alerts, I need to understand the following:

  1. Are account lockout events taken into consideration in the evaluation of risky sign-in events in Azure Entra ID?
  2. How can I effectively address and manage these high-severity risky alerts, given that they often result from unsuccessful brute force attempts?

Any insights, best practices, or recommendations on how to handle these scenarios would be greatly appreciated.

Thank you!


2 answers

  1. Abiola Akinbade 29,645 Reputation points Volunteer Moderator
    2024-07-18T18:00:46.9333333+00:00

    Hello Anthony Mansour,

    Thanks for your question.

    Yes, Entra ID considers account lockout events when evaluating risky sign-ins.

    For recommendations:

    See:

    https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk?source=recommendations#risky-sign-ins

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola


  2. Raja Pothuraju 24,785 Reputation points Microsoft External Staff Moderator
    2024-08-13T00:02:09.0566667+00:00

    Hello @Anthony Mansour,

    Thank you for your time over the call.

    As we discussed, I have internally reviewed potential methods to stop the high-risk alerts triggered by Identity Protection. The scenario we encountered involves login attempts on user accounts where an attacker is trying to guess the password. Our logs show that all these attempts were unsuccessful. Since Microsoft Entra Smart Lockout is enabled in your tenant, whenever the attacker enters multiple incorrect passwords (not necessarily the same password), the user’s access is temporarily locked for a certain period.

    In addition to Smart Lockout, Microsoft Entra ID also safeguards against attacks by analyzing signals, including IP traffic and identifying anomalous behavior. Microsoft Entra ID automatically blocks these malicious sign-ins and returns the AADSTS50053 - IdsLocked error code, regardless of the password validity.

    These attempts are being made from a malicious IP address and involve unfamiliar sign-in properties, which is why Identity Protection is flagging them as high-risk alerts.

    Unfamiliar sign-in properties are calculated in real-time. This risk detection type considers past sign-in history to identify anomalous sign-ins. The system stores information about previous sign-ins and triggers a risk detection when a sign-in occurs with properties that are unfamiliar to the user. These properties can include IP address, ASN, location, device, browser, and tenant IP subnet.

    The malicious IP address detection is calculated offline. This detection indicates a sign-in from a malicious IP address. An IP address is deemed malicious based on high failure rates due to invalid credentials received from that IP address or other IP reputation sources. In some instances, this detection triggers due to previous malicious activity.

    In this scenario, we can only prevent and secure our environment by configuring risk policies and Entra Smart Lockout. However, we cannot completely stop password spray attacks since they occur before authentication.

    Please refer to the following documents for more details, and let me know if you have any further questions:

    Smart Lockout Documentation

    Identity Protection Risks

    I hope this information is helpful. Please feel free to reach out if you have any further questions.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
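The answer above distinguishes attempts that Entra ID rejected with AADSTS50053 (account locked by Smart Lockout) from sign-ins flagged for unfamiliar properties or a malicious IP address. The script below is an added example, not code from the thread or from Microsoft: it triages a batch of sign-in records so that risky sign-ins blocked by lockout can be reviewed separately from risky sign-ins that actually succeeded, and it lists source IPs that hit several locked accounts. The records are constructed for this example and only borrow the field names of the Graph signIn resource (userPrincipalName, ipAddress, status.errorCode, riskLevelDuringSignIn, riskEventTypes_v2, riskState); the bucket names and thresholds are assumptions.

```python
"""Triage of Entra ID risky sign-in records (added example, not from the thread).

Splits sign-in records into buckets so that attempts Entra ID already blocked
with AADSTS50053 (Smart Lockout) are handled separately from risky sign-ins
that succeeded and therefore need a human to look at them.
"""
from collections import defaultdict

# Error code returned when Entra ID rejects the attempt because the account is
# locked (AADSTS50053 - IdsLocked), as described in the answer above.
SMART_LOCKOUT_ERROR = 50053
SUCCESS = 0

# Constructed sample records modelled on Graph signIn field names. Users, IPs
# (documentation ranges) and risk values are invented for this example.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50053}, "riskLevelDuringSignIn": "high",
     "riskEventTypes_v2": ["maliciousIPAddress"], "riskState": "atRisk"},
    {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50053}, "riskLevelDuringSignIn": "high",
     "riskEventTypes_v2": ["unfamiliarFeatures"], "riskState": "atRisk"},
    {"userPrincipalName": "carol@example.test", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50053}, "riskLevelDuringSignIn": "high",
     "riskEventTypes_v2": ["maliciousIPAddress"], "riskState": "atRisk"},
    {"userPrincipalName": "dave@example.test", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}, "riskLevelDuringSignIn": "medium",
     "riskEventTypes_v2": ["unfamiliarFeatures"], "riskState": "atRisk"},
    {"userPrincipalName": "erin@example.test", "ipAddress": "192.0.2.25",
     "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "high",
     "riskEventTypes_v2": ["maliciousIPAddress"], "riskState": "atRisk"},
    {"userPrincipalName": "frank@example.test", "ipAddress": "198.51.100.200",
     "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none",
     "riskEventTypes_v2": [], "riskState": "none"},
]


def classify(record):
    """Return the triage bucket (assumed names) for one sign-in record."""
    code = record.get("status", {}).get("errorCode", SUCCESS)
    risk = record.get("riskLevelDuringSignIn", "none")
    if risk in ("none", "hidden"):
        return "not_risky"
    if code == SMART_LOCKOUT_ERROR:
        # Entra ID already refused the attempt because the account was locked;
        # the password was never evaluated, so this is noise from a blocked attack.
        return "blocked_by_lockout"
    if code == SUCCESS:
        # A risky sign-in that was allowed through is the one that needs review.
        return "risky_success_investigate"
    # Risky but failed for another reason (e.g. wrong password before lockout).
    return "risky_failure_other"


def triage(records):
    """Group records by bucket; returns {bucket: [records]}."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[classify(rec)].append(rec)
    return dict(buckets)


def noisy_sources(records, min_users=3):
    """Source IPs whose lockout-blocked risky sign-ins span at least min_users accounts.

    These are candidates for a named-location block or for bulk review of the
    corresponding risk detections, rather than per-alert handling.
    """
    per_ip = defaultdict(set)
    for rec in records:
        if classify(rec) == "blocked_by_lockout":
            per_ip[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_SIGNINS).items():
        print(f"{bucket}: {len(recs)}")
    print("noisy sources:", noisy_sources(SAMPLE_SIGNINS))
```

Only the `risky_success_investigate` bucket represents a sign-in that Entra ID let through, so that is where analyst time goes first; the `blocked_by_lockout` bucket is still worth counting per source IP, because a single IP locking out many accounts is the pattern the answer describes, and it can be addressed at the policy level rather than one alert at a time.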

