Well, CA policies act post authentication, so you do seem to have some events where credentials were entered correctly.
Allowed logon time hours and correct credentials
Hi Community,
I've been looking into a large amount of password spraying attempts against our company Azure AD user accounts.
The majority of logon failures are due to incorrect credentials, and we use MFA.
My main question surrounds the following failure reasons:
- "The users attempted to log on outside of the allowed hours (this is specified in AD)."
- "Access has been blocked due to conditional access policies."
What I'm hoping to find out with these two error messages is if they imply that the credentials were correctly entered, but failed at the step before MFA challenge due to a policy denying the login.
Or will these messages always show at ANY login attempt made if these policies are being enforced at the time of the attempted login?
I'd like to clarify this in case it warrants further investigation against those user accounts for other services if they recycle passwords but don't hold MFA, meaning they may be compromised elsewhere.
Grateful for any further information.
Thanks!
Microsoft Security | Microsoft Entra | Microsoft Entra ID
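The triage the question is aiming at, as an added example that is not part of the original thread: it sorts failed sign-ins by the two failure reasons quoted above, treating a Conditional Access block as evidence that the password was accepted (per the reply) and leaving the logon-hours case for manual review, since the thread does not settle it. The records are constructed, the field names are assumed to follow the Microsoft Graph `signIn` export, and `classify` and `triage` are hypothetical helper names.

```python
# Failure reasons quoted in the question. Per the reply, Conditional Access is
# evaluated after authentication, so a CA block implies a correct password.
CA_BLOCK = "Access has been blocked due to conditional access policies."
LOGON_HOURS = ("The users attempted to log on outside of the allowed hours "
               "(this is specified in AD).")
BAD_PW = "Error validating credentials due to invalid username or password."

# Constructed sample of FAILED sign-ins (not real data). Field names are assumed
# to match the Graph signIn resource: userPrincipalName, ipAddress, status.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "status": {"failureReason": BAD_PW}},
    {"userPrincipalName": "Alice@example.com", "ipAddress": "198.51.100.7",
     "status": {"failureReason": CA_BLOCK}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
     "status": {"failureReason": BAD_PW}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10",
     "status": {"failureReason": LOGON_HOURS}},
]

RANK = {"other_failure": 0, "needs_review": 1, "password_accepted": 2}

def classify(reason):
    """Map one failure reason to what it says about the password."""
    reason = reason.strip()
    if reason == CA_BLOCK:
        return "password_accepted"   # credentials passed, policy then denied
    if reason == LOGON_HOURS:
        return "needs_review"        # not settled in the thread
    return "other_failure"           # e.g. wrong password

def triage(signins):
    """Per user: strongest verdict seen and the source IPs that produced it."""
    users = {}
    for rec in signins:
        reason = (rec.get("status") or {}).get("failureReason")
        if not reason:
            continue                 # record carries no failure reason
        verdict = classify(reason)
        upn = rec["userPrincipalName"].lower()
        entry = users.setdefault(upn, {"verdict": verdict, "ips": set()})
        if RANK[verdict] > RANK[entry["verdict"]]:
            entry["verdict"], entry["ips"] = verdict, set()
        if verdict == entry["verdict"]:
            entry["ips"].add(rec["ipAddress"])
    return {u: {"verdict": e["verdict"], "ips": sorted(e["ips"])}
            for u, e in users.items()}
```

Accounts returned as `password_accepted` are the ones to prioritise for a password reset and for checking services that share the password but lack MFA.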
Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
2024-12-12T08:15:18.2033333+00:00