Hello @EntraID Staff Support,
Thank you for posting your query on Microsoft Q&A.
Here are the answers to your questions based on your scenario:
1. Conditional Access Tab: Why does the Conditional Access tab in the Sign-In logs show "Not Applicable" for events with the failure reason "Sign-in was blocked because it came from an IP address with malicious activity"?
Answer: The sign-in failed due to multiple incorrect password attempts from a malicious IP address. This means that the first factor of authentication itself was unsuccessful. Conditional access policies only apply after the first factor of authentication is successfully completed.
2. Disabled Accounts: How can a password be successfully entered via Authenticated SMTP for disabled Entra accounts used for M365 Shared Mailboxes in Exchange Online?
Answer: The sign-in logs show single-factor authentication with a failure status, confirming that the first factor of authentication was not successful.
3. Authentication Details: Why do logs in the Authentication Details tab show "Incorrect password" for these events?
Answer: The logs indicate that the user entered an incorrect password when attempting to access Office 365 Exchange Online via the Authenticated SMTP protocol.
4. Conditional Access Policies Visibility: If these events are related to Conditional Access Policies, why are they not visible to Global Administrators in the Conditional Access Policies section like other Microsoft Managed policies?
Answer: These events are not related to conditional access policies because the sign-in did not complete the first factor of authentication.
Based on your scenario, it appears that there were multiple incorrect password attempts from an IP address. The error code AADSTS50053 can occur for two reasons:
- IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password. The user is blocked due to repeated sign-in attempts. See Remediate risks and unblock users.
- Or, sign-in was blocked because it came from an IP address with malicious activity.
The screenshot you provided shows that the failure reason is "sign-in was blocked because it came from an IP address with malicious activity," indicating that the account was locked due to multiple incorrect password attempts from a malicious IP address. For more details, please refer to the document on Protect user accounts from attacks with Microsoft Entra smart lockout
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Thanks,
Raja Pothuraju.