Multiple Single-factor authentication failures from what seems to be a compromised users

Daoust, Eric 6 Reputation points
2022-11-29T16:54:45.093+00:00

I have noticed in the past month about 900 failed sign-ins from what I guess are compromised usernames. They are all reported as failed: Password in the cloud, password incorrect.

So I guess these are all brute-force attempts; they are recorded as coming from all over the world. We use ADFS in our tenant and have no write-back or password sync/hash in the cloud. All these attempts are single-factor and obviously fraudulent.

They are not recorded in risky sign-ins or risky users; I just happened to be looking at the sign-in logs when I saw them.

Is that normal behavior, that they are not logged or reported on?

Thanks

Eric
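Added example, not code from the question or from either answer: a small Python triage script that runs over constructed sign-in records (field names modelled on the Microsoft Graph signIn resource; 50126 is Entra's invalid-credentials error code) and surfaces the pattern described above, many single-factor "password incorrect" failures against one account from several countries, while leaving a single mistyped password alone.

```python
"""Triage exported Entra ID sign-in records for password-spray style
activity: single-factor failures with an invalid password, spread across
several source countries / IPs, that the risk reports may not flag."""
from collections import Counter, defaultdict

INVALID_PASSWORD = 50126  # Entra sign-in error code: invalid username or password
SINGLE_FACTOR = "singleFactorAuthentication"


def _rec(upn, ip, country, code, requirement):
    """Build one record in the shape of a Graph signIn entry (assumed subset)."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": code},
            "authenticationRequirement": requirement}


# Constructed sample log: alice is being sprayed from four countries,
# bob simply mistyped his password once from the office.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "203.0.113.5", "BR", INVALID_PASSWORD, SINGLE_FACTOR),
    _rec("alice@example.com", "198.51.100.7", "NG", INVALID_PASSWORD, SINGLE_FACTOR),
    _rec("alice@example.com", "192.0.2.9", "RU", INVALID_PASSWORD, SINGLE_FACTOR),
    _rec("alice@example.com", "192.0.2.10", "CN", INVALID_PASSWORD, SINGLE_FACTOR),
    _rec("alice@example.com", "10.0.0.4", "CA", 0, "multiFactorAuthentication"),
    _rec("bob@example.com", "10.0.0.4", "CA", INVALID_PASSWORD, SINGLE_FACTOR),
]


def triage(signins, min_failures=3, min_countries=2):
    """Return {upn: summary} for accounts whose single-factor invalid-password
    failures exceed the thresholds and originate from several countries."""
    failures = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] != INVALID_PASSWORD:
            continue
        if s["authenticationRequirement"] != SINGLE_FACTOR:
            continue
        failures[s["userPrincipalName"]].append(s)
    findings = {}
    for upn, events in failures.items():
        countries = Counter(e["location"]["countryOrRegion"] for e in events)
        if len(events) >= min_failures and len(countries) >= min_countries:
            findings[upn] = {"failures": len(events),
                             "countries": dict(countries),
                             "source_ips": len({e["ipAddress"] for e in events})}
    return findings


if __name__ == "__main__":
    for upn, summary in triage(SAMPLE_SIGNINS).items():
        print(f"{upn}: {summary}")
```

Feed it the JSON export of the sign-in log (or the Graph `signIns` response) instead of the constructed list to get the same summary for a real tenant; the thresholds are starting points, not tuned values.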


2 answers

  1. Givary-MSFT 30,676 Reputation points Microsoft Employee
    2022-12-01T05:39:31.833+00:00

    @Daoust, Eric Thank you for reaching out to us. As I see, you are trying to investigate failed sign-in attempts for the users in the federated environment (ADFS).

    Just wanted to check if you have got a chance to review this article which talks about securing AD FS against password attacks - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-password-protection#:~:text=of%20their%20account.-,Securing%20AD%20FS%20against%20password%20attacks,-But%20by%20taking

    Let me know if you have any further questions.


  2. David Broggy 5,701 Reputation points MVP
    2024-01-30T23:01:24.2966667+00:00

    Hi @Givary-MSFT, that article was for ADFS; what about for Azure Entra? E.g. if you're looking at Azure Entra > Security > Authentication Methods: Monitoring > Activity > Usage, and you click on the graph sections for 'single sign-in events', you will see all activity for single sign-in activity. Likely most of these events will show a flood of sign-in failures. If so, is your recommendation to enable the MFA Identity Protection Policy in blocking mode, or something else?

    Thanks very much.
