This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 23%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Hi!
We regulary have this kind of logins in our environment (Large, mostly Students). Both, successful and failed logins:
Details from Defender for Cloud:
"ApplicationId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ApplicationName": "Microsoft Azure CLI",
"Call": "OAuth2:Token",
"Client": "[x-client-sku, MSAL.Python];[x-client-ver, 1.20.0];[x-client-cpu, x86];[x-client-os, win32]",
"CorrelationId": "XXX",
"DeviceInfo": ";;Python Requests 2.26;",
…
}
Are there any legitimate use cases for a third party (not the user himself) to produce such logs?
I'm asking, because the source IP addresses are registered to Microsoft most of the time:
{
"ip": "20.170.20.146",
"city": "Frankfurt am Main",
"region": "Hesse",
"country": "DE",
"loc": "50.1025,8.6299",
"org": "AS8075 Microsoft Corporation",
"postal": "60326",
"timezone": "Europe/Berlin",
"readme": "https://ipinfo.io/missingauth"
}
Thanks for your input! Christian
A cloud-based identity and access management service for securing user authentication and resource access
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
I've seen some issues in the past where Microsoft servers were triggering suspicious activity messages, but I'm not certain if this is the same issue. [https://answers.microsoft.com/en-us/outlook_com/forum/all/suspicious-activity-on-microsoft-account/4ae72996-07e1-4797-a62e-b69672de2eb3
I have reached out to the product team to check whether this is expected.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 5%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHK%3C/text%3E%3C/svg%3E)
Nowadays we see this user agent with new version. It is seen that is regarding ARM. I think the account tries to authenticate itself and uses this user agent. Because we see same user agent on different customers.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 67%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHJ%3C/text%3E%3C/svg%3E)
Hi Christian,
Did you ever find a good reason for this type of activity? We are seeing similar, also on some of our students. At first I suspected it was compromised accounts, but now I'm not so sure, considering the amount we suddenly get. Plus the fact IP's are indeed from Microsoft, also we are suddenly seeing failure logins on accounts, where they have NOT changed their password.
We do plan on activating MFA for our students, but it's still some months away.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 56.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Successful logins may be a signal of account being compromised. Be sure to activate MFA for those users, as well as change the passwords for the successful logins from suspicious IPs.