Successful logins may be a signal of an account being compromised. Be sure to activate MFA for those users, as well as change the passwords for the successful logins from suspicious IPs.
Suspicious logins to Azure CLI with Python request User Agent
Hi!
We regularly have this kind of login in our environment (large, mostly students). Both successful and failed logins:
Details from Defender for Cloud:
"ApplicationId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ApplicationName": "Microsoft Azure CLI",
"Call": "OAuth2:Token",
"Client": "[x-client-sku, MSAL.Python];[x-client-ver, 1.20.0];[x-client-cpu, x86];[x-client-os, win32]",
"CorrelationId": "XXX",
"DeviceInfo": ";;Python Requests 2.26;",
…
}
Are there any legitimate use cases for a third party (not the user himself) to produce such logs?
I'm asking because the source IP addresses are registered to Microsoft most of the time:
{
"ip": "20.170.20.146",
"city": "Frankfurt am Main",
"region": "Hesse",
"country": "DE",
"loc": "50.1025,8.6299",
"org": "AS8075 Microsoft Corporation",
"postal": "60326",
"timezone": "Europe/Berlin",
"readme": "https://ipinfo.io/missingauth"
}
Thanks for your input!
Christian
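As an added example (not code from the post, from Microsoft or from ipinfo.io), a small triage routine over sign-in records that carry the signature quoted above: the Azure CLI ApplicationId, an x-client-sku of MSAL.Python and a "Python Requests" DeviceInfo. It assumes the record field names UserPrincipalName, IPAddress and ResultType, and the sample records are constructed.

```python
"""Added example, not code from the post: triage sign-in records that carry the
Azure CLI + MSAL.Python + "Python Requests" signature quoted in the question.
Field names UserPrincipalName, IPAddress, ResultType are assumed; records are constructed."""
import ipaddress
import re
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # ApplicationId from the post
# Parses "[x-client-sku, MSAL.Python];[x-client-ver, 1.20.0];..." into a dict.
CLIENT_FIELD = re.compile(r"\[([^,\]]+),\s*([^\]]*)\]")

def parse_client(client):
    return {k.strip(): v.strip() for k, v in CLIENT_FIELD.findall(client or "")}

def is_scripted_cli_login(rec):
    """Azure CLI app id + MSAL.Python SDK + Python Requests device info, as in the post."""
    sku = parse_client(rec.get("Client", "")).get("x-client-sku")
    return (rec.get("ApplicationId") == AZURE_CLI_APP_ID and sku == "MSAL.Python"
            and "Python Requests" in rec.get("DeviceInfo", ""))

def triage(records, known_networks):
    """Per user: count scripted CLI successes/failures, list source IPs outside the
    org's own CIDR ranges (known_networks) and suggest a defender action."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    per_user = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for rec in records:
        if not is_scripted_cli_login(rec):
            continue
        e = per_user[rec["UserPrincipalName"]]
        e["success" if rec["ResultType"] == 0 else "failure"] += 1  # 0 = success, else error code
        e["ips"].add(rec["IPAddress"])
    findings = {}
    for upn, e in per_user.items():
        ext = sorted(ip for ip in e["ips"] if not any(ipaddress.ip_address(ip) in n for n in nets))
        if e["success"] and ext:
            action = "reset password, revoke refresh tokens, enforce MFA"
        elif e["failure"] and ext:
            action = "review: failed scripted logins from outside known ranges"
        else:
            action = "likely own automation from known ranges"
        findings[upn] = {"success": e["success"], "failure": e["failure"], "external_ips": ext, "action": action}
    return findings

# Constructed sample records mirroring the excerpt in the question (20.170.20.146 is the IP quoted there).
CLI_CLIENT = "[x-client-sku, MSAL.Python];[x-client-ver, 1.20.0];[x-client-cpu, x86];[x-client-os, win32]"
def rec(upn, ip, result, app=AZURE_CLI_APP_ID, client=CLI_CLIENT, dev=";;Python Requests 2.26;"):
    return {"UserPrincipalName": upn, "ApplicationId": app, "Client": client, "DeviceInfo": dev, "IPAddress": ip, "ResultType": result}
SAMPLE = [rec("stud1@example.edu", "20.170.20.146", 0), rec("stud2@example.edu", "20.170.20.146", 50126),
          rec("ops@example.edu", "10.20.30.40", 0), rec("stud1@example.edu", "203.0.113.9", 0, app="browser", client="", dev="Windows 10")]
```

Running `triage(SAMPLE, ["10.0.0.0/8"])` flags stud1 for a password reset and stud2 for review, while the ops account's sign-in from the org's own range is treated as likely automation.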
2 answers
Denis Mello, 0 Reputation points, Microsoft Employee
2023-01-20T23:18:51.7966667+00:00
Hoder Jensen, 0 Reputation points
2023-05-30T13:04:54.93+00:00
Hi Christian,
Did you ever find a good reason for this type of activity? We are seeing similar, also on some of our students. At first I suspected it was compromised accounts, but now I'm not so sure, considering the amount we suddenly get. Plus the fact that the IPs are indeed from Microsoft, and we are suddenly seeing failed logins on accounts where they have NOT changed their password.
We do plan on activating MFA for our students, but it's still some months away.