Suspicious logins to Azure CLI with Python request User Agent

Bartsch, Christian 20 Reputation points
2023-01-18T10:53:55.94+00:00

Hi!

We regularly have this kind of login in our environment (large, mostly students), both successful and failed logins:


Details from Defender for Cloud:

  "ApplicationId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
  "ApplicationName": "Microsoft Azure CLI",
  "Call": "OAuth2:Token",
  "Client": "[x-client-sku, MSAL.Python];[x-client-ver, 1.20.0];[x-client-cpu, x86];[x-client-os, win32]",
  "CorrelationId": "XXX",
  "DeviceInfo": ";;Python Requests 2.26;",

…
}

Are there any legitimate use cases for a third party (not the user himself) to produce such logs?

I'm asking, because the source IP addresses are registered to Microsoft most of the time:

{
  "ip": "20.170.20.146",
  "city": "Frankfurt am Main",
  "region": "Hesse",
  "country": "DE",
  "loc": "50.1025,8.6299",
  "org": "AS8075 Microsoft Corporation",
  "postal": "60326",
  "timezone": "Europe/Berlin",
  "readme": "https://ipinfo.io/missingauth"
}

Thanks for your input! Christian
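As an added example (not from the thread, and not Microsoft's code), the following script triages sign-in records that show the combination described above: the Azure CLI application id, an MSAL.Python client header and a "Python Requests" device string. The record layout mirrors the Defender for Cloud excerpt; the UserPrincipalName, IPAddress, Result and Timestamp fields, the sample events and the cloud CIDR range are all constructed assumptions for the demo. In practice the range list would be loaded from Microsoft's published service-tag data rather than hard-coded.

```python
"""Triage sign-in events for the Azure CLI / MSAL.Python / Python Requests pattern.

Added example for this thread; records and ranges below are constructed.
"""
import ipaddress
from collections import defaultdict

# Application id of "Microsoft Azure CLI" as shown in the question's excerpt.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Placeholder: replace with ranges from Microsoft's published service tags.
# This CIDR is a constructed placeholder, not a verified Microsoft range.
ASSUMED_CLOUD_RANGES = [ipaddress.ip_network("20.170.0.0/16")]

MSAL_PY_CLIENT = ("[x-client-sku, MSAL.Python];[x-client-ver, 1.20.0];"
                  "[x-client-cpu, x86];[x-client-os, win32]")

# Constructed sample events (field names beyond the excerpt are assumed).
SAMPLE_EVENTS = [
    {"UserPrincipalName": "student1@example.edu", "Timestamp": "2023-01-18T08:01:00Z",
     "ApplicationId": AZURE_CLI_APP_ID, "ApplicationName": "Microsoft Azure CLI",
     "Call": "OAuth2:Token", "Client": MSAL_PY_CLIENT,
     "DeviceInfo": ";;Python Requests 2.26;", "IPAddress": "20.170.20.146",
     "Result": "Failure"},
    {"UserPrincipalName": "student1@example.edu", "Timestamp": "2023-01-18T08:02:30Z",
     "ApplicationId": AZURE_CLI_APP_ID, "ApplicationName": "Microsoft Azure CLI",
     "Call": "OAuth2:Token", "Client": MSAL_PY_CLIENT,
     "DeviceInfo": ";;Python Requests 2.26;", "IPAddress": "20.170.20.146",
     "Result": "Success"},
    # Ordinary browser sign-in with a placeholder app id: must not match.
    {"UserPrincipalName": "student2@example.edu", "Timestamp": "2023-01-18T08:05:00Z",
     "ApplicationId": "00000000-0000-0000-0000-000000000000",
     "ApplicationName": "placeholder-browser-app", "Call": "OAuth2:Token",
     "Client": "", "DeviceInfo": "Windows10;Chrome;", "IPAddress": "198.51.100.7",
     "Result": "Success"},
    # Azure CLI from a campus (non-cloud) address: matches the pattern, low priority.
    {"UserPrincipalName": "student3@example.edu", "Timestamp": "2023-01-18T08:10:00Z",
     "ApplicationId": AZURE_CLI_APP_ID, "ApplicationName": "Microsoft Azure CLI",
     "Call": "OAuth2:Token", "Client": MSAL_PY_CLIENT,
     "DeviceInfo": ";;Python Requests 2.26;", "IPAddress": "198.51.100.23",
     "Result": "Success"},
]


def parse_client(client: str) -> dict:
    """Turn '[k, v];[k, v];...' (the Client field format) into a dict."""
    fields = {}
    for part in client.split(";"):
        part = part.strip()
        if part.startswith("[") and part.endswith("]"):
            key, _, value = part[1:-1].partition(",")
            fields[key.strip()] = value.strip()
    return fields


def matches_pattern(event: dict) -> bool:
    """True when the event shows the Azure CLI + MSAL.Python + Python Requests combination."""
    client = parse_client(event.get("Client", ""))
    return (event.get("ApplicationId") == AZURE_CLI_APP_ID
            and client.get("x-client-sku", "").startswith("MSAL.Python")
            and "Python Requests" in event.get("DeviceInfo", ""))


def is_cloud_ip(ip: str, ranges=ASSUMED_CLOUD_RANGES) -> bool:
    """Membership check against the (here constructed) cloud-provider ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def triage(events, ranges=ASSUMED_CLOUD_RANGES) -> dict:
    """Summarise matching events per user and attach review reasons.

    Only a success matters for compromise; a success from a cloud-hosted IP or a
    success that follows earlier failures is flagged for review.
    """
    per_user = defaultdict(lambda: {"failures": 0, "successes": 0,
                                    "ips": set(), "reasons": set()})
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        if not matches_pattern(ev):
            continue
        s = per_user[ev["UserPrincipalName"]]
        s["ips"].add(ev["IPAddress"])
        if ev["Result"] == "Success":
            s["successes"] += 1
            if s["failures"]:
                s["reasons"].add("success after earlier failures")
            if is_cloud_ip(ev["IPAddress"], ranges):
                s["reasons"].add("success from cloud-hosted IP")
        else:
            s["failures"] += 1
    # Freeze sets so the result is plain data.
    return {upn: {"failures": s["failures"], "successes": s["successes"],
                  "ips": sorted(s["ips"]), "reasons": sorted(s["reasons"]),
                  "priority": "review" if s["reasons"] else "baseline"}
            for upn, s in per_user.items()}


if __name__ == "__main__":
    for upn, summary in triage(SAMPLE_EVENTS).items():
        print(upn, summary)
```

The point of the range check is the opposite of what the question hopes: an address owned by a cloud provider can be used by anyone who rents a VM there, so a successful token request from such an address is a reason to look closer, not a reason to dismiss the event. Failures on their own are noise (and consistent with password guessing against the public token endpoint); the summary therefore only escalates users with at least one success.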


2 answers

  1. Denis Mello 0 Reputation points Microsoft Employee
    2023-01-20T23:18:51.7966667+00:00

    Successful logins may be a signal of account being compromised. Be sure to activate MFA for those users, as well as change the passwords for the successful logins from suspicious IPs.


  2. Hoder Jensen 0 Reputation points
    2023-05-30T13:04:54.93+00:00

    Hi Christian,

    Did you ever find a good reason for this type of activity? We are seeing something similar, also on some of our students. At first I suspected it was compromised accounts, but now I'm not so sure, considering the amount we suddenly get. Plus the fact the IPs are indeed from Microsoft, and we are suddenly seeing failed logins on accounts where they have NOT changed their password.

    We do plan on activating MFA for our students, but it's still some months away.
