High amount of failed/interrupted logins for single user

Kristian Sanchez 0 Reputation points
2023-03-20T21:15:27.6533333+00:00

Hi all:

This tenant is all Microsoft 365 E5.

Azure AD logs are showing consistent failed/interrupted logins for one particular user - to the tune of about 2000 per week. All of them appear to come from Edge from the user's Win10 PC - these are all things like Windows Search, Bing, Edge, etc.

We've had the user sign out and back in, as well as deleted all of the possibly expired refresh tokens in their "Manage Network Passwords" control panel, but their sign-in logs are flooded with interrupted logins.

This user is the only one who is experiencing this type of issue. How do we identify what is causing this issue so that our SIEM isn't flooded with these login attempts?

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 33,056 Reputation points Microsoft Employee
    2023-03-22T23:16:09.32+00:00

    Hi @Kristian Sanchez ,

    If you check the sign-in logs under Azure Active Directory > Sign-ins log, you can check for the Failure Reason or interrupt reason in the Basic Info section.


    If it seems like this does not match the user's behavior and you suspect there might be login attempts from attackers, you can apply conditional access policies to block certain geographic locations where you do not have staff. You can also apply sign-in risk policies to block users who are detected as having high or medium risk associated.

    Another possibility is that you have legacy protocols enabled (SMTP, POP), in which case the best practice is to disable them.

    If you are using MS Authenticator, an extra protection would be to enable the context feature with number matching, which shows where the request is coming from and prompts the user to match the two-digit code on the screen.


    Let me know if this helps. If it's only one user it seems like it could be an attack attempt.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
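A way to do the triage the answer describes offline, added here as an example and not part of the thread: group an exported sign-in log by error code, app and source IP for the one user, then separate a client token loop (interrupt codes from a single device) from something that needs a security review (credential failures or several source locations). The records are constructed; the error codes are the standard Entra ID sign-in error codes, and the field names are a simplified assumption rather than the exact export schema.

```python
"""Triage failed/interrupted sign-ins for one user from exported Entra ID sign-in log records."""
from collections import Counter

# Interrupt codes seen when a client needs a fresh token or an extra step (silent sign-in
# failed, strong auth required, keep-me-signed-in prompt) versus a wrong-credential code.
INTERRUPT_CODES = {50058, 50074, 50076, 50140}
CREDENTIAL_FAILURE_CODES = {50126}

# Constructed sample records shaped like a simplified sign-in log export; not real tenant data.
SAMPLE_SIGNINS = [
    {"upn": "user1@contoso.example", "app": "Windows Search", "browser": "Edge 111.0.0",
     "ip": "203.0.113.10", "city": "Seattle", "errorCode": 50058, "failureReason": "Silent sign-in failed"},
    {"upn": "user1@contoso.example", "app": "Bing", "browser": "Edge 111.0.0",
     "ip": "203.0.113.10", "city": "Seattle", "errorCode": 50058, "failureReason": "Silent sign-in failed"},
    {"upn": "user1@contoso.example", "app": "Microsoft Edge", "browser": "Edge 111.0.0",
     "ip": "203.0.113.10", "city": "Seattle", "errorCode": 50140, "failureReason": "Keep me signed in interrupt"},
    {"upn": "user1@contoso.example", "app": "Office 365 Exchange Online", "browser": "Edge 111.0.0",
     "ip": "203.0.113.10", "city": "Seattle", "errorCode": 0, "failureReason": "Other"},
    {"upn": "user2@contoso.example", "app": "Bing", "browser": "Chrome 111.0.0",
     "ip": "198.51.100.7", "city": "Portland", "errorCode": 50126, "failureReason": "Invalid username or password"},
]

def summarize_signins(records, upn):
    """Return counts of non-success sign-ins for `upn`, grouped by error, app and source IP."""
    noisy = [r for r in records if r["upn"].lower() == upn.lower() and r["errorCode"] != 0]
    return {
        "total": len(noisy),
        "by_error": Counter((r["errorCode"], r["failureReason"]) for r in noisy),
        "by_app": Counter(r["app"] for r in noisy),
        "by_ip": Counter(r["ip"] for r in noisy),
        "cities": sorted({r["city"] for r in noisy}),
    }

def classify(summary):
    """Heuristic triage: credential failures or several source IPs warrant a security review;
    only interrupt codes from a single IP point at a client/token loop on the user's device."""
    codes = {code for code, _ in summary["by_error"]}
    if codes & CREDENTIAL_FAILURE_CODES or len(summary["by_ip"]) > 1:
        return "review: credential failures or multiple sources"
    if codes and codes <= INTERRUPT_CODES:
        return "likely client token loop from a single device"
    return "unclassified"

if __name__ == "__main__":
    s = summarize_signins(SAMPLE_SIGNINS, "user1@contoso.example")
    print(s["total"], s["by_app"].most_common(3), classify(s))
```

The same grouping can be run in the SIEM instead so the noisy app/client pair is suppressed by a tuned rule rather than by discarding the user's sign-in events outright.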