Azure Sign-in logs - Should I be concerned?

Question

We are in Australia. We have conditional access rules, including block all countries that are not Australia. We are currently getting hit hard from Uzbekistan.

It is comforting to see all access to 365 resources have failed. But one thing worries me - Why (and how) is the Windows Sign-in marked as Success. What does this mean in terms of access. Has our security been breached???

Answer 1

Hello @Mike Fairley

Thank you for reaching out. There is nothing to worry about. I would like to confirm that this might be due to an recent incident which was reported on Azure AD where incorrect geo-location tags were reflecting for some IP's in Asia-Pacific Region. The issue is already resolved and Root cause of the issue would be published by 2023-03-30. For more details you can refer following incident reports:

• Office Admin Center: https://admin.microsoft.com/Adminportal/Home#/servicehealth/history/:/alerts/MO531859
• Azure AD Portal: https://app.azure.com/h/WN_2-VP8/044bf2

I hope this answer helps to resolve your issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well

Answer 2

Hello,

It seems very possible that this is because of the recent issue with Azure Geolocation missplacement, but since only single-factor authentication appears as Success, I would recommend to:

Cautelar AAD Lockout of the problematic Account(s) if the access is suspicious.

Implement MFA (With Windows Hello, for instance) to ensure the security of access to Azure:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

--If the reply is helpful, please Upvote and Accept as answer--