"suspicious" sign-ins to ACOM Azure Website

Question

"suspicious" sign-ins to ACOM Azure Website

ChrisPo 布錦聲 161

These "suspicious" sign-ins to ACOM Azure Website were being generated by our users from different countries. However, I didn't find such an application from Enterprise Application. Thus, How to prevent such suspicious sign-in?

Dillon Silzer 57,831 Reputation points Volunteer Moderator

2023-06-12T03:58:56.0766667+00:00

What does it say in those specific user's sign-in logs in Azure Active Directory? It should have some more details in those logs to which application it was trying to sign in through.
ChrisPo 布錦聲 161 Reputation points

2023-06-12T05:55:33.25+00:00

This appeared in Azure AD Sign-in logs with Activity Details: Sign-ins which included Application Id, Resource, Resource ID, Resource tenant ID, and home tenant ID. However, the user never raises such a request. Thus, I would like to stop/prevent such application sign-in. Thanks
ChrisPo 布錦聲 161 Reputation points

2023-06-12T05:58:39.1266667+00:00

This appeared in Azure AD Sign-in logs with Activity Details: Sign-ins which included Application Id, Resource, Resource ID, Resource tenant ID, and home tenant ID. However, the user never raises such a request. Thus, I would like to stop/prevent such application sign-in.

1 answer

Your answer

Dillon Silzer 57,831 Reputation points Volunteer Moderator

2023-06-12T03:58:56.0766667+00:00

What does it say in those specific user's sign-in logs in Azure Active Directory? It should have some more details in those logs to which application it was trying to sign in through.
ChrisPo 布錦聲 161 Reputation points

2023-06-12T05:55:33.25+00:00

This appeared in Azure AD Sign-in logs with Activity Details: Sign-ins which included Application Id, Resource, Resource ID, Resource tenant ID, and home tenant ID. However, the user never raises such a request. Thus, I would like to stop/prevent such application sign-in. Thanks
ChrisPo 布錦聲 161 Reputation points

2023-06-12T05:58:39.1266667+00:00

This appeared in Azure AD Sign-in logs with Activity Details: Sign-ins which included Application Id, Resource, Resource ID, Resource tenant ID, and home tenant ID. However, the user never raises such a request. Thus, I would like to stop/prevent such application sign-in.

Answer 1

Givary-MSFT 35,626 Microsoft Employee Moderator

@ChrisPo 布錦聲 Thank you for reaching out to us, ACOM application is a first party Microsoft application. Would request you to refer to this article - https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in on how to verify a first-party Microsoft service principal in your Azure AD tenant.

Once you review the sign in logs and find it suspicious, would recommend resetting the user password/set up conditional access policies which apps needs to be accessed based on the ip location/device/application/real time and calculated risk detection - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Let me know if you have any further questions, feel free to post back.

ChrisPo 布錦聲 161 Reputation points

2023-06-12T09:07:31.8366667+00:00

Thanks for your advice. The conditional access service to block regular users' access to Microsoft Azure Management has already been established a couple of months before. Is that enough to restrict the suspicious access, However, the suspicious access still appeared from Azure signs-in logs. Anyway, Thanks again.

Share via

"suspicious" sign-ins to ACOM Azure Website

1 answer

Your answer