Azure: Sign-in was blocked due to real-time detection rule(s): TI_RT_0015

PARR Shaun 5 Reputation points
2023-07-12T16:21:57.0566667+00:00

Hi,

We have recently reset the passwords and advised Microsoft of some compromised accounts which were flagged to us in the 'Risky Users' section of Microsoft Azure. Subsequently, some of these users have then had further malicious login attempts which have failed, even if the password was entered correctly, and the given reason under the 'Authentication Details ---> Result Detail' section is "Sign-in was blocked due to real-time detection rule(s): TI_RT_0015".

What does this rule mean and when it is activated? Is it connected to the fact that we have flagged the user account as being compromised in the Risky User section?

Many thanks.

Shaun

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

  1. Shweta Mathur 25,306 Reputation points Microsoft Employee
    2023-07-13T06:12:23.68+00:00

    Hi @PARR Shaun ,

    Thanks for reaching out.

    The TI_RT_0015 detection targets a password spray attack identified by Microsoft's threat intelligence and blocks sign-ins attributed to that attack.

    There might be a reason, as the user account is flagged as being compromised in the Risky User section: Microsoft's threat intelligence detected this as the risk. This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous sign-ins, and triggers risk detection when a sign-in occurs with properties that are unfamiliar to the user.

    I am checking on this with the product team to confirm further.

    Thanks,

    Shweta

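As an added example (not part of the question or the answer above, and not Microsoft's own tooling), the following Python script shows how a defender can triage exported sign-in records for this situation: it pulls out sign-ins whose Result Detail names TI_RT_0015, cross-references the affected accounts with the Risky users list, and applies a simple one-IP-many-accounts heuristic for the password-spray shape the answer describes. The records and the risky-user mapping are constructed; the field names follow the Log Analytics SigninLogs table, and which field carries the Result Detail text, the numeric result codes on the blocked rows, and the risk-state strings are all assumptions to be adjusted for a real export.

```python
"""Triage of Entra ID sign-in records blocked by real-time rule TI_RT_0015.

Added example with constructed data; the record shape, result codes and
risk states are assumptions, not the exact output of any Microsoft export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RULE_TEXT = "Sign-in was blocked due to real-time detection rule(s): TI_RT_0015"

# Constructed sample records. Field names follow the SigninLogs table; the
# Result Detail text is assumed to land in ResultDescription here. The numeric
# ResultType on blocked rows is a placeholder, the logic keys only on the text.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2023-07-12T10:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "50053", "ResultDescription": RULE_TEXT},
    {"TimeGenerated": "2023-07-12T10:01:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "50053", "ResultDescription": RULE_TEXT},
    {"TimeGenerated": "2023-07-12T10:02:00Z", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "50126",
     "ResultDescription": "Invalid username or password"},
    {"TimeGenerated": "2023-07-12T10:03:00Z", "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "50053", "ResultDescription": RULE_TEXT},
    {"TimeGenerated": "2023-07-12T10:05:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "50053", "ResultDescription": RULE_TEXT},
    # Legitimate sign-in after the password reset, from a different network.
    {"TimeGenerated": "2023-07-12T12:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.7", "ResultType": "0", "ResultDescription": ""},
]

# Constructed: UPN -> risk state as shown in the Risky users blade.
RISKY_USERS = {
    "alice@contoso.example": "remediated",
    "bob@contoso.example": "remediated",
    "dave@contoso.example": "atRisk",
}


def blocked_by_rule(records, rule_id="TI_RT_0015"):
    """Records whose result detail names the given real-time detection rule."""
    return [r for r in records if rule_id in r.get("ResultDescription", "")]


def summarize_by_user(records, risky_users, rule_id="TI_RT_0015"):
    """Per targeted user: number of sign-ins the rule blocked, the source IPs,
    and the user's current risk state (None if not in the Risky users list)."""
    summary = {}
    for r in blocked_by_rule(records, rule_id):
        upn = r["UserPrincipalName"]
        entry = summary.setdefault(
            upn, {"blocked": 0, "source_ips": set(), "risk_state": risky_users.get(upn)})
        entry["blocked"] += 1
        entry["source_ips"].add(r["IPAddress"])
    for entry in summary.values():
        entry["source_ips"] = sorted(entry["source_ips"])
    return summary


def _ts(record):
    return datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))


def spray_sources(records, min_users=3, window=timedelta(minutes=30)):
    """IPs with failed sign-ins against at least min_users distinct accounts
    inside one window: the one-password-many-accounts shape of a password
    spray. A local heuristic for triage, not the detection rule's own logic."""
    failures = defaultdict(list)
    for r in records:
        if r["ResultType"] != "0":
            failures[r["IPAddress"]].append((_ts(r), r["UserPrincipalName"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for upn, info in summarize_by_user(SAMPLE_SIGNINS, RISKY_USERS).items():
        print(upn, info)
    print("spray sources:", spray_sources(SAMPLE_SIGNINS))
```

Read together, the two views answer the question the original poster is asking: a user whose risk state is already "remediated" but who still accumulates blocked attempts from a spray source is being targeted after the reset, and the block is the control working rather than a sign that the new password leaked. Users in the spray set who are not yet in the Risky users list are the ones to review next.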