Risky Sign-in

Handian Sudianto 3,316 Reputation points


On the Risky sign-ins I can see one user can be located in several countries in a few times.

Is the account already compromised? Also, what is the difference between 'Interrupted' and 'Failure' in the status?

What can we do to prevent this or to increase the security?


Accepted answer
  1. Andreas Baumgarten 77,641 Reputation points MVP

    Hi @Handian Sudianto ,

    My interpretation of failure and interrupted sign-ins is:

    "Failure" means for instance wrong username/password combination.

    "Interrupted" means the authentication process is stopped because of a Conditional Access rule. For instance, a sign-in from a country that is not allowed by a Conditional Access rule. The Conditional Access rule blocks/interrupts the authentication process.

    Based on your screenshot the rating if the account is already compromised depends on if you get successful and failed sign-ins with an existing username in consideration of location. In the case of failed sign-ins the username is "known" but maybe the password is unknown.

    If you get successful sign-ins by the same user from different locations within a short time that aren't realistic, I would assume the account is compromised or at least suspicious if e.g. there is no VPN connection between the 2 locations. For instance, successful sign-ins from the same user in San Francisco and New York within 5 minutes.

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)


    Andreas Baumgarten
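
The check described in the answer above, as an added example that is not part of the original reply and not Microsoft's risk-detection logic: it flags consecutive successful sign-ins by one user whose implied travel speed is unrealistic, and ignores failed attempts. The record layout, the sample data and the `MAX_KMH` / `MIN_KM` thresholds are assumptions; sign-ins through a known VPN exit would have to be excluded before treating a finding as a compromise.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900   # assumed threshold: about airliner cruising speed
MIN_KM = 50     # assumed floor: ignore IP-geolocation jitter within one metro area

# Constructed sample records, not real log data. "ok" marks a successful sign-in.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-05-01T10:00:00", "ok": True,
     "city": "San Francisco", "lat": 37.77, "lon": -122.42},
    {"user": "alice@example.com", "time": "2024-05-01T10:05:00", "ok": True,
     "city": "New York", "lat": 40.71, "lon": -74.01},
    # Failed attempt from abroad: the username is known, the password is not.
    {"user": "bob@example.com", "time": "2024-05-01T11:00:00", "ok": False,
     "city": "Berlin", "lat": 52.52, "lon": 13.40},
    {"user": "bob@example.com", "time": "2024-05-01T11:03:00", "ok": True,
     "city": "London", "lat": 51.51, "lon": -0.13},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = p2 - p1, radians(lon2 - lon1)
    h = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(sign_ins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Flag consecutive successful sign-ins per user whose implied speed is unrealistic."""
    by_user = {}
    for s in sign_ins:
        if s["ok"]:  # only successes show that the credentials worked
            by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda s: datetime.fromisoformat(s["time"]))
        for a, b in zip(events, events[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (datetime.fromisoformat(b["time"])
                     - datetime.fromisoformat(a["time"])).total_seconds() / 3600
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                findings.append((user, a["city"], b["city"], round(km), round(hours * 60)))
    return findings

if __name__ == "__main__":
    for finding in impossible_travel(SIGN_INS):
        print(finding)
```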
