Prevent Unauthorized Access even with MFA in place

200kWJ 0 Reputation points
2024-05-29T14:57:18.9733333+00:00

Several weeks ago we had an unauthorized user gain access to a client account via the web. Changeover plans for MFA were advanced and users were set up with little fanfare using the Microsoft Authenticator app. The same user contacts me with an issue of not receiving email. Found unauthorized access from a country in Africa with MFA successful and a new rule created. Removed the rule and continued to investigate. While looking into ways of blocking access from outside the US, another unauthorized access is performed, this time from New York/New Jersey. The account is now locked down. Now what?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. William Nieto 535 Reputation points
    2024-05-29T15:08:41.8866667+00:00

    I'm sorry to hear about the unauthorized access to the client account. It's essential to take immediate action to secure the account further. Here are the steps you can follow:

    Immediate Actions

    Review Security Settings:
    - Ensure MFA is correctly configured for all users.
    - Verify the Microsoft Authenticator app is the only approved MFA method.
    - Implement conditional access policies to restrict access based on location or device compliance.

    Investigate Further:
    - Analyze logs for patterns or anomalies.
    - Look for signs of compromised credentials or unusual activity.

    Lock Down the Account:
    - Change the account password immediately.
    - Disable any suspicious rules or settings.
    - Monitor the account closely for additional unauthorized access.

    Communicate with the User:
    - Inform the affected user about the breach.
    - Advise them to update their password and review their account activity.

    Enhance Security Measures

    Implement IP-Based Restrictions:
    - Restrict access to specific regions (e.g., the US) through conditional access policies.

    Regular Security Reviews:
    - Regularly review and update security policies.
    - Schedule periodic security assessments and penetration tests.

    Involve IT Security Team:
    - Ensure your IT security team is involved in the investigation and remediation.
    - Consult cybersecurity professionals for advanced threat detection and response.
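The following PowerShell script is an added example and is not part of the question or of the answer above. It walks the answer's steps in the order an incident responder would actually run them for one compromised account: pull the sign-in history and mailbox audit trail, revoke every session and rotate the password, list inbox rules, forwarding and registered MFA methods so the attacker's persistence can be removed, and finally stage the country-based Conditional Access block in report-only mode. The cmdlets are from the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module; the UPN, the break-glass account IDs and the policy names are placeholders assumed for illustration, and the `-BodyParameter` hashtables follow the Graph REST schema, so check them against your SDK version before relying on them.

```powershell
<#
  Added example (not from the original thread). Contains one compromised Entra ID
  account and stages a country-based Conditional Access block. Assumed: the UPN,
  the break-glass object IDs, and an operator with roles covering the scopes below.
  Run it section by section and read the output; it is not a fire-and-forget script.
#>
param(
    [Parameter(Mandatory)] [string] $Upn,            # e.g. user@contoso.com (placeholder)
    [string[]] $AllowedCountries  = @('US'),        # ISO 3166-1 alpha-2 codes
    [string[]] $BreakGlassUserIds = @(),            # object IDs of emergency-access accounts
    [int]      $LookbackDays      = 30
)

$scopes = @('User.ReadWrite.All', 'AuditLog.Read.All',
            'UserAuthenticationMethod.Read.All', 'Policy.ReadWrite.ConditionalAccess')
Connect-MgGraph -Scopes $scopes -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, DisplayName

# 1. Sign-in history. A success with AuthenticationRequirement = multiFactorAuthentication
#    from a country you never operate in means MFA was satisfied: treat the session/token
#    as stolen (phishing proxy, token replay), not just the password.
$since   = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since"
$signIns |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -notin $AllowedCountries } |
    Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, @{ n = 'City'; e = { $_.Location.City } },
        AppDisplayName, ClientAppUsed, AuthenticationRequirement, ConditionalAccessStatus |
    Format-Table -AutoSize

# Mailbox rule changes in the unified audit log; match ClientIP against the sign-ins above.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) -UserIds $Upn `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox' -ResultSize 500 |
    Select-Object CreationDate, Operations, @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Format-Table -AutoSize

# 2. Contain: invalidate every refresh token and session, then rotate the password.
#    Hand the temporary password to the user out of band, never through the compromised mailbox.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$charset      = [char[]](48..57 + 65..90 + 97..122)
$tempPassword = -join (Get-Random -InputObject $charset -Count 24)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Mailbox persistence: inbox rules and forwarding are the usual cause of "not receiving email".
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-List
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
# After review, remove the attacker's rule(s) and any forwarding, e.g.:
#   Remove-InboxRule -Mailbox $Upn -Identity '<rule name>' -Confirm:$false
#   Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 4. MFA registrations: an attacker who got in once often registers their own Authenticator or phone.
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    $props = $_.AdditionalProperties
    [pscustomobject]@{
        Id      = $_.Id
        Type    = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Details = (@('displayName', 'phoneNumber', 'emailAddress') |
                   Where-Object { $props.ContainsKey($_) } |
                   ForEach-Object { "$_=$($props[$_])" }) -join ' '
    }
} | Format-Table -AutoSize
# Unrecognised entries are removed with the matching Remove-MgUserAuthentication*Method cmdlet, e.g.:
#   Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId <id>

# 5. Harden: a country named location plus a policy that blocks everything outside it.
#    Report-only first, so the sign-in logs show what would have been blocked before you enforce it.
$allowedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'IR: allowed countries'
    countriesAndRegions               = $AllowedCountries
    includeUnknownCountriesAndRegions = $false   # IPs with no country resolution are NOT treated as allowed
}
$blockPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'IR: block sign-in from outside allowed countries'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing results
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $BreakGlassUserIds }  # never lock out break-glass
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($allowedLocation.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created named location $($allowedLocation.Id) and report-only policy $($blockPolicy.Id)."
```

Two caveats a practitioner would want on top of the steps in the answer. First, the question itself shows the limit of geo-restriction: the second intrusion came from New York, which is what an attacker on a residential proxy or VPN looks like, so the country block reduces noise rather than closing the door. Second, because the first sign-in passed MFA, the session, not only the password, has to be assumed stolen; the `Revoke-MgUserSignInSession` call above is the step that actually ends it, and Conditional Access controls such as a short sign-in frequency, token protection where the client supports it, and a phishing-resistant authentication strength are the durable fixes for that class of attack.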

