How to Mitigate a Past Employee Continuously Trying to Log In From All Over the World

LM-5132 80 Reputation points
2024-08-02T16:37:03.8033333+00:00

I have noticed multiple interactive sign-in attempts from a former employee's account originating from various locations around the world. These attempts suggest that the email may have been compromised and is likely being used by a bot. Although the user account is currently disabled, it is still in our system as we may need the former employee to work for us in the future. The failed attempts occur one to three times a day. The attempts occur almost daily. We have MFA required by all users via the Authenticator App.

I am considering adding a "#" in front of the user's principal name, effectively changing the email address associated with the account to prevent unauthorized sign-in attempts. Do you think adding the "#" is a good way to mitigate this issue and get rid of the excess log data?

Additionally, when a user account is disabled, is the user's email also made inactive? I believe that it is.

I am looking for strategies to prevent these sign-in attempts while retaining the user's information in the system. Any suggestions would be greatly appreciated.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2024-08-02T23:33:58.26+00:00

    Hi @LM-5132

    Thanks for reaching out to Microsoft Q&A

    For Entra ID, a UPN change does not affect anything related to user sign-in. It might have some impact on applications that rely on the UPN, though; the link below has more information about UPN changes and warnings about them:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/howto-troubleshoot-upn-changes#saas-and-lob-apps-issues

    Unfortunately, there's no way to prevent a user from trying to sign in to an Entra ID integrated application with a valid, existing user account. If you suspect that the account is already compromised, perhaps you should consider deleting it and creating a new one, but renaming the account is a feasible workaround too.

    Thanks,

    Fabio
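
An added example (not part of the original answer and not Microsoft's code): one way to check the concern raised in the question, by confirming from exported sign-in records that every attempt against the disabled account was rejected as account-disabled and listing any that were not. It assumes records shaped like the Microsoft Graph `signIn` resource; the UPNs, IP addresses and records are constructed, and `triage` is a hypothetical helper name.

```python
import json
from collections import Counter

ACCOUNT_DISABLED = 50057  # AADSTS50057: the user account is disabled

# Constructed sample records (not real data), shaped like Graph signIn objects.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-07-01T14:02:00Z", "userPrincipalName": "Former.Employee@example.com",
  "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-07-30T02:11:09Z", "userPrincipalName": "former.employee@example.com",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50057}},
 {"createdDateTime": "2024-07-31T19:45:51Z", "userPrincipalName": "former.employee@example.com",
  "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "VN"}, "status": {"errorCode": 50057}},
 {"createdDateTime": "2024-08-01T06:20:33Z", "userPrincipalName": "former.employee@example.com",
  "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50057}},
 {"createdDateTime": "2024-08-01T23:58:12Z", "userPrincipalName": "former.employee@example.com",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50057}},
 {"createdDateTime": "2024-08-01T09:00:00Z", "userPrincipalName": "current.user@example.com",
  "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
]""")

def triage(signins, upn):
    """Return (attempts per country, records NOT rejected as account-disabled) for one UPN."""
    by_country = Counter()
    needs_review = []
    for rec in signins:
        # UPNs are compared case-insensitively; other accounts are skipped.
        if rec.get("userPrincipalName", "").lower() != upn.lower():
            continue
        country = (rec.get("location") or {}).get("countryOrRegion") or "unknown"
        by_country[country] += 1
        code = (rec.get("status") or {}).get("errorCode")
        # Anything other than 50057 (a success, a bad-password failure, a missing
        # status) was not stopped by the disabled flag and deserves a closer look.
        if code != ACCOUNT_DISABLED:
            needs_review.append(rec)
    return by_country, needs_review

if __name__ == "__main__":
    countries, review = triage(SAMPLE_SIGNINS, "former.employee@example.com")
    print("attempts by country:", dict(countries))
    for rec in review:
        print("review:", rec["createdDateTime"], rec["ipAddress"], rec["status"])
```
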


2 additional answers

  1. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2024-08-06T22:55:27.12+00:00

    Hi @LM-5132

    Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

    Thanks,

    Fabio


  2. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2024-08-08T23:33:54.87+00:00

    Hi @LM-5132

    Just checking in to see if the above answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

    Thanks,

    Fabio

