Interpreting Risky Sign-ins

Blake Hensley 1 Reputation point
2021-01-22T21:50:01.457+00:00

We have a conditional access policy set up that requires MFA when the sign-in risk is medium or high. We have been getting emails that state "user at risk detected" and the detail is almost always a risky sign-in from some oddball location with the "status" and "conditional access" columns both reading "Failure" (see screenshot). Am I correct in interpreting this as meaning that the sign-in attempt did indeed use the correct password and was then blocked by the MFA step? I just want to make sure that I'm doing the right thing by having these users change their password.

59721-sign-in-attempt.png

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,852 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. M HARISH AND ASSOCIATES 1 Reputation point
    2021-01-22T21:54:22.287+00:00

    MFA works by requiring additional verification information (factors). One of the most common MFA factors that users encounter are one-time passwords (OTP). OTPs are those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app. With OTPs a new code is generated periodically or each time an authentication request is submitted. The code is generated based upon a seed value that is assigned to the user when they first register and some other factor which could simply be a counter that is incremented or a time value.

    Three Main Types of MFA Authentication Methods


  2. Marilee Turscak-MSFT 34,786 Reputation points Microsoft Employee
    2021-01-22T22:40:02.943+00:00

    Hi @Blake Hensley ,

    I don't think there's enough info in the tab in your screenshot to say, but you can find out for sure by checking under Azure Active Directory > Sign-ins.

    Find the event for the sign-in to review and filter by correlation ID, Conditional access, Username, date. Then you can go to the sign-in details to out which conditions were not satisfied.

    59639-image.png

    59619-image.png

    If you still don't have enough info you can go to the Troubleshooting and Support tab and make a support request to find out more.

    59620-image.png

    Alteratively if you check under Azure Active Directory > Sign-ins you may also be able to see the reason for the failure by checking the Basic Info or Troubleshooting tabs.

    59699-image.png

    0 comments No comments