Interpreting Risky Sign-ins

Blake Hensley 1 Reputation point

We have a conditional access policy set up that requires MFA when the sign-in risk is medium or high. We have been getting emails that state "user at risk detected" and the detail is almost always a risky sign-in from some oddball location with the "status" and "conditional access" columns both reading "Failure" (see screenshot). Am I correct in interpreting this as meaning that the sign-in attempt did indeed use the correct password and was then blocked by the MFA step? I just want to make sure that I'm doing the right thing by having these users change their password.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,852 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. M HARISH AND ASSOCIATES 1 Reputation point

    MFA works by requiring additional verification information (factors). One of the most common MFA factors that users encounter are one-time passwords (OTP). OTPs are those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app. With OTPs a new code is generated periodically or each time an authentication request is submitted. The code is generated based upon a seed value that is assigned to the user when they first register and some other factor which could simply be a counter that is incremented or a time value.

    Three Main Types of MFA Authentication Methods

  2. Marilee Turscak-MSFT 34,786 Reputation points Microsoft Employee

    Hi @Blake Hensley ,

    I don't think there's enough info in the tab in your screenshot to say, but you can find out for sure by checking under Azure Active Directory > Sign-ins.

    Find the event for the sign-in to review and filter by correlation ID, Conditional access, Username, date. Then you can go to the sign-in details to out which conditions were not satisfied.



    If you still don't have enough info you can go to the Troubleshooting and Support tab and make a support request to find out more.


    Alteratively if you check under Azure Active Directory > Sign-ins you may also be able to see the reason for the failure by checking the Basic Info or Troubleshooting tabs.


    0 comments No comments