Interpreting Risky Sign-ins

Blake Hensley 1 Reputation point
2021-01-22T21:50:01.457+00:00

We have a conditional access policy set up that requires MFA when the sign-in risk is medium or high. We have been getting emails that state "user at risk detected" and the detail is almost always a risky sign-in from some oddball location with the "status" and "conditional access" columns both reading "Failure" (see screenshot). Am I correct in interpreting this as meaning that the sign-in attempt did indeed use the correct password and was then blocked by the MFA step? I just want to make sure that I'm doing the right thing by having these users change their password.

59721-sign-in-attempt.png

Microsoft Entra ID

2 answers

  1. M HARISH AND ASSOCIATES 1 Reputation point
    2021-01-22T21:54:22.287+00:00

    MFA works by requiring additional verification information (factors). One of the most common MFA factors that users encounter is one-time passwords (OTP). OTPs are those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app. With OTPs, a new code is generated periodically or each time an authentication request is submitted. The code is generated based upon a seed value that is assigned to the user when they first register and some other factor, which could simply be a counter that is incremented or a time value.

    Three Main Types of MFA Authentication Methods


  2. Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee
    2021-01-22T22:40:02.943+00:00

    Hi @Blake Hensley ,

    I don't think there's enough info in the tab in your screenshot to say, but you can find out for sure by checking under Azure Active Directory > Sign-ins.

    Find the event for the sign-in to review and filter by correlation ID, Conditional access, Username, date. Then you can go to the sign-in details to find out which conditions were not satisfied.

    59639-image.png

    59619-image.png

    If you still don't have enough info you can go to the Troubleshooting and Support tab and make a support request to find out more.

    59620-image.png

    Alternatively, if you check under Azure Active Directory > Sign-ins you may also be able to see the reason for the failure by checking the Basic Info or Troubleshooting tabs.

    59699-image.png

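
The check described in the second answer, as an added example that is not part of the thread and is not Microsoft's code: it reads exported sign-in records and reports whether the password was accepted before the failure, plus which Conditional Access policies were not satisfied. Assumptions: field names follow the Microsoft Graph `signIn` resource, the error-code mapping is this example's reading of the published AADSTS codes, Conditional Access is taken to run only after the first factor succeeds, and the sample records are constructed.

```python
# Added example: sign-in triage over constructed records. Field names follow
# the Microsoft Graph signIn resource; the code-to-meaning map is an assumption.

# AADSTS codes that are logged only after the password was accepted.
PASSWORD_ACCEPTED = {
    50074: "MFA required, challenge not completed",
    50076: "MFA required, challenge not completed",
    500121: "MFA challenge failed or was denied",
    53003: "blocked by Conditional Access",
}
PASSWORD_REJECTED = {50126: "invalid username or password"}


def triage(rec):
    """Return (verdict, failed_policies) for one sign-in record."""
    code = rec["status"]["errorCode"]
    # Policies whose grant controls (for example MFA) were not satisfied.
    failed = [
        (p["displayName"], p.get("enforcedGrantControls", []))
        for p in rec.get("appliedConditionalAccessPolicies", [])
        if p.get("result") == "failure"
    ]
    if code == 0:
        return "success", failed
    if code in PASSWORD_REJECTED:
        return "password-rejected", failed
    # Conditional Access runs after the first factor, so a CA failure also
    # implies the password was accepted (assumption stated in the lead-in).
    if code in PASSWORD_ACCEPTED or rec.get("conditionalAccessStatus") == "failure":
        return "password-accepted", failed
    return "unknown", failed  # read failureReason in the sign-in details


# Constructed sample records (not real log data).
SAMPLE = [
    {"userPrincipalName": "a@example.com", "correlationId": "constructed-1",
     "status": {"errorCode": 500121}, "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA on medium/high risk",
          "enforcedGrantControls": ["Mfa"], "result": "failure"}]},
    {"userPrincipalName": "b@example.com", "correlationId": "constructed-2",
     "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "c@example.com", "correlationId": "constructed-3",
     "status": {"errorCode": 50053}, "conditionalAccessStatus": "notApplied"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["userPrincipalName"], *triage(rec))
```

A `password-accepted` verdict is the case where a password change is warranted; `unknown` means the record's failure reason has to be read in the sign-in details before deciding.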