blocked signed in due to IP. What about password?

Shimshey Rosenberg 21 Reputation points
2019-12-09T15:17:47.793+00:00

When seeing a blocked sign in that says "Failure reason
Sign-in was blocked because it came from an IP address with malicious activity."
Does this mean that they used the correct password and were blocked after entering the password? Or that they were blocked before having a chance to enter the password?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,819 questions
0 comments No comments
{count} votes

9 answers

Sort by: Most helpful
  1. Shimshey Rosenberg 21 Reputation points
    2019-12-17T16:30:05.267+00:00

    Lot's of back and forth with Microsoft Support, reviewing logs and more.
    Apparently, @AmanpreetSingh-MSFT and @KAREDD-MSFT were answering according to some outdated documentation in the best case.

    My current understanding on this subject is that this error message does not mean that anyone used the correct password.
    These are most likely brute-force attempts. They would run some legacy authentication methods where they send the username and password at once.
    Microsoft evaluates all sign ins coming in to any Microsoft directory. When an IP has X amount of failed usernames and/or passwords, Microsoft would than flag the IP as malicious and then block the sign-ins no matter if the password matches or not. Error 50053 has two definitions.

    • Sign-in was blocked because it came from an IP address with malicious activity.
    • Account is locked because user tried to sign in too many times with an incorrect user ID or password.

    The second one is actually the definition currently publicized in the official documentation, but both of the above reasons use the same ID.

    You won't always see an error prior to seeing that "Sign-in was blocked because it came from an IP address with malicious activity." and this is due because that IP address was flagged prior to trying your tenant/account.

    These of course is solely my opinion and it is unfortunate to see "Microsoft Employees" (according to their profile here) are answering questions with incorrect information.

    Additionally, I am completely disappointed why I had to go in circles with Microsoft support and simply have to "prove" them that the answers they are providing me can't be true.

    --
    The above is solely my understanding on this matter and I felt like posting it simply for others that stumble in to this to understand what's going on.

    3 people found this answer helpful.
    0 comments No comments

  2. KAREDD-MSFT 406 Reputation points Microsoft Employee
    2019-12-09T17:05:30.52+00:00

    @Hashim Siddiqui Azure will not perform these checks until the user enters the password. They will be blocked after entering the credentials. If you are seeing this error it most likely means that the user entered the correct password and was blocked because of the IP address.

    I will confirm this with the product group and will update the thread as soon as possible.

    1 person found this answer helpful.
    0 comments No comments

  3. AmanpreetSingh-MSFT 56,316 Reputation points
    2019-12-09T17:10:13.26+00:00

    The message "Failure reason
    Sign-in was blocked because it came from an IP address with malicious activity.
    " will be displayed only after correct password is entered from a malicious IP address.

    If incorrect password is entered, user will get "Your account or password is incorrect. If you don't remember your password, reset it now." message. The sign-in risk will not be detected in this case.

    -----------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.

  4. AmanpreetSingh-MSFT 56,316 Reputation points
    2019-12-20T07:21:22.843+00:00

    @Shimshey Rosenberg I still DISAGREE with your opinion.

    If you enter incorrect password, it will fail due to credential validation failure not because of sign-in risk.

    Not sure which sign-in logs you are referring to, the correct place to confirm this is Azure AD Identity Protection > Risk Detections. If you are looking into sign-in events for the user account under Azure AD > Users > Sign-ins, it will include all attempts which are failed due to risk or invalid credentials. This confirms that the attempts with only correct credentials are considered as risky sign-ins.

    You can test this by installing Tor Browser in a test machine, make a valid sign-in attempt and another attempt with incorrect password. Check Azure AD Identity Protection > Risk Detections, you will see only one attempt which was made with correct credentials. This will confirm the behavior is as per my initial response on this thread.

    Please share the result of the test and unmark your answer as Accepted as that might mislead others in the community.

    1 person found this answer helpful.
    0 comments No comments

  5. Sandy Jiang 6 Reputation points
    2021-10-15T21:24:31.293+00:00

    @Shimshey Rosenberg We state the following in our documentation:
    The IP can be blocked due to malicious activity from the IP address. The IP blocked message does not differentiate whether the credentials were correct or not. If the IP is blocked and correct credentials are not used, it will not generate an Identity Protection detection

    https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/troubleshooting-identity-protection-faq#why-was-my-sign-in-blocked-but-identity-protection-didnt-generate-a-risk-detection

    A sign-in with both correct and incorrect credentials can be blocked due to IP malicious activity. In the Authentication Details of the sign-in you will be able to see if the correct or incorrect password was entered.

    1 person found this answer helpful.
    0 comments No comments