Good morning, @AmanpreetSingh-MSFT
Sorry for my delayed response, but I was out of the office on Friday.
First off, I am unable to view the “risk detections”, as my subscription does not give me access to them. I can only see Azure AD > Users > Sign-ins. All the comments I have made above regarding logs are based on those logs only.
I have seen logs mentioning invalid credentials, but that did not change my view on this.
I will take a moment and assume you are right (not that you are, but building on that) and try to work a few things out. But first, let's summarize what we are seeing in the logs, assuming you are right.
- A tenant with 150 mailboxes with Azure AD Connect installed for password sync
- For 70+ users, the logs indicate (again, according to you) that someone, somewhere, tried to gain access using the correct credentials. [Question: how do they have the credentials?]
- All users are forced to change their local AD password, with password policies preventing them from reusing past passwords. [This effectively updates the Azure password.]
- Sign-in attempts did not stop. They are still using the correct passwords (according to you).
The BIG question: How are “they” getting the correct password?
At this time, I have some possible answers:
- Some form of keylogger on ALL on-premises systems (likelihood: low)
- Some form of zero-day exploit to AD or AAD Connect that they can retrieve passwords from (likelihood: ???)
- Some method of accessing Microsoft’s password database AND reverse engineering it (likelihood: low)
While I was still weighing these three possible answers (there may be more possibilities, but these are the ones I was able to come up with...), I saw that some “Azure only” accounts that are not synced from on-prem are also being flagged with the same sign-in attempts, which, according to you, means someone has their passwords.
So option 2 above is out of the question: simply put, there is no local AD account for those users. I then moved on to eliminate option 1 (keylogger) by changing those passwords on a mobile device (a different type of device on a different network). And guess what: although these accounts were not accessed by “anyone” and no one besides me knew their passwords, they were still being flagged!
Now, I think that I have successfully eliminated all options besides option 3, effectively leaving me with one option from the list above: they can somehow get all passwords from Microsoft directly and reverse engineer them.
For many reasons, I find that highly unlikely, which leaves me with only one other option: that “this error message does NOT mean that anyone tried using the correct password.”
--
If you still disagree with me, please reply in detail and explain why.
All the best, Shimshey
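One way to put the question argued in this post to a concrete test, as an added example that is not part of the thread or of anyone's reply in it: group the Sign-ins entries by their AADSTS error code and ask, per code, whether Azure AD can only return it after it has already accepted the password. The three buckets below are this example's own reading of the documented meanings of a handful of well-known codes (the thread never names the specific code that was seen, so no claim is made about it); the log entries are constructed, and the field names follow the shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, status.errorCode, status.failureReason).

```python
from collections import Counter

# Well-known AADSTS result codes and what each implies about the password that
# was submitted. The bucketing is this example's own assumption drawn from the
# documented code meanings; it is not something stated anywhere in the thread.
PASSWORD_WRONG = {
    50126: "invalid username or password",
}
# Codes Azure AD only issues after the first factor was accepted: the sign-in
# was interrupted or blocked by a later step (MFA, Conditional Access, expiry).
PASSWORD_ACCEPTED_THEN_STOPPED = {
    50074: "strong authentication (MFA) required",
    50076: "MFA required (new location or policy change)",
    50072: "user must enrol for MFA",
    50055: "password expired",
    53003: "blocked by Conditional Access",
}
# Codes that say nothing reliable about whether the password matched.
INDETERMINATE = {
    50053: "account locked or sign-in from a blocked IP",
    50057: "user account disabled",
}


def classify(error_code: int) -> str:
    """Map a sign-in's status.errorCode to what it implies about the password."""
    if error_code == 0:
        return "success"
    if error_code in PASSWORD_WRONG:
        return "password_wrong"
    if error_code in PASSWORD_ACCEPTED_THEN_STOPPED:
        return "password_accepted"
    if error_code in INDETERMINATE:
        return "indeterminate"
    return "unknown"


def summarize(entries):
    """Count, per user, how many sign-in records fall into each bucket.

    Returns {userPrincipalName: Counter({bucket: count})}.
    """
    per_user = {}
    for entry in entries:
        upn = entry["userPrincipalName"]
        bucket = classify(int(entry["status"]["errorCode"]))
        per_user.setdefault(upn, Counter())[bucket] += 1
    return per_user


def users_with_accepted_passwords(entries):
    """UPNs with at least one failed sign-in that got past password validation."""
    return sorted(
        upn for upn, counts in summarize(entries).items()
        if counts["password_accepted"] > 0
    )


# Constructed sample log in the Graph signIn shape; not data from any real tenant.
SAMPLE_LOG = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.11",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required."}},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 53003, "failureReason": "Access has been blocked by Conditional Access policies."}},
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.12",
     "status": {"errorCode": 50053, "failureReason": "Account is locked."}},
    {"userPrincipalName": "erin@contoso.example", "ipAddress": "192.0.2.5",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"userPrincipalName": "frank@contoso.example", "ipAddress": "203.0.113.13",
     "status": {"errorCode": 99999, "failureReason": "Constructed unknown code."}},
]


if __name__ == "__main__":
    for upn, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(upn, dict(counts))
    print("passed password validation:", users_with_accepted_passwords(SAMPLE_LOG))
```

Fed the JSON output of a Graph `auditLogs/signIns` query for the affected users instead of SAMPLE_LOG, `summarize` shows whether the flagged attempts sit in the `password_wrong` bucket (a guess that did not match) or in `password_accepted` (a password that did match and was then stopped), which is exactly the distinction the two sides of this thread disagree about; any code landing in `unknown` needs to be looked up before it is counted either way.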