Tracking failed authentication back to PC

LS9287467 1 Reputation point
2020-06-17T14:18:26.813+00:00

I have a user that is failing authentication to Exchange Online and I'm seeing the attempts in the AAD sign-in logs. The user isn't experiencing any issues on the PC they are currently using, so I believe another system is the issue. The main issue is that the AAD log only shows the IP of my public IP and not the IP of the PC where the failed auth is originating from. Does anyone know of a way to correlate a failed AAD auth back to the PC it originated from in this scenario? Are there any local logs on the PC that I could query that would also say an auth failed (I have the ability to get Windows event logs and other local logs)?

Microsoft Entra ID

2 answers

  1. Manu Philip 17,351 Reputation points MVP
    2020-06-17T14:28:20.25+00:00

    Hello,

    The AAD sign-in report is available. Hope that helps.

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins#sign-ins-report

    Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.

    Regards,

    Manu
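
Added example, not part of the thread and not Microsoft's own tooling: when every sign-in shows the same public IP, the other fields of the sign-in report (client app, device detail, timing) can still separate the failing client from the user's working PC. The sketch groups one user's failed sign-ins from a JSON export of the report; field names follow the Microsoft Graph `signIn` resource, while the records and the `failed_sources` helper are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (invented values); keys match the Graph signIn resource.
def _rec(ts, client, device, os_name, code, upn="user@example.com"):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": "203.0.113.10",
            "clientAppUsed": client, "appDisplayName": "Office 365 Exchange Online",
            "deviceDetail": {"displayName": device, "operatingSystem": os_name},
            "status": {"errorCode": code}}

SAMPLE = [
    _rec("2020-06-17T13:00:05Z", "Exchange ActiveSync", "", "", 50126),
    _rec("2020-06-17T13:15:05Z", "Exchange ActiveSync", "", "", 50126),
    _rec("2020-06-17T13:30:06Z", "Exchange ActiveSync", "", "", 50126),
    _rec("2020-06-17T13:20:00Z", "Browser", "PC-0142", "Windows 10", 0),
    _rec("2020-06-17T13:40:00Z", "Mobile Apps and Desktop clients", "LAPTOP-07", "Windows 10", 50126),
    _rec("2020-06-17T13:10:00Z", "Browser", "PC-0200", "Windows 10", 50126, upn="other@example.com"),
]

def failed_sources(records, upn):
    """Group one user's failed sign-ins by the client fingerprint the log recorded."""
    groups = defaultdict(list)
    for r in records:
        if r.get("userPrincipalName", "").lower() != upn.lower():
            continue
        if (r.get("status") or {}).get("errorCode", 0) == 0:
            continue  # errorCode 0 is a successful sign-in
        d = r.get("deviceDetail") or {}  # may be empty, e.g. for legacy clients
        key = (d.get("displayName") or "(no device name)",
               d.get("operatingSystem") or "(unknown OS)",
               r.get("clientAppUsed") or "(unknown client)",
               r.get("appDisplayName") or "(unknown app)")
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        groups[key].append(ts)
    out = []
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A steady gap between failures suggests an automated retry, not a person typing.
        out.append({"source": key, "failures": len(times), "first": times[0],
                    "last": times[-1], "median_gap_s": median(gaps) if gaps else None})
    return sorted(out, key=lambda g: -g["failures"])

if __name__ == "__main__":
    for g in failed_sources(SAMPLE, "user@example.com"):
        print(g["failures"], g["source"], g["median_gap_s"])
```

A group with no device name, a legacy client and evenly spaced failures typically suggests a device or mail profile retrying a stale saved password, which narrows which machines to check in local logs.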


  2. Shane Townsend 1 Reputation point
    2020-06-19T09:45:24.083+00:00

    If you have concerns about unauthorized logins, you could improve your security by setting up multi-factor authentication for your users.

    Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online:
    https://techcommunity.microsoft.com/t5/exchange/dealing-with-high-number-of-failed-log-on-attempts-from-foreign/m-p/91325

    Audit activity reports in the Azure Active Directory portal:
    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

    You can also try Lepide Azure AD Auditor to spot when a large number of failed logons are occurring, which could indicate a brute force attack.
