Can someone tell me where to look to see if a risky sign-in used the correct password?
Background:
I have conditional access enabled on all users and all apps when the sign-in is initiated from an IP not in my trusted locations. Works well.
I just got an email alert about a high-risk sign-in and confirmed that the user was not at that IP at all. So we did a password reset just in case.
When I look at the sign-in logs and go to the event at hand, I go to the Authentication Details tab, and in there all I see is this.
I don't really understand why there are 2 entries. But I don't understand what exactly the first one means. Does that mean that the password the potential hacker tried to use was correct and then MFA stopped them, or is it saying that the password failed?
I just want to know if the password they used was correct or not, as on the "password" authentication detail entry it says false, but then says it is because MFA failed. But MFA authentication is its own authentication method, which is why I assumed there are 2 entries on the details tab: 1 is for password and the other is for MFA. So if the password that was used was correct, I would assume it would say TRUE, and then on the second entry for MFA it would say false.
Then I tested this and went to Azure as myself and entered the wrong password 2-3 times, and sure enough, I get a
Wouldn't it make a lot more sense, and be more logical in the case of a compromised password, that if someone malicious tried to log in and did have the correct password, the first entry on authentication details would say TRUE, and then the next entry down would say MFA failed? There already is a second entry on the details tab.
The password is its own method, so the failure of MFA shouldn't set that to false if the right password was entered. Logically, at least, that makes more sense to me. When I see authentication method = password and succeeded = FALSE, I immediately think "ok, the password failed", but that's not true at all, is it? If the result says "user did not pass the MFA challenge", that's perfectly fine, but why would MSFT not put that on the next entry down, so that if the right password was used it would say TRUE, and then the next entry down would say authentication method = MFA, succeeded = FAILED, ResultDetail = User did not pass the MFA challenge.
I even downloaded the full log file, and it says false there too, and then this:
This really throws me off, because in the auth detail log tab on the "password" entry it says "User did not pass the MFA challenge (non interactive)."
But 1. password is an INTERACTIVE login, and 2. because the ResultDetail = user did not pass the MFA challenge (non-interactive), I was looking at the non-interactive logs and couldn't find it, because it is an INTERACTIVE login. Why would you EVER reference a non-interactive login in an INTERACTIVE login audit entry? That literally makes no sense.
So when a password login fails when the CORRECT password is used but MFA stopped it, it marks the "password" event as false and then puts "(non interactive)" in the result details. That literally makes no sense and is incredibly confusing.
So there is literally nowhere I can look that will say password = true, MFA = false when the right password is used but MFA stopped the login.
Is that correct? And if so, why? lol
Take for example when I do successfully log in with password and MFA:
In this case password says true, and then the next one down says true. But when I type in the wrong password, it changes them both to FALSE, but that is not true. Even if you marked password as TRUE but then still put resultDetails = user did not pass the MFA challenge under it, that would make more sense than marking the password method as false when MFA fails. The only way I was able to figure this out was to verify what happens if I type in the wrong password and check the logs, and then basically just assume the correct password was used if it says false but then says user did not pass the MFA challenge.
This seems like a very elementary thing to fix, but the logic on this is just completely broken.
I hope this all makes sense and someone can give me some insight.
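Since the log never states "password = true, MFA = false" directly, the workaround described in the post (password step marked false, but the result detail blames the MFA challenge, means the password was accepted) can be applied to exported sign-in events programmatically. The Python below is an added example, not from the original post or from Microsoft; the JSON key names and the sample events are assumptions modelled on the text.

```python
# Constructed sample: the authenticationDetails arrays of three sign-in
# events modelled on the post (risky sign-in with the password step marked
# false but an MFA result detail, a plain wrong-password attempt, and a fully
# successful sign-in). Key names follow the Graph signIn resource as I
# understand it (an assumption); map them to your export if they differ.
def step(method, ok, detail):
    return {"authenticationMethod": method, "succeeded": ok,
            "authenticationStepResultDetail": detail}

MFA_FAIL = "User did not pass the MFA challenge (non interactive)."
SAMPLE_EVENTS = [
    {"id": "constructed-risky-signin", "authenticationDetails": [
        step("Password", False, MFA_FAIL),
        step("Mobile app notification", False, MFA_FAIL)]},
    {"id": "constructed-wrong-password", "authenticationDetails": [
        step("Password", False, "Invalid password (constructed text).")]},
    {"id": "constructed-good-signin", "authenticationDetails": [
        step("Password", True, "Correct password (constructed text)."),
        step("Mobile app notification", True, "MFA done (constructed text).")]},
]

MFA_MARKER = "did not pass the mfa challenge"

def classify_password_step(event):
    """Work out what actually happened to the password step of one sign-in.

    The log marks the Password step succeeded=False whenever the sign-in as a
    whole failed, so False only means a wrong password when the result detail
    does not blame the MFA challenge.
    """
    steps = event.get("authenticationDetails", [])
    pw = next((s for s in steps
               if s.get("authenticationMethod", "").lower() == "password"), None)
    if pw is None:
        return "no-password-step"
    if pw.get("succeeded"):
        return "password-correct"
    detail = (pw.get("authenticationStepResultDetail") or "").lower()
    if MFA_MARKER in detail:
        return "password-correct-mfa-blocked"  # password accepted, MFA stopped it
    return "password-wrong"

def suspected_compromised_passwords(events):
    """Ids of sign-ins where the password was right but MFA blocked the login:
    the ones that justify a password reset rather than just being ignored."""
    return [e["id"] for e in events
            if classify_password_step(e) == "password-correct-mfa-blocked"]
```

Feed it the `authenticationDetails` arrays from a downloaded sign-in log and the reset candidates fall out without reading each event by hand.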