High risk login details - very confused.

ExecuteRestart66 21 Reputation points
2021-08-20T19:04:55.083+00:00

Can someone tell me where to look to see if a risky sign-in used the correct password?

Background:

I have Conditional Access enabled on all users and all apps when the sign-in is initiated from an IP not in my trusted locations. Works well.

I just got an email alert about a high-risk sign-in and confirmed that the user was not at that IP at all. So we did a password reset just in case.

When I look at the sign-in logs and go to the event at hand, I go to the Authentication Details tab, and in there all I see is this.

[image: 125142-image.png]

I don't really understand why there are 2 entries. But I don't understand what exactly the first one means. Does that mean that the password the potential hacker tried to use was correct and then MFA stopped them, or is it saying that the password failed?

I just want to know if the password they used was correct or not, as on the "Password" authentication detail entry it says False, but then says it is because MFA failed. But the MFA authentication is its own authentication method, which is why I assumed there are 2 entries on the Details tab: 1 is for password and the other is for MFA. So if the password that was used was correct, I would assume it would say TRUE, and then on the second entry for MFA it would say False.

Then I tested this and went to Azure as myself and entered the wrong password 2-3 times, and sure enough, I get a

[image: 125069-image.png]

Wouldn't it make a lot more sense, and be more logical in the case of a compromised password, that if someone malicious tried to log in and did have the correct password, the first entry on Authentication Details would say TRUE, and then the next entry down would say MFA failed? As there already is a second entry on the Details tab.

The password is its own method, so the failure of MFA shouldn't set that to False if the right password was entered. Logically, at least, that makes more sense to me. When I see Authentication Method = Password and Succeeded = FALSE, I immediately think "OK, the password failed," but that's not true at all, is it? If the result says "User did not pass the MFA challenge," that's perfectly fine, but why would MSFT not put that on the next entry down, so that if the right password was used it would say TRUE, and then the next entry down would say Authentication Method = MFA, Succeeded = FAILED, ResultDetail = User did not pass the MFA challenge?

I even downloaded the full log file and it says False there too, and then this:

which really throws me off, because in the Auth Details log tab on the "Password" entry it says "User did not pass the MFA challenge (non interactive)."

But 1. password is an INTERACTIVE login, and 2. because the ResultDetail = User did not pass the MFA challenge (non-interactive), I was looking at the non-interactive logs and couldn't find it, because it is an INTERACTIVE login. Why would you EVER reference a non-interactive login in an INTERACTIVE login audit entry???? That literally makes no sense.

So when a password login fails when the CORRECT password is used but MFA stopped it, it marks the "Password" event as False and then puts in the result details (non interactive). That literally makes no sense and is incredibly confusing.

So there is literally nowhere I can look that will say Password = True, MFA = False when the right password is used but MFA stopped the login.

Is that correct? And if so, why? lol

Take for example when I do successfully log in with password and MFA:

[image: 125090-image.png]

In this case Password says True, and then the next one down says True. But when I type in the wrong password, it changes them both to FALSE. But that is not true. Even if you marked Password as TRUE but then still put under the ResultDetails = User did not pass the MFA challenge, that would make more sense than marking the Password method as False when MFA fails. The only way I was able to figure this out was to verify what happens if I type in the wrong password and check the logs, and then basically just assume the correct password was used if it says False but then says User did not pass the MFA challenge.

This seems like a very elementary thing to fix, but the logic on this is just completely broken.

I hope this all makes sense and someone can give me some insight.
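Added example (not code from the post, from Microsoft, or from the Entra product): a small Python triage script over an exported sign-in log that encodes the inference the poster arrived at. A Password step marked succeeded=False whose resultDetail says the user "did not pass the MFA challenge" is reported as password-accepted/MFA-blocked, a Password step that fails with any other resultDetail is reported as a rejected password, and two True steps are a full success. The sample events, user names, IPs, and every resultDetail string except the MFA one quoted in the post are constructed assumptions; the field names (`authenticationDetails`, `authenticationMethod`, `succeeded`, `authenticationStepResultDetail`, `riskLevelDuringSignIn`) follow the Microsoft Graph signIn resource, and should be checked against the export you actually have.

```python
"""Triage exported Entra ID sign-in events by what the Password step reports.

Added example; encodes the inference from the post above: Password=False with an
MFA resultDetail means "correct password, MFA stopped it"; Password=False with
any other resultDetail means the password itself was wrong.
"""
import json

# Substring of the resultDetail quoted in the post for "right password, MFA stopped it".
MFA_BLOCKED_MARKER = "did not pass the mfa challenge"

# Constructed sample export (not real data).  Field names follow the Microsoft
# Graph signIn resource; every resultDetail string other than the MFA one quoted
# in the post is an assumption about what the export contains.
SAMPLE_EXPORT = json.dumps([
    {
        "id": "evt-1", "userPrincipalName": "alice@contoso.example",
        "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "none",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Mobile app notification", "succeeded": True,
             "authenticationStepResultDetail": "MFA completed"},
        ],
    },
    {
        "id": "evt-2", "userPrincipalName": "alice@contoso.example",
        "ipAddress": "198.51.100.7", "riskLevelDuringSignIn": "high",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": False,
             "authenticationStepResultDetail":
                 "User did not pass the MFA challenge (non interactive)."},
            {"authenticationMethod": "Mobile app notification", "succeeded": False,
             "authenticationStepResultDetail":
                 "User did not pass the MFA challenge (non interactive)."},
        ],
    },
    {
        "id": "evt-3", "userPrincipalName": "alice@contoso.example",
        "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "none",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": False,
             "authenticationStepResultDetail": "Invalid username or password"},
        ],
    },
])


def load_export(text):
    """Parse the JSON download; accept either a bare list or a Graph-style {"value": [...]}."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def password_steps(event):
    """All authenticationDetails entries whose method is Password."""
    return [s for s in event.get("authenticationDetails", [])
            if (s.get("authenticationMethod") or "").lower() == "password"]


def classify_signin(event):
    """Return one verdict string for a single sign-in event."""
    steps = event.get("authenticationDetails", [])
    pw = password_steps(event)
    if not pw:
        return "no_password_step"
    last_pw = pw[-1]
    others = [s for s in steps if s is not last_pw]
    detail = (last_pw.get("authenticationStepResultDetail") or "").lower()
    if last_pw.get("succeeded"):
        # Password=True: full success if every other step is True too.
        if all(s.get("succeeded") for s in others):
            return "success"
        return "mfa_failed_after_password"
    if MFA_BLOCKED_MARKER in detail:
        # The confusing case from the post: Password=False, but the reason given is MFA.
        return "password_accepted_mfa_blocked"
    return "password_rejected"


def triage(events):
    """One (id, user, ip, risk, verdict) tuple per event, in export order."""
    return [(e.get("id"), e.get("userPrincipalName"), e.get("ipAddress"),
             e.get("riskLevelDuringSignIn", "none"), classify_signin(e))
            for e in events]


if __name__ == "__main__":
    for row in triage(load_export(SAMPLE_EXPORT)):
        print("  ".join(str(x) for x in row))
```

Run it as-is to see one line per constructed event; to use it on real data, replace `SAMPLE_EXPORT` with the contents of the JSON download from the sign-in log blade (the same array is exposed under `auditLogs/signIns` in Graph; confirm the property names for the API version you query). The `mfa_failed_after_password` branch is the shape the poster wishes the log used (Password=True, MFA=False); it is kept so the script does not silently mislabel such an event if an export ever contains one. The verdict for evt-2 is an inference from the resultDetail text, not a field that states the password was correct, which is exactly the gap the post describes.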

Microsoft Entra ID

1 answer

  1. ExecuteRestart66 21 Reputation points
    2021-08-20T19:12:49.763+00:00

    This is 1000% how it should look, and why it doesn't is so far beyond me and honestly kind of annoying. I can't be the only person who feels this way. There is ZERO reason why the Password method should show FALSE if MFA failed. It should look like this below. There honestly is no logical reason I can think of as to why it doesn't, and I hope someone sees this and fixes it soon instead of waiting a year. This to me tells me that auditing reports cannot be relied on, and is such a security risk. I as an IT admin need to be able to know if the correct password was used but MFA failed, so that I can judge if this is a compromise or not, or even if a user is just typing their password in wrong.

    I'll say it again: failed MFA should not mark the Password authentication method as False. EVER.

    [image: 125124-image.png]

