A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Those notifications are most likely real sign-in attempts where someone is trying to access the account, but they are being blocked by multi-factor authentication (MFA) before they complete, which is why they do not always appear as normal successful sign-ins in the activity log.
Key points and what to do:
- Treat every unexpected sign-in prompt as a possible attack
  - Do not approve any sign-in notification that you did not initiate yourself.
  - This matches the guidance to never respond to sign-in prompts that were not requested and to review recent activity if anything looks suspicious.
- Check recent sign-in and security activity
  - For a personal Microsoft account, go to the Recent activity page or the Security basics page and select Review activity. Look for:
    - Unusual activity detected
    - Incorrect password entered
    - Any Successful sign-in or Permission given to an application that is not recognized.
  - If any event is clearly not from you, use This wasn’t me or Secure your account where available, and follow the guided steps.
- Understand why they may not show as normal sign-ins
  - If someone has the username but not the second factor, they can:
    - Trigger MFA prompts that are declined.
    - Generate unsuccessful sign-in or additional verification failed events rather than full “Successful sign-in” entries.
  - The documentation notes that unsuccessful sign-ins or failed additional verification can indicate an attacker guessing the password or failing MFA.
- Strengthen the account further
  - Since the password has already been changed, also:
    - Ensure two-step verification/MFA is enabled and working on trusted devices only.
    - Review and update security info (phone numbers, alternate emails, authenticator methods) from the Security basics or Security info pages and remove anything unfamiliar.
    - Consider removing all trusted devices and re-adding only personal devices from the Security settings page.
- Continue monitoring
  - Regularly review Recent activity / My sign-ins to confirm that:
    - Locations, devices, and apps match expected usage.
    - No new unusual activity appears.
  - If repeated prompts continue and suspicious activity is seen, follow the Secure your account flow and keep MFA enabled.
These steps align with Microsoft’s guidance: unexpected sign-in attempts plus MFA prompts usually indicate someone is trying to access the account, but MFA is successfully blocking them. The correct response is to deny all unknown prompts, review recent activity, and keep security info and MFA methods up to date.
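The review described above (distinguishing attempts that MFA blocked from sign-ins that actually succeeded, and deciding which response applies) can be scripted once the activity entries are in a structured form. The script below is an added example, not Microsoft's code and not a real export format: the record shape, the location names and the sample events are constructed, and `KNOWN_LOCATIONS` is an assumed allow-list of the account owner's usual locations. It groups blocked attempts (wrong password, failed additional verification) into bursts per location, singles out successful sign-ins from unfamiliar places and any "Unusual activity detected" entries, and maps the findings to the actions the answer recommends.

```python
"""Triage of constructed personal-account activity records.

Added example; not Microsoft's code. The event labels follow the names
shown on the Recent activity page, but the record layout, timestamps,
and locations are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ActivityEvent:
    when: datetime
    event: str
    location: str


# Assumption: the account owner's usual sign-in locations (allow-list).
KNOWN_LOCATIONS = {"Seattle, US"}

# Attempts stopped by the password check or by MFA: blocked, but a signal.
BLOCKED_EVENTS = {"Incorrect password entered", "Additional verification failed"}
SUCCESS_EVENT = "Successful sign-in"
ALERT_EVENT = "Unusual activity detected"

# Constructed sample records (not real data).
_T = datetime(2024, 5, 1)
SAMPLE_EVENTS = [
    ActivityEvent(_T.replace(hour=2, minute=0), "Incorrect password entered", "Lagos, NG"),
    ActivityEvent(_T.replace(hour=2, minute=1), "Incorrect password entered", "Lagos, NG"),
    ActivityEvent(_T.replace(hour=2, minute=3), "Additional verification failed", "Lagos, NG"),
    ActivityEvent(_T.replace(hour=2, minute=4), "Additional verification failed", "Lagos, NG"),
    ActivityEvent(_T.replace(hour=2, minute=30), "Additional verification failed", "Lagos, NG"),
    ActivityEvent(_T.replace(hour=9, minute=15), SUCCESS_EVENT, "Seattle, US"),
    ActivityEvent(_T.replace(hour=11, minute=40), SUCCESS_EVENT, "Paris, FR"),
    ActivityEvent(_T.replace(hour=11, minute=41), ALERT_EVENT, "Paris, FR"),
]


def find_blocked_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return (window_start, location, count) for each run of at least
    `threshold` blocked attempts from one location within `window`."""
    by_location = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        if e.event in BLOCKED_EVENTS:
            by_location[e.location].append(e)
    bursts = []
    for location, evs in by_location.items():
        i = 0
        while i < len(evs):
            start = evs[i].when
            j = i
            # Extend the window while events fall within `window` of its start.
            while j < len(evs) and evs[j].when - start <= window:
                j += 1
            if j - i >= threshold:
                bursts.append((start, location, j - i))
            i = j
    return bursts


def triage(events, known_locations=KNOWN_LOCATIONS):
    """Classify activity entries into what matters for the manual review."""
    return {
        "blocked_bursts": find_blocked_bursts(events),
        # A success from an unfamiliar location is the highest-priority finding:
        # MFA did not stop that one, so "This wasn't me" / Secure your account applies.
        "unknown_successes": [
            e for e in events
            if e.event == SUCCESS_EVENT and e.location not in known_locations
        ],
        "alerts": [e for e in events if e.event == ALERT_EVENT],
    }


def recommended_actions(report):
    """Map the findings to the responses given in the guidance above."""
    actions = []
    if report["unknown_successes"] or report["alerts"]:
        actions.append("Run Secure your account; review and prune security info and trusted devices.")
    if report["blocked_bursts"]:
        actions.append("Deny unrequested MFA prompts; attempts are being blocked, keep MFA enabled.")
    if not actions:
        actions.append("No action needed; keep reviewing Recent activity.")
    return actions


if __name__ == "__main__":
    rep = triage(SAMPLE_EVENTS)
    for start, loc, n in rep["blocked_bursts"]:
        print(f"{n} blocked attempts from {loc} starting {start:%H:%M}")
    for e in rep["unknown_successes"]:
        print(f"REVIEW: successful sign-in from unfamiliar location {e.location} at {e.when:%H:%M}")
    for line in recommended_actions(rep):
        print("-", line)
```

On the constructed sample this reports one burst of four blocked attempts from Lagos (the lone attempt at 02:30 falls outside the window and is not counted), one successful sign-in from Paris that needs the "This wasn't me" review, and both recommended actions. The point of separating the two categories is the one the answer makes: a burst of blocked attempts means MFA is doing its job, while a single success from an unfamiliar location is the event that warrants the Secure your account flow.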