
MS Authenticator unknown requests

BuddhikaCooray-2602 0 Reputation points
2026-06-09T10:12:16.4233333+00:00

Recently I have been getting MS Authenticator requests, which I would obviously deny.

How do I find out where these attempts originated from?

What action can I take?

Thanks

Microsoft Security | Microsoft Authenticator

2 answers

  1. Ana Le 935 Reputation points Independent Advisor
    2026-06-09T10:59:58.61+00:00

    Hi @BuddhikaCooray-2602,

    If you are receiving unexpected Microsoft Authenticator approval requests, do not approve them unless you initiated the sign-in yourself.

    To investigate the source of these attempts:

    If you find any unfamiliar activity:

    1. Change your password immediately.
    2. Review and update your security information.
    3. Sign out of any devices or sessions you do not recognize.

    If this is a work or school account, contact your Microsoft 365 administrator. They can review Microsoft Entra sign-in logs to identify the source of the authentication attempts: Sign-in event details for Microsoft Entra multifactor authentication - Microsoft Entra ID | Microsoft Learn

    Please let me know whether this is a personal Microsoft account or a work/school account, and I can help to provide more specific guidance.


  2. AI answer

    2026-06-09T10:12:28.67+00:00

    Unrequested Microsoft Authenticator prompts usually mean somebody (or something) is trying to sign in with that account, or a delayed/accidental request reached the device.

    What is happening

    • Unrequested prompts can occur when:
      1. Someone is trying to access the account.
      2. Someone accidentally entered the account’s email/phone while signing in.
      3. A prompt that was legitimately requested earlier is delayed and arrives later.
    • As long as Deny is selected for any request that was not initiated, the sign-in attempt cannot complete and the account remains protected.

    How to see where attempts are coming from

    1. For work or school accounts, use My Sign-ins:
      • Go to the My sign-ins page and review recent sign-in activity.
      • Look for unsuccessful sign-ins and check details such as location, app, and operating system.
      • If an item shows “Additional verification failed, invalid code”, it means the password was correct but the second factor (Authenticator) failed, which often indicates an attacker guessed or obtained the password but could not pass MFA.
    2. For personal Microsoft accounts, use the Recent activity page:
      • Review the Recent activity section for sign-ins or “Additional verification requested” events.
      • This page shows significant events (new sign-ins, security changes, extra verification requests) with approximate location and device information.

    Recommended actions

    1. Always deny any Authenticator prompt not explicitly initiated.
    2. Change the account password if:
      • There are unsuccessful sign-ins that are not recognized, or
      • There are events where primary sign-in succeeded but additional verification failed.
    3. Strengthen sign-in security:
      • Ensure multi‑factor authentication is enabled.
      • Consider going passwordless (for work/school accounts) using methods such as Microsoft Authenticator, Windows Hello, SMS/Email codes, or security keys. Passwordless sign-in reduces risk from guessed or stolen passwords.
    4. Monitor activity regularly:
      • Periodically review My sign-ins (work/school) or Recent activity (personal) and confirm or secure any unusual events.

    If unrequested verification codes (SMS/email) are also received, do not respond to them; without the correct response, the attacker cannot complete sign-in.


    AI-generated content may be incorrect. Read our transparency notes for more information.

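For a work or school account, an administrator can apply the rule from the answers above (password accepted, additional verification failed) to an exported copy of the Entra sign-in logs. The following is an added example, not part of either answer: it assumes a JSON export that uses the Microsoft Graph signIn field names, the error codes 500121 and 50126 come from Microsoft's published sign-in error list rather than from this page, and the sample records are constructed.

```python
import json
from collections import Counter

# Entra sign-in error codes (assumption: taken from Microsoft's error-code list).
MFA_FAILED = 500121    # password accepted, the MFA step failed or was denied
BAD_PASSWORD = 50126   # invalid username or password

def _rec(upn, ip, country, app, code):
    # Builds one constructed record using Microsoft Graph signIn field names.
    return {"userPrincipalName": upn, "ipAddress": ip, "appDisplayName": app,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

# Constructed sample export: placeholder users, documentation-range IPs.
SAMPLE_EXPORT = json.dumps([
    _rec("user@example.com", "203.0.113.10", "NL", "Office 365 Exchange Online", 500121),
    _rec("user@example.com", "203.0.113.10", "NL", "Office 365 Exchange Online", 500121),
    _rec("user@example.com", "198.51.100.7", "US", "Azure Portal", 50126),
    _rec("user@example.com", "192.0.2.5", "LK", "Azure Portal", 0),
    _rec("other@example.com", "203.0.113.10", "NL", "Azure Portal", 500121),
])

def triage(export_json, user):
    """Group one user's failed sign-ins by source and by failure stage."""
    mfa_sources, pw_sources = Counter(), Counter()
    for rec in json.loads(export_json):
        if rec.get("userPrincipalName", "").lower() != user.lower():
            continue
        code = (rec.get("status") or {}).get("errorCode")
        loc = rec.get("location") or {}
        source = (rec.get("ipAddress"), loc.get("countryOrRegion"),
                  rec.get("appDisplayName"))
        if code == MFA_FAILED:
            mfa_sources[source] += 1
        elif code == BAD_PASSWORD:
            pw_sources[source] += 1
    return {
        # Any MFA-stage failure means the first factor (password) was accepted.
        "password_likely_known": bool(mfa_sources),
        "mfa_failed_sources": mfa_sources.most_common(),
        "bad_password_sources": pw_sources.most_common(),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT, "user@example.com"), indent=2))
```

A true `password_likely_known` corresponds to the case in which the answer above recommends changing the password; the listed sources give the IP address, country and application behind the prompts.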
