Sign-ins from IPs that attempt sign-ins to disabled accounts

odweik 21 Reputation points
2022-01-09T13:55:46.667+00:00

Dear Team,

Could you advise me what I have to do with this kind of alert?

Sign-ins from IPs that attempt sign-ins to disabled accounts


Accepted answer
  1. Givary-MSFT 28,231 Reputation points Microsoft Employee
    2022-01-18T17:17:47.14+00:00

    @odweik :

    Sign-ins from IPs that attempt sign-ins to disabled accounts -- incident reported in Sentinel.

    Reviewed the latest incident and investigated it; this incident is reported for only one user. Evaluated the Azure AD sign-in logs for the same user and noticed that the user was disabled in Nov 2021, and also that three devices, which are Azure AD registered, are associated with the user account.

    Action plan: review the devices listed under the user account and investigate them; delete the devices that are not in use by the user. If those devices are used by multiple users, check for inactive sessions/cached credentials for the deleted user (the user reported by the Sentinel incident).

    Reference articles related to Azure Identity protection:

    https://azure.microsoft.com/en-in/services/active-directory/security/#features
    https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
    https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications

    If you have any other questions, please let me know.

    Thank you for your time and patience throughout this issue.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
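
The triage described in the accepted answer (which IPs hit disabled accounts, and what else those IPs did) can be run directly against the workspace. The following KQL is an added example, not the page's own query and not Microsoft's built-in analytics rule; it assumes the Azure AD `SigninLogs` table is connected to the Sentinel workspace and uses the Azure AD result code 50057 ("user account is disabled") to identify the failed attempts.

```kql
// Added triage query (not from the page or from the built-in Sentinel rule).
// Step 1: IPs that produced failed sign-ins against disabled accounts.
//         ResultType "50057" is the Azure AD error for a disabled account.
// Step 2: what else those same IPs did in the window, successful sign-ins
//         included, with the device names they used (per the answer's advice
//         to review devices tied to the disabled user).
// Assumption: SigninLogs is ingested; adjust the lookback to taste.
let lookback = 7d;
let disabledAccountAttempts =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50057"
    | summarize
        AttemptCount = count(),
        DisabledAccountsTargeted = strcat_array(make_set(UserPrincipalName, 50), ", "),
        FirstAttempt = min(TimeGenerated),
        LastAttempt = max(TimeGenerated)
      by IPAddress;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                  // successful sign-ins only
| join kind=inner disabledAccountAttempts on IPAddress
| summarize
    SuccessfulSignIns = count(),
    AccountsSignedIn = strcat_array(make_set(UserPrincipalName, 50), ", "),
    DevicesUsed = strcat_array(make_set(tostring(DeviceDetail.displayName), 20), ", "),
    Apps = strcat_array(make_set(AppDisplayName, 20), ", ")
  by IPAddress, AttemptCount, DisabledAccountsTargeted, FirstAttempt, LastAttempt
| order by AttemptCount desc
```

An IP that appears here with successful sign-ins for other accounts is often a shared egress (office NAT, VPN) where a stale cached credential on a shared device keeps retrying the disabled account; an IP with many disabled-account attempts and no legitimate sign-ins is the case that warrants blocking and a closer look at the source.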


1 additional answer

  1. Ravi Kanth Koppala 3,231 Reputation points Microsoft Employee
    2022-01-10T02:46:14.847+00:00

    @odweik ,

    I think we can use the Conditional Access feature to enforce this policy as it gives us the ability to enforce access requirements when specific conditions occur. For example, when any user is outside the company network then they're required to sign in with multi-factor authentication. In the same way, you can allow users to log in when they try to join from the trusted network.

    For more details, please read the articles -

    ----------

    (If the reply was helpful, please don't forget to upvote and accept as an answer, thank you)
    Ravi Kanth
