This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 69%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hi,
I am looking at a user account which is repeatedly getting failed login attempts with the "Authentication method detail: password in the cloud".
All my legitimate failed login attempts show as "forms authentication" as expected.
What does the authentication method "password in the cloud" imply/mean as it is not documented? Someone circumventing ADFS?
Thanks,
Ped
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi Ped, Can you please share a screenshot of the "password in the cloud" failed login attempt? I believe this is related to the user changing the password in the cloud when password writeback is not enabled, and in this case they'll need to synchronize the on-premises account with the cloud account. But I would like to see a screenshot of what you are seeing to confirm.
Hi Marilee,
Thanks for your reply, this is the only user getting hit with login attempts:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 61%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
What does the authentication method "password in the cloud" imply/mean as it is not documented?
The page https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http does not explain it.
Thanks
Hi @ped ,
I see in your screenshot that the Authentication Method Detail shows "password in the cloud" and "invalid username or password."
Based on the log at 2:24:52, the user is attempting to log into the Azure portal using only user name and password as the primary authentication method. The failure reason listed is that the user is entering the wrong credentials. The user might simply be entering the wrong credentials, or there could have been a password change in the cloud that was not written back on-premises.
The "password in the cloud" message is documented here: https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http
Let me know if this helps and if you have further questions.
Thanks,
Marilee
Hi Marilee,
Thanks for pointing this out.
What stands out to me though is that there is ADFS federation setup and I am unable to re-create login attempts via "password in the cloud". Instead it shows "forms authentication" as expected when I try to logon with this username.
I am curious on how to logon via password in the cloud as the login attempts in the screenshot are definitely malicious and not initiated by the user?
Are you using MSAL-node by chance? Do you get a different result when you log in using the portal vs CLI for Microsoft 365? I know there were some issues reported where this error was showing when users were logging in with CLI for Microsoft 365. I'm reaching out to the product team to see if they know why this might be happening, and whether this is a misleading error message or whether this could be a malicious attempt/ADFS bypass.
If the user has a valid refresh token or primary refresh token, the user won't need to go to ADFS. https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http
Hi Marilee,
Any access aside from Browser access is restricted via conditional access policy. All these random ip address logons are attempted via browser.
Having been targeted with many phishing emails recently, would it be possible some highjacked a user session and is authenticating somehow to azure directly?
I've reached out to the product team to check if that is possible, but I think the CA policy would have flagged the login as such.
Thanks for looking into this! Reviewing the signing logs under the conditional access tab shows "not applicable". We do have a number of conditional access policies that show under each of the other legitimate login attempts
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 82%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC8%3C/text%3E%3C/svg%3E)
Following the link to the "List sign-ins" documentation, I see a couple of example responses that include "Password in the cloud" as an auth method, but no explanation of what that means. Do you have anything that explains what it means?