peddy123 asked Chris-Lonsberry commented

Failed logon attempts "password in the cloud"

Hi,

I am looking at a user account which is repeatedly getting failed login attempts with the "Authentication method detail: password in the cloud".
All my legitimate failed login attempts show as "forms authentication" as expected.

What does the authentication method "password in the cloud" imply/mean as it is not documented? Someone circumventing ADFS?


Thanks,
Ped

azure-active-directory

Hi Ped, Can you please share a screenshot of the "password in the cloud" failed login attempt? I believe this is related to the user changing the password in the cloud when password writeback is not enabled, and in this case they'll need to synchronize the on-premises account with the cloud account. But I would like to see a screenshot of what you are seeing to confirm.

peddy123 MarileeTurscak-MSFT ·

Hi Marilee,

Thanks for your reply, this is the only user getting hit with login attempts:

178629-image.png



1 Answer

MarileeTurscak-MSFT answered Chris-Lonsberry commented

Hi @peddy123,

I see in your screenshot that the Authentication Method Detail shows "password in the cloud" and "invalid username or password."

Based on the log at 2:24:52, the user is attempting to log into the Azure portal using only user name and password as the primary authentication method. The failure reason listed is that the user is entering the wrong credentials. The user might simply be entering the wrong credentials, or there could have been a password change in the cloud that was not written back on-premises.

The "password in the cloud" message is documented here: https://docs.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http

Let me know if this helps and if you have further questions.

Thanks,

Marilee


Hi Marilee,

Thanks for pointing this out.
What stands out to me though is that there is ADFS federation set up and I am unable to re-create login attempts via "password in the cloud". Instead it shows "forms authentication" as expected when I try to log on with this username.

I am curious how to log on via password in the cloud, as the login attempts in the screenshot are definitely malicious and not initiated by the user?


Are you using MSAL-node by chance? Do you get a different result when you log in using the portal vs CLI for Microsoft 365? I know there were some issues reported where this error was showing when users were logging in with CLI for Microsoft 365. I'm reaching out to the product team to see if they know why this might be happening, and whether this is a misleading error message or whether this could be a malicious attempt/ADFS bypass.



If the user has a valid refresh token or primary refresh token, the user won't need to go to ADFS. https://docs.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http

peddy123 MarileeTurscak-MSFT ·

Hi Marilee,

Any access aside from browser access is restricted via conditional access policy. All these random IP address logons are attempted via browser.

Having been targeted with many phishing emails recently, would it be possible that someone hijacked a user session and is authenticating somehow to Azure directly?


Following the link to the "List sign-ins" documentation, I see a couple of example responses that include "Password in the cloud" as an auth method, but no explanation of what that means. Do you have anything that explains what it means?

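One way to triage the pattern discussed in this thread, as an added example that is not from any poster or from Microsoft: it scans exported sign-in records for failed password steps whose `authenticationMethodDetail` differs from the value the tenant's federated logons normally record, and lists the source IPs per user. The records are constructed and contain only the fields read here; the function name and the assumption that "Forms Authentication" is the expected value for this tenant are hypothetical.

```python
from collections import defaultdict

def _rec(upn, ip, detail, ok):
    # Build one constructed record with only the signIn fields this check reads.
    return {"userPrincipalName": upn, "ipAddress": ip,
            "authenticationDetails": [{
                "authenticationMethod": "Password",
                "authenticationMethodDetail": detail,
                "succeeded": ok}]}

# Constructed sample data: placeholder users and documentation-range IPs.
SAMPLE_SIGNINS = [
    _rec("user1@example.com", "203.0.113.10", "Password in the cloud", False),
    _rec("user1@example.com", "198.51.100.7", "Password in the cloud", False),
    _rec("user2@example.com", "192.0.2.44", "Forms Authentication", False),
    _rec("user3@example.com", "192.0.2.45", "Password in the cloud", True),
]

def unexpected_method_failures(signins, expected_detail="Forms Authentication"):
    """Per user, count failed password steps whose method detail is not the
    one this tenant's federated logons normally record (an assumption)."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "details": set()})
    for rec in signins:
        for step in rec.get("authenticationDetails") or []:
            if (step.get("authenticationMethod") or "").lower() != "password":
                continue
            detail = (step.get("authenticationMethodDetail") or "").strip()
            if step.get("succeeded") or detail.lower() == expected_detail.lower():
                continue
            entry = hits[rec.get("userPrincipalName") or "<unknown>"]
            entry["count"] += 1
            entry["ips"].add(rec.get("ipAddress"))
            entry["details"].add(detail)
    return dict(hits)

if __name__ == "__main__":
    for upn, info in unexpected_method_failures(SAMPLE_SIGNINS).items():
        print(upn, info["count"], sorted(info["ips"]), sorted(info["details"]))
```

A user with many such failures from many distinct IPs, as in the screenshot described above, is a candidate for a password reset and a review of conditional access coverage.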