Multiple Single-factor authentication failures from what seems to be a compromised users

Question

I have noticed in the past month about 900 failed sign in's from what I guess are compromised usernames. They are all reporting as failed, Password in the cloud, password incorrect.

So I guess these are all brute force attempts, they are recorded as from all over the world, we use ADFS in our tenant and have no write back or password sync/hash in the cloud. All these attempts are single factor and obviously fraudulent.

They are not recorded in risky sing in's or risky user's , I just happened to be looking at the sign in logs when i saw them.

Is that normal behavior? that they are not logged or reported on?

Thanks

Eric

Answer 1

@Daoust, Eric Thank you for reaching out to us, As I see you are trying to investigate failed sign in attempts for the users in the federated environment ( ADFS).

Just wanted to check if you have got a chance to review this article which talks about securing AD FS against password attacks - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-password-protection#:~:text=of%20their%20account.-,Securing%20AD%20FS%20against%20password%20attacks,-But%20by%20taking

Let me know if you have any further questions.

Answer 2

hi @Givary-MSFT , That article was for ADFS, what about for Azure Entra? eg. if you're looking at Azure Entra > Security > Authentication Methods: Monitoring > Activity > Usage - and you click on the graph sections for 'single sign-in events' - you will see all activity for single sign in activity. Likely most of these events will show a flood of sign in failures. If so, is your recommendation to enable the MFA Identity Protection Policy in blocking mode, or something else?

Thanks very much.