Question

ShimsheyRosenberg asked · 0 Votes

Blocked sign-in due to IP. What about password?

When seeing a blocked sign in that says "Failure reason
Sign-in was blocked because it came from an IP address with malicious activity." Does this mean that they used the correct password and were blocked after entering the password? Or that they were blocked before having a chance to enter the password?

azure-ad-sign-in-logs

KAREDD-MSFT answered · 1 Vote

@HashimSiddiqui-8427 Azure will not perform these checks until the user enters the password. They will be blocked after entering the credentials. If you are seeing this error, it most likely means that the user entered the correct password and was blocked because of the IP address.

I will confirm this with the product group and will update the thread as soon as possible.


amanpreetsingh-msft answered · 1 Vote

The message "Failure reason Sign-in was blocked because it came from an IP address with malicious activity." will be displayed only after the correct password is entered from a malicious IP address.

If an incorrect password is entered, the user will get the "Your account or password is incorrect. If you don't remember your password, reset it now." message. The sign-in risk will not be detected in this case.


Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.


Thank you so much!!!!
ShimsheyRosenberg answered · 1 Vote

Lots of back and forth with Microsoft Support, reviewing logs and more. Apparently, @amanpreetsingh-msft and @KAREDD-MSFT were answering according to some outdated documentation in the best case.

My current understanding on this subject is that this error message does not mean that anyone used the correct password. These are most likely brute-force attempts. They would run some legacy authentication methods where they send the username and password at once. Microsoft evaluates all sign-ins coming in to any Microsoft directory. When an IP has X amount of failed usernames and/or passwords, Microsoft would then flag the IP as malicious and then block the sign-ins no matter whether the password matches or not. Error 50053 has two definitions.

  • Sign-in was blocked because it came from an IP address with malicious activity.

  • Account is locked because user tried to sign in too many times with an incorrect user ID or password.

The second one is actually the definition currently publicized in the official documentation, but both of the above reasons use the same ID.

You won't always see an error prior to seeing "Sign-in was blocked because it came from an IP address with malicious activity.", and this is because that IP address was flagged prior to trying your tenant/account.

This of course is solely my opinion, and it is unfortunate to see "Microsoft Employees" (according to their profiles here) answering questions with incorrect information.

Additionally, I am completely disappointed that I had to go in circles with Microsoft support and simply had to "prove" to them that the answers they were providing me can't be true.


The above is solely my understanding on this matter and I felt like posting it simply for others that stumble in to this to understand what's going on.

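
The post above hinges on two things you can check in an exported sign-in log: error 50053 carries two different failure reasons, and a block from a pre-flagged IP can appear with no earlier failures from that IP in your own tenant's log. The script below is an added example, not code from the thread or from Microsoft. It reads records in the shape of the Microsoft Graph `signIn` resource (the same shape as the JSON download from the Sign-in logs blade), splits 50053 by its failure-reason text, separates it from 50126 invalid-credential failures, and aggregates per source IP so password-spray patterns stand out. The sample records, the `LEGACY_CLIENTS` list and the 3-user threshold are constructed/assumed for illustration.

```python
"""Triage an Entra ID (Azure AD) sign-in log export per source IP.

Added example, not code from the thread. Records are shaped like the Microsoft
Graph `signIn` resource (userPrincipalName, ipAddress, clientAppUsed,
createdDateTime, status.errorCode, status.failureReason). Sample data is constructed.
"""
from collections import defaultdict

# Codes named in the thread. 50126 is the usual invalid-credentials code; 50053
# is reused for both the malicious-IP block and the account lockout, so only
# the failureReason text tells those two apart.
ERR_INVALID_CREDENTIALS = 50126
ERR_BLOCKED_OR_LOCKED = 50053
MALICIOUS_IP_REASON = ("Sign-in was blocked because it came from an IP address "
                       "with malicious activity.")
LOCKOUT_REASON = ("Account is locked because user tried to sign in too many "
                  "times with an incorrect user ID or password.")

# clientAppUsed values for protocols that send username and password in one
# request, which is what spray tooling prefers. Assumed list; extend as needed.
LEGACY_CLIENTS = {"Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Exchange Web Services", "MAPI Over HTTP",
                  "Autodiscover"}


def classify(record):
    """Map one sign-in record to a coarse outcome label."""
    status = record.get("status") or {}
    code = status.get("errorCode", 0)
    reason = (status.get("failureReason") or "").strip()
    if code == 0:
        return "success"
    if code == ERR_INVALID_CREDENTIALS:
        return "invalid_credentials"
    if code == ERR_BLOCKED_OR_LOCKED:
        if reason == MALICIOUS_IP_REASON:
            return "blocked_malicious_ip"
        if reason == LOCKOUT_REASON:
            return "account_lockout"
        return "blocked_or_locked_unspecified"  # reworded text lands here, not misfiled
    return "other_failure"


def spray_indicators(summary, min_users=3):
    """Heuristics (assumed thresholds) that make an IP worth a closer look."""
    flags = []
    if summary["distinct_users"] >= min_users:
        flags.append("many distinct users from one IP")
    if summary["attempts"] and summary["legacy_auth_attempts"] >= summary["attempts"] / 2:
        flags.append("mostly legacy authentication")
    if summary["blocked_without_prior_invalid"]:
        flags.append("blocked before any visible credential failure (IP pre-flagged?)")
    return flags


def triage_by_ip(records):
    """Aggregate attempts per source IP, in time order, and attach indicators."""
    per_ip = {}
    # Graph timestamps are ISO 8601 UTC strings, so they sort chronologically.
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        s = per_ip.setdefault(rec["ipAddress"], {
            "attempts": 0, "users": set(), "legacy_auth_attempts": 0,
            "counts": defaultdict(int), "blocked_without_prior_invalid": 0})
        kind = classify(rec)
        s["attempts"] += 1
        s["users"].add(rec["userPrincipalName"].lower())
        s["counts"][kind] += 1
        if rec.get("clientAppUsed") in LEGACY_CLIENTS:
            s["legacy_auth_attempts"] += 1
        # A 50053 block with no earlier 50126 from this IP in the export is the
        # "flagged before it ever touched your tenant" case from the post above.
        if kind == "blocked_malicious_ip" and s["counts"].get("invalid_credentials", 0) == 0:
            s["blocked_without_prior_invalid"] += 1
    result = {}
    for ip, s in per_ip.items():
        summary = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                   "legacy_auth_attempts": s["legacy_auth_attempts"],
                   "counts": dict(s["counts"]),
                   "blocked_without_prior_invalid": s["blocked_without_prior_invalid"]}
        summary["indicators"] = spray_indicators(summary)
        result[ip] = summary
    return result


def _rec(ts, upn, ip, client, code, reason=""):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": client, "status": {"errorCode": code, "failureReason": reason}}


# Constructed sample: a spraying IP, a lockout, a pre-flagged IP, a normal success.
SAMPLE_SIGNINS = [
    _rec("2021-03-01T10:00:00Z", "user1@contoso.example", "203.0.113.7", "Other clients", 50126, "Invalid username or password."),
    _rec("2021-03-01T10:00:05Z", "user2@contoso.example", "203.0.113.7", "Other clients", 50126, "Invalid username or password."),
    _rec("2021-03-01T10:00:10Z", "user3@contoso.example", "203.0.113.7", "IMAP4", 50126, "Invalid username or password."),
    _rec("2021-03-01T10:00:15Z", "user4@contoso.example", "203.0.113.7", "Other clients", 50053, MALICIOUS_IP_REASON),
    _rec("2021-03-01T10:00:20Z", "user5@contoso.example", "203.0.113.7", "Other clients", 50053, MALICIOUS_IP_REASON),
    _rec("2021-03-01T10:30:00Z", "bob@contoso.example", "10.0.0.5", "Browser", 50053, LOCKOUT_REASON),
    _rec("2021-03-01T11:00:00Z", "user1@contoso.example", "198.51.100.20", "Browser", 50053, MALICIOUS_IP_REASON),
    _rec("2021-03-01T12:00:00Z", "alice@contoso.example", "192.0.2.10", "Browser", 0),
]

if __name__ == "__main__":
    for ip, s in triage_by_ip(SAMPLE_SIGNINS).items():
        print(f"{ip:15} attempts={s['attempts']} users={s['distinct_users']} "
              f"legacy={s['legacy_auth_attempts']} {s['counts']} {s['indicators']}")
```

To use it on a real export, load the JSON array in place of `SAMPLE_SIGNINS`. Two caveats: the failure-reason strings are compared exactly, so if Microsoft rewords them the events show up as `blocked_or_locked_unspecified` instead of being silently misfiled; and an IP that is blocked before any 50126 appears in your export was flagged on traffic your tenant never saw, so a single tenant's sign-in log by itself cannot tell you which password that IP submitted.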

amanpreetsingh-msft answered · 0 Votes

@ShimsheyRosenberg Unfortunately, your understanding is not completely correct. There are 3 different things here:

  1. Machine learning

  2. Sign-in Risk detection

  3. Account lockout.

First, Azure AD Identity Protection uses machine learning to mark an IP address as a suspicious address. An IP address is marked as suspicious only if a high number of failed sign-in attempts come from that address during a short period of time. The IP address will be marked as malicious by the machine learning algorithm. This shouldn't be considered as risk detection; rather, going forward, this would help with risk detection.

Risk Detection: Once the IP address is marked as a suspicious address and a sign-in attempt is made from that address, that will be considered a Risky Sign-in. This is considered as risk detection. However, if you enter an incorrect password during sign-in from a malicious address, you will get the "Your account or password is incorrect. If you don't remember your password, reset it now." message.

The error "Account is locked because user tried to sign in too many times with an incorrect user ID or password." completely depends on the setting below: [screenshot: untitled.png]


If this helps clarifying your questions, please mark it as Accepted Answer.



ShimsheyRosenberg answered · 0 Votes

@amanpreetsingh-msft, I appreciate you getting back to me. I certainly believe that at least now you did the proper research before answering.

The whole point of my previous comment was that the paragraph below is completely wrong and misleading.

The message "Failure reason Sign-in was blocked because it came from an IP address with malicious activity." will be displayed only after the correct password is entered from a malicious IP address.

According to what I wrote, and to the best of my current knowledge on this subject, this is NOT true. You can, and will, see this failure reason in the logs regardless of a correct or incorrect password being entered.

Being that you are a Microsoft employee (according to your profile), can you agree that this is the case?

"Sign-in was blocked because it came from an IP address with malicious activity does not mean that anyone answered the correct password"

True or not?


amanpreetsingh-msft answered · 1 Vote

@ShimsheyRosenberg I still DISAGREE with your opinion.

If you enter incorrect password, it will fail due to credential validation failure not because of sign-in risk.

Not sure which sign-in logs you are referring to, but the correct place to confirm this is Azure AD Identity Protection > Risk Detections. If you are looking into sign-in events for the user account under Azure AD > Users > Sign-ins, it will include all attempts which failed due to risk or invalid credentials. This confirms that only the attempts with correct credentials are considered risky sign-ins.

You can test this by installing Tor Browser on a test machine, making a valid sign-in attempt and another attempt with an incorrect password. Check Azure AD Identity Protection > Risk Detections; you will see only one attempt, which was made with correct credentials. This will confirm the behavior is as per my initial response on this thread.

Please share the result of the test and unmark your answer as Accepted as that might mislead others in the community.

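
Evaluating the test proposed above means lining up each attempt in the sign-in log with whatever Risk Detections recorded for the same user, source IP and moment in time. The script below is an added example, not code from the thread or from Microsoft. It assumes records exported in the shape of the Microsoft Graph `signIn` and `riskDetection` resources (the field names are real Graph fields); the test account, the IP, the sample records and the 5-minute match window are constructed for illustration and are not evidence for either side of the disagreement.

```python
"""Correlate sign-in log entries with Identity Protection risk detections.

Added example, not from the thread. Joins records shaped like the Microsoft
Graph `signIn` and `riskDetection` resources on user, source IP and time.
Sample records are constructed; the 5-minute window is an assumption.
"""
from datetime import datetime, timedelta, timezone


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 UTC, with or without fractional seconds."""
    value = value.rstrip("Z").split(".", 1)[0]  # drop fractional seconds if present
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def correlate(signins, detections, upn, window=timedelta(minutes=5)):
    """For each sign-in by `upn`, list the riskEventType of every detection for
    the same user and source IP whose activity time is within `window`."""
    upn = upn.lower()
    rows = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["userPrincipalName"].lower() != upn:
            continue
        t = parse_graph_time(s["createdDateTime"])
        matched = sorted(
            d["riskEventType"] for d in detections
            if d["userPrincipalName"].lower() == upn
            and d["ipAddress"] == s["ipAddress"]
            and abs(parse_graph_time(d["activityDateTime"]) - t) <= window
        )
        rows.append({
            "time": s["createdDateTime"],
            "ip": s["ipAddress"],
            "errorCode": s["status"]["errorCode"],
            "failureReason": s["status"].get("failureReason") or "",
            "riskDetections": matched,
        })
    return rows


# Constructed sample: a test account signing in twice from one anonymizing
# exit IP (documentation range), ten minutes apart, plus unrelated noise.
TEST_UPN = "tester@contoso.example"
TEST_IP = "198.51.100.77"
MALICIOUS_IP_REASON = ("Sign-in was blocked because it came from an IP address "
                       "with malicious activity.")

SAMPLE_SIGNINS = [
    {"createdDateTime": "2021-03-01T09:00:00Z", "userPrincipalName": TEST_UPN, "ipAddress": TEST_IP,
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"createdDateTime": "2021-03-01T09:10:00Z", "userPrincipalName": TEST_UPN, "ipAddress": TEST_IP,
     "status": {"errorCode": 50053, "failureReason": MALICIOUS_IP_REASON}},
    {"createdDateTime": "2021-03-01T09:12:00Z", "userPrincipalName": "other@contoso.example",
     "ipAddress": TEST_IP, "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
]

SAMPLE_DETECTIONS = [
    {"userPrincipalName": TEST_UPN, "ipAddress": TEST_IP, "riskEventType": "anonymizedIPAddress",
     "activityDateTime": "2021-03-01T09:10:00.1234567Z", "detectionTimingType": "realtime"},
    {"userPrincipalName": "someone@contoso.example", "ipAddress": "192.0.2.44",
     "riskEventType": "unfamiliarFeatures", "activityDateTime": "2021-03-01T08:00:00Z",
     "detectionTimingType": "offline"},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_SIGNINS, SAMPLE_DETECTIONS, TEST_UPN):
        print(f"{row['time']} {row['ip']} {row['errorCode']:>6} "
              f"detections={row['riskDetections'] or 'none'}  {row['failureReason']}")
```

Two practical points when running the real test: space the valid and invalid attempts further apart than the window, otherwise one detection will attach to both attempts and the comparison proves nothing; and offline detections (`detectionTimingType` of `offline`) can be stamped hours after the sign-in, so pull the risk detections again the next day before drawing a conclusion.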

ShimsheyRosenberg answered · 0 Votes

Good morning @amanpreetsingh-msft

Sorry for my delayed response, but I was out of the office on Friday.

First off, I am unable to view the “risk detections” as my subscription does not provide me access to it. I can only see the Azure AD > Users > Sign-Ins. All the comments I have made above in regards to logs are from these logs only.

I have seen logs mentioning invalid credentials, but this did not change my view on this.

I will take a moment and assume you are right (not that you are, but building on that), and try to figure out some things. But first, let's summarize what we are seeing in the logs – assuming you are right.

  • A tenant with 150 mailboxes with Azure AD Connect installed for password sync

  • For 70+ users logs are indicating (again, according to you) that someone somewhere tried to gain access using the correct credentials [Question: How do they have the credentials?]

  • All users are forced to change their local AD password, with password policies restricting them from reusing the same passwords as in the past. [Effectively updating the Azure password]

  • Sign-in attempts did not stop. They are still using the correct passwords (according to you)

The BIG question: How are “they” getting the correct password? At this time, I have some possible answers:

  1. Some form of keylogger on ALL on-premises systems (likelihood: low)

  2. Some form of zero-day exploit to AD or AAD Connect that they can retrieve passwords from (likelihood: ???)

  3. Some method of accessing Microsoft’s password database AND reverse engineer it (likelihood: low)

While I am still weighing these three possible answers (there may be more possibilities, but these are the ones that I was able to come up with...), I saw that some “Azure Only” accounts that are not on-prem synced are also being flagged with the same sign-in attempts, which, according to you, means someone has their password.

So, option 2 above is out of the question. Simply, there is no local AD account for those users, so I moved on to eliminate option 1 (keylogger) by changing those passwords on mobile (different type of device and different network). And guess what: although these accounts were not accessed by “anyone” and no one besides me knew their passwords, they were still being flagged!

Now, I think that I have successfully eliminated all options besides option 3, effectively leaving me with one option from the list above: they somehow can get all passwords from Microsoft directly and reverse engineer the passwords. Due to many reasons, I find it highly unlikely, therefore giving me only one other option, which is that “this error message does NOT mean that anyone tried using the correct password”.


If you still disagree with me, please reply in detail why you do.

All the best, Shimshey


@amanpreetsingh-msft I wonder if you have any input on my previous comment.
