question

0 Votes
LS9287467-7199 asked ·

tracking failed authentication back to PC

I have a user that is failing authentication to Exchange Online and I'm seeing the attempts in the AAD sign-in logs. The user isn't experiencing any issues on the PC they are currently using, so I believe another system is the issue. The main issue is that the AAD log only shows my public IP and not the IP of the PC where the failed auth is originating from. Does anyone know of a way to correlate a failed AAD auth back to the PC it originated from in this scenario? Are there any local logs on the PC that I could query that would also say an auth failed (I have the ability to get Windows event logs and other local logs)?

azure-active-directory

0 Votes
ManuPhilip answered ·

Hello,

The AAD sign-in report is available. Hope that helps.

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins#sign-ins-report


Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.

Regards,

Manu


Unfortunately, the sign-ins page, as I mentioned above, doesn't provide information about the device the authentication attempt originated from, so I'm still stuck.

0 Votes 0 ·

Have you also tried customizing the result so that you can see the device info?


0 Votes 0 ·
cust.png (13.8 KiB)

Device info just says Windows 10 and Microsoft Office 16.0. Any other thoughts?


0 Votes 0 ·
capture.png (9.6 KiB)
0 Votes
ShaneTownsend-6638 answered ·

If you have concerns about unauthorized logins, you could improve your security by setting up multi-factor authentication for your users.

Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online:
https://techcommunity.microsoft.com/t5/exchange/dealing-with-high-number-of-failed-log-on-attempts-from-foreign/m-p/91325

Audit activity reports in the Azure Active Directory portal:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

You can also try Lepide Azure AD Auditor to spot when a large number of failed logons are occurring, which could indicate a brute force attack.
