Azure AD Suspicious Sign-on

Azure AD Suspicious Sign-on

Detection overview


  • A successful login has occurred to an account with sign-on attributes (such as location, device, etc.) that are unusual for the account.

Possible Root Causes

  • An adversary has stolen a valid account and is using it as part of an attack.
  • A user has moved and performed a full refresh of their devices and performed login activities across these devices with new sign-on attributes.

Business Impact

  • Adversaries frequently bypass security controls through the malicious, unauthorized use of valid credentials.
  • The compromise of a valid account may lead to the loss of confidentiality and integrity of any data and services that account may access, and it may be used in service of additional lateral movement or attacks against other internal users.

Steps to Verify

  1. Investigate irregularities associated with these login events for indications of compromise.
  2. Validate the login activities have been performed in accordance with organizational MFA policies, enforcing re-login with MFA if required.

Azure AD Suspicious Sign-on

Possible root causes

Malicious Detection

Benign Detection

Azure AD Suspicious Sign-on

Example scenarios

Azure AD Suspicious Sign-on

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure AD Suspicious Sign-on

Steps to investigate

Azure AD Suspicious Sign-on

MITRE ATT&CK techniques covered

Azure AD Suspicious Sign-on

Related detections

No items found.