Extraordinaire20
Jan 18, 2023, Copper Contributor
The remote NGC session was denied.
Hi. I was reviewing sign-in logs for a user in Sentinel and came across an entry that has the following: ResultType: 1003033 ResultDescription: The remote NGC session was denied. Authenticatio...
GROB_740
Feb 06, 2023, Copper Contributor
Hi both, we have recently run into the same issue and had a chat with MS after reviewing our conditional access policies for possible denies, as the connection that was denied came from a TOR exit node with no geolocation. The actual reference in this instance to NGC is actually referring to Next Generation Credentials, like passwordless authentication. The error is not related to a conditional access policy, including one targeting a GeoCoordinate setting.
This sign-in refers to passwordless authentication using the Microsoft Authenticator app, for example. A 1003033 error occurs when a user attempts to authenticate with the tenant that sent an authentication request to the registered Microsoft Authenticator app, and the error signifies that the user manually denied the authentication request in the Microsoft Authenticator app.
MorbrosIT
Feb 06, 2023, Copper Contributor
The biggest concern was whether or not the credentials were actually compromised (which they weren't). I didn't have any luck with Microsoft support on this. They kept asking me to delete the NGC folder on the machine and I knew that wasn't the issue.
- GROB_740, Feb 07, 2023, Copper Contributor
With these NGC events they do not need to know your password, as the auth takes place with a passwordless auth session. To replicate this, try the following:
When you log into the Windows portal with your email, the next phase will ask for a password. In this phase the TA will not use a password but select "Use an app instead", where a number matching request will be sent to your enrolled device. From your device, cancel the request to generate the 1003033 event in AAD.
The TA will only ever know your email address for this attack, not your password. If they knew your password they would utilise the password, click next and hit the MFA auth pane for the chosen MFA auth input (if you have MFA configured).
To see the relevant logs within AAD use:
SigninLogs
| where TimeGenerated > ago(7d)
| extend errorCode_ = tostring(Status.errorCode)
| where errorCode_ == "1003033"
Change the TimeGenerated to whatever you see fit to cover your scope of events. I've re-created the attack and canceled the request on the app to replay the attack and confirm the event appears.
- Extraordinaire20, Feb 06, 2023, Copper Contributor
In my particular case, I do not believe the credentials were compromised.
- MorbrosIT, Feb 06, 2023, Copper Contributor
I'm in the same boat. I thought maybe there was a keylogger on my machine, so I contacted our MDR provider, and they assured me there wasn't. This was after I changed my password 3 times.
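An added triage query, not written by any poster in this thread: it groups the 1003033 denials by user and source IP, marks sources with no location (as with the TOR exit node mentioned above), and flags any successful sign-in from the same IP shortly after a denial. Column names are from the standard SigninLogs schema; the 7-day and 1-hour windows are assumptions to adjust.

```kql
// Added example, not part of the thread. Windows below are assumptions to tune.
let lookback = 7d;   // same scope as the query posted above
let followup = 1h;   // how long after a denial a success still counts as related
let denied =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "1003033"   // user denied the passwordless prompt
    | project DeniedTime = TimeGenerated, UserPrincipalName, IPAddress,
              NoGeo = isempty(Location), AppDisplayName;
let succeeded =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"         // successful sign-in
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress;
denied
// leftouter keeps denials that have no matching success from the same IP
| join kind=leftouter succeeded on UserPrincipalName, IPAddress
| extend Followed = isnotnull(SuccessTime)
    and SuccessTime >= DeniedTime
    and SuccessTime <= DeniedTime + followup
| summarize Denials = dcount(DeniedTime),
            FirstDenied = min(DeniedTime),
            LastDenied = max(DeniedTime),
            NoGeoRows = countif(NoGeo),
            FollowedRows = countif(Followed),
            Apps = make_set(AppDisplayName, 10)
    by UserPrincipalName, IPAddress
| extend SourceHasNoLocation = NoGeoRows > 0,
         SuccessAfterDenial = FollowedRows > 0
| project-away NoGeoRows, FollowedRows
| order by SuccessAfterDenial desc, Denials desc
```

Rows where SuccessAfterDenial is true deserve a closer look than isolated denials, which the thread attributes to someone who knows only the email address.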