identity protection
176 Topics

Anomalous Token & activity from Microsoft
Hi, I am trying to understand the following activity. I have had a few users in my organization flagged as a "Risky User" due to an anomalous token. This is normally supposed to flag if a user's session token is stolen and replayed. Upon investigating the flagged sign-ins, the IP addresses used for these are within Microsoft's Exchange Online IP range.
Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs
52.96.172.x
It is also common to see these as non-interactive sign-ins. I am trying to understand why there would be a sign-in from a Microsoft Exchange Online IP address to one of our accounts that would be attempting to use a token from a user's client as per the error message reported? Is there a service running in Exchange Online I am not aware of that signs in on the user's behalf? Why would it be using a token granted to a user's device? I have also noticed consistent activity from these IP addresses in Cloud App Security. Any help or clarification would be greatly appreciated!
Kind Regards, Jacques
72K Views 2 likes 1 Comment

Allow Use of Microsoft Authenticator OTP in Azure AD
Hi All, We wanted to enable number matching and Passwordless with the Microsoft Authenticator app, and when I go there I can see the below setting under configurations. But I wanted to make sure what that setting is and what the recommended configuration is for this "Allow Use of Microsoft Authenticator OTP" before configuring it in a production environment. I would appreciate it if anyone could help me with this.
Thanks, Dilan
Solved 60K Views 0 likes 7 Comments

Users flagged for risk - Azure AD Identity Protection
So new to the Azure AD Identity Protection. So I get the email for Azure AD Identity Protection Weekly Digest. So my user visits Canada and I get the alert and I know he is in Canada; I have confirmed it with him and his Admin. Under details, do I mark Resolve or Mark as false positive? I would believe it should be marked as false positive, so yes, the person did visit this location. Please confirm if I am correct, thanks.
Solved 13K Views 0 likes 7 Comments

Azure ATP Sensor Setup - service not starting - missing dependency
When installing Azure ATP Sensor Setup it just stalls midway and then rolls back the installation. I've looked into the logs and can see it's unable to start up the service AATPSensorUpdater. I did a dependency check and the WMI Performance Adapter (wmiApSrv) service is missing, which is a dependency. We got 3 domain controllers; the setup only completed on one (it also got the WMI Performance Adapter (wmiApSrv) service). My question is now, how do I get the WMI Performance Adapter (wmiApSrv) service on the other 2 domain controllers so I can complete the installation? We are running virtual servers with VMware (WS2019).
13K Views 1 like 18 Comments

Excessive MFA prompts for a specific user
One specific user in my tenant is prompted for MFA multiple times/day. Our conditional access policies specify that a user must re-authenticate every 90 days with MFA. All other users do not get prompted daily without a new risk factor like new device/unknown IP address.
I have tried the following:
- Re-registered authentication methods and revoked previous multifactor auth sessions.
- Enabled Multifactor Authentication in Security Defaults for this user (rather than conditional access).
- Exempted this user from the standard CA policy, and created a new one.
None of these steps have helped. Microsoft support was no help.
Some other information:
- This user uses 1 to 2 IP addresses throughout the week. (Home and office)
- This user is using the same devices every day. We have replaced the devices and the issue persists.
- There are at least 1, up to 5 prompts daily.
- No other users are experiencing this issue, and MFA behaves as expected.
- Azure Identity Protection lists the risk for this user as none. Zero risk detections within the last 90 days.
Any suggestions are appreciated.
11K Views 0 likes 7 Comments