Reading time:
3 min

Tracking failed login attempts in Azure AD

Built-in SaaS Security Not Nearly Enough for O365 Safety

Monitoring and tracking all cyber-attacks is a daunting task for IT groups these days. And the attackers are becoming ever more creative. Often, they try to login with different credentials at random to throw off detection, many times for each account with failure after failure. When it comes to tracking failed login attempts, it’s possible to thwart the attack before it becomes is successful. But you gotta know what to watch out for and alert the right administrators when a specific cycle is identified.

Directory logs are often the only record that suspicious behavior is taking place. It’s not easy for IT admins to monitor all users’ failed logins, and this gets even more complicated when you’re expected to know every place where the credentials are used. There might be several reasons why a login failed, such as a bad user name, or a password has expired, or the account was disabled.

So, admins should ask themselves:

  • Who has signed-in?
  • Which apps were signed into?
  • Which sign-ins were failures and why?

Obtaining a list of the accounts that have failed logins can be difficult. To simplify this monitoring and tracking we have introduced a new report within CoreView: Sign-in Failed.

This report displays all the details that Azure Active Directory tracks about failed sign-ins per user, including the sign-in error code and the failure reason. You can also track the IP Address, Country, City, Password failure, and other info.

failed report Azure AD

We have also enhanced this report with geographic representation for location mapping searches, along with pivot point analysis and remediation management actions from directly inside the report.
IT admins can also visualize information on the login failures and the reason codes through a map interface overlay. This is very useful to make quick decisions and identify the best remediation action effectively.

failed Azure AD Map

Using V-tenants organizations can also segment the information in this report. If you assign a specific administrator to ONLY view a subset of users, then that is the only grouping of user activity, including failed logins, which will be shown in the CoreView reports for them.

These reports can also be added to the ‘Favorite Report’ area by clicking on the star icon close the report name. This enables quick and easy access under the ‘Analyze’ tab once you have logged into the portal. The columns can also be filtered, and as with other reports in CoreView, it is simple to export, save, print, or schedule the report to run on a regular basis.

In the top right corner of the table you can also adjust the time interval for the data items shown in the report. By using the drop-down picklist: yesterday, 7, 14, 30, 60 or 90 days, or your preferred date range, it is possible to filter the information quickly to see only the dates that fit your reporting needs.

time interval for the data items

Would you like to view this report within your environment? If you already have CoreView deployed, you can find this report under the ‘Analyze’ tab together with other Office 365 reports. Otherwise, signup today for our free demo to see these features in action.

**Note:Your tenant must have an Azure AD Premium license associated with it to see the all up sign-in activity report.

See how CoreView can help you with this

Learn more about securing and optimizing your M365 and other SaaS applications.