Sign-in Log Analysis [CHK-1188]
This check analyzes Microsoft Entra ID sign-in logs over a rolling 30-day window to identify security concerns. It tracks single-factor authentication usage, MFA adoption rates across users and applications, and detects brute-force attack indicators. The check runs daily and accumulates data incrementally. It requires an Entra ID P1 or higher license.
The check distinguishes between two types of single-factor sign-ins:
- Client-actionable: Conditional Access policies apply but still allow single-factor authentication. These represent gaps in your MFA policies that you can address.
- Microsoft-exempted: Conditional Access policies are not applied due to Microsoft's own exemptions. These are outside your direct control.
Only interactive sign-ins are evaluated; non-interactive and background authentication events are excluded.
Rationale
Single-factor authentication is one of the most common attack vectors for account compromise. Without MFA, a stolen or guessed password is all an attacker needs to gain access. Monitoring MFA adoption rates and identifying users and applications that still rely on single-factor authentication helps you close security gaps before they are exploited.
Brute-force attacks, where an attacker tries many passwords against one or more accounts, are a persistent threat. Detecting users with an unusually high number of failed sign-ins (more than 10 in a single day) provides an early warning of potential account targeting or compromise attempts.
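The three measurements described above (client-actionable vs. Microsoft-exempted single-factor sign-ins, per-app MFA rate, and the more-than-10-failures-per-day brute-force indicator) can be reproduced from exported sign-in records. The script below is an added illustration, not the check's own code; the record fields follow the Microsoft Graph signIn resource, the sample records are constructed, and mapping a conditionalAccessStatus of "notApplied" to "Microsoft-exempted" is an assumption about how the check classifies.

```python
from collections import Counter

# Constructed sample records shaped like Microsoft Graph signIn objects.
# Field names are assumed from the Graph schema; error code 50126 is "invalid credentials".
def rec(ts, user, app, req, ca, err=0, interactive=True):
    return {"createdDateTime": ts, "userPrincipalName": user, "appDisplayName": app,
            "authenticationRequirement": req, "conditionalAccessStatus": ca,
            "status": {"errorCode": err}, "isInteractive": interactive}

SIGNINS = [
    rec("2024-05-01T08:00:00Z", "alice@example.com", "Outlook", "multiFactorAuthentication", "success"),
    rec("2024-05-01T08:05:00Z", "bob@example.com", "Outlook", "singleFactorAuthentication", "success"),        # CA applied, still single-factor
    rec("2024-05-01T09:00:00Z", "carol@example.com", "Azure Portal", "singleFactorAuthentication", "notApplied"),  # CA not applied at all
    rec("2024-05-01T09:10:00Z", "dave@example.com", "Teams", "singleFactorAuthentication", "success", interactive=False),  # non-interactive, excluded
] + [rec(f"2024-05-02T10:{m:02d}:00Z", "bob@example.com", "Outlook", "singleFactorAuthentication", "failure", err=50126)
     for m in range(12)]  # 12 failed attempts against one account in one day

FAILED_SIGNIN_THRESHOLD = 10  # per user per day, as stated in the check description

def _successful_interactive(records):
    """Only interactive sign-ins are evaluated; failures are handled by the brute-force indicator."""
    return [r for r in records if r["isInteractive"] and r["status"]["errorCode"] == 0]

def classify_single_factor(records):
    """Return the users behind each single-factor sign-in, split by who can act on it."""
    out = {"client_actionable": [], "microsoft_exempted": []}
    for r in _successful_interactive(records):
        if r["authenticationRequirement"] != "singleFactorAuthentication":
            continue
        # Assumption: "notApplied" means Microsoft's own exemption; any other status means a CA policy ran.
        bucket = "microsoft_exempted" if r["conditionalAccessStatus"] == "notApplied" else "client_actionable"
        out[bucket].append(r["userPrincipalName"])
    return out

def mfa_rate_per_app(records):
    """Fraction of successful interactive sign-ins per application that satisfied MFA."""
    totals, mfa = Counter(), Counter()
    for r in _successful_interactive(records):
        totals[r["appDisplayName"]] += 1
        if r["authenticationRequirement"] == "multiFactorAuthentication":
            mfa[r["appDisplayName"]] += 1
    return {app: mfa[app] / totals[app] for app in totals}

def brute_force_indicators(records, threshold=FAILED_SIGNIN_THRESHOLD):
    """Users with more than `threshold` failed interactive sign-ins on any single day."""
    failures = Counter()
    for r in records:
        if r["isInteractive"] and r["status"]["errorCode"] != 0:
            failures[(r["userPrincipalName"], r["createdDateTime"][:10])] += 1  # key: (user, YYYY-MM-DD)
    return sorted({user for (user, _day), n in failures.items() if n > threshold})
```

The per-app rates are the basis for the prioritisation the Fix section describes: the lowest-rate applications are the ones to review first.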
Fix
No automated fix is available for this check.
For brute-force indicators:
- Investigate the affected user accounts listed in the alert for signs of compromise.
- Reset passwords immediately if compromise is suspected.
- Enable MFA for all affected user accounts.
- Consider blocking the user account temporarily if the attack is ongoing.
For client-actionable single-factor sign-ins:
- Review your Conditional Access policies in the Microsoft Entra admin center at https://entra.microsoft.com.
- Identify gaps where MFA is not enforced for specific users, groups, or applications.
- Ensure MFA policies cover all users and all applications, especially the top offending apps listed in the alert.
- Check for Conditional Access policy exclusions that may be leaving users unprotected.
- Use the per-app MFA rate breakdown provided in the check to prioritize which applications to address first.
Impact
Addressing the findings from this check strengthens your tenant's authentication security. Enforcing MFA across all users and applications significantly reduces the risk of account compromise. Investigating brute-force indicators promptly helps prevent unauthorized access before it occurs.