Audit Failed Sign-in Attempts in M365

Native Solution

Microsoft 365 Permission Required

High

Global Admin, or any other privileged admin role.

Option 1 Using PowerShell

Connect to Microsoft Graph PowerShell with audit log reading permissions.

Windows PowerShell

 Connect-MgGraph -scopes AuditLog.Read.All

Run the below PowerShell cmdlet to view all users’ sign-in failures in Microsoft 365.

Windows PowerShell

 Get-MgAuditLogSignIn -Filter "Status/Errorcode ne 0" | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ResourceDisplayName | Format-Table

The above cmdlet retrieves Azure AD failed login attempts along with details such as sign-in time, user principal name, application name, and resource name.

Option 2 Using Powershell Script

The above PowerShell cmdlet returns failed login attempts for the past 30 days only.
To overcome this limitation, we have developed a user-friendly PowerShell script that returns logs for the past 180 days.
This script generates different types of reports on Microsoft 365 user’s logon history.
Download and execute the script in the Administrator PowerShell as described below to export and monitor Office 365 user’s failed login attempts report effectively.
./O365UserLoginHistory.ps1 -Failed

O365UserLoginHistory.ps1

Option 3 Using Microsoft Entra Admin Center

Login to the Microsoft Entra admin center.
Navigate to the Sign-in logs tab under Identity»Users»All users.
In the Add filters option, choose the Status field, click Apply, then click on the applied filter and select Failure from the Status drop-down.
Here, you can audit failed sign-ins in your Microsoft 365 for the past 30 days. Additionally, you can filter the logs to view failed sign-ins for specific users or based on the applications.
Click on a particular record in the sign-in logs to see detailed information, such as the sign-in error code, failure reason, authentication details, and more.

AdminDroid Solution

More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Login to the AdminDroid Office 365 portal.
Navigate to the Failed Sign-ins report under Analytics»Sign-in Analytics»Sign-ins.

Here, you can get the Microsoft 365 failed login attempts report, which includes information such as sign-in time, sign-in ID, username, signed-in application, failure cause, failure reason, IP address, device details, country, etc.

Utilize the in-built graphical chart to quickly identify the specific reasons why most of the sign-in attempts are failing in your Microsoft 365 environment.

Explore a full range of reporting options

Analyze suspicious sign-in attempts with a few clicks!

Enhance security across all accounts by leveraging AdminDroid's Microsoft 365 sign-in monitoring tool to pinpoint consecutive failed sign-in attempts from unfamiliar IP addresses or countries!

Witness the report in action using the

Live Demo

Important Tips

Always have a break-glass account as a precautionary measure to prevent lockouts and overcome sign-in failures due to incorrect CA policies.

Before enforcing a CA policy, set it in report-only mode and review the sign-ins failed by report-only policy to prevent any unintended login issues in real-time.

Check the last password change date for users with consecutive failed login attempts and instruct them to change their passwords.

Azure ADKeep Track of Users’ Login Failures to Prevent Security Breaches in Microsoft 365

Showing 1 of 6

What are common causes of sign-in failures and interruptions in Microsoft 365? How to diagnose Microsoft 365 login issues using sign-in error codes? How to track MFA failed sign-ins in Microsoft 365? How to monitor sign-ins that failed to fulfill conditional access policy requirements? How to limit unsuccessful login attempts in Azure AD? How to block or unblock user sign-ins in Microsoft 365?

What are common causes of sign-in failures and interruptions in Microsoft 365?

While accessing the sign-in logs in Microsoft 365, you will encounter three types of sign-in statuses: Success, Failure, and Interrupted. The ‘Success’ state represents sign-ins that were completed successfully. ‘Failure’ and ‘Interrupted’ statuses indicate unsuccessful sign-in attempts due to various reasons.

Microsoft 365 failed sign-ins

Failed sign-ins in Microsoft 365 occur when users are unable to access their accounts. Common causes of failed sign-ins in Microsoft 365 include:

Incorrect credentials: When the user enters the incorrect password.
Account lockout: If the user account is locked due to multiple failed login attempts.
Multi-factor authentication: When the user fails to pass the required multi-factor authentication process.
Conditional access policies: When the sign-in does not meet the conditions specified in the CA policies, such as sign-ins through unmanaged devices, non-compliant devices, network locations, etc.
Disabled account: When the sign-in was blocked for the user.
Expired password: When the user's password expires due to an expiration policy.
Network issues: If connectivity problems prevent the M365 user from reaching the authentication server.

Microsoft 365 interrupted sign-ins

Interrupted sign-ins are sign-in attempts that are not completed due to an interruption in the authentication process. These interruptions can occur for several reasons:

User action: The user navigates away from the login page before completing the sign-in process.
Timeouts: The sign-in process takes too long, and the session times out before authentication completes.
Client-side issues: Problems in the device or browser, such as crashes or closing the tab prematurely.
External authentication: Issues in federated authentication where the process is handed off to another provider but fails to complete.

For proactive security measures, effortlessly discover the list of failed or interrupted sign-ins for Microsoft 365 users using AdminDroid.

With all users’ sign-in report, access details such as sign-in ID, sign-in time, username, signed-in application, authentication details, IP address, risk details, etc.
Use the Sign-in Status filter to easily view the failed logins, interrupted logins, and successful logins separately.

Pro Tip: Make use of the Sign-in Type filter to analyze the interactive as well as non-interactive sign-ins.

How to diagnose Microsoft 365 login issues using sign-in error codes?

When users attempt to sign in to Microsoft 365 across various services, they may encounter different sign-in error codes. In such cases, Microsoft 365 users or admins can utilize the Error code lookup tool to find the cause of the error and the recommended actions to fix it.

Open the Error code lookup tool in your web browser. Enter the error code and click on the Submit button.
Here, you can get the message (reason for the sign-in error) and the appropriate remediation for the error.

Audit M365 failed logins based on sign-in error codes

As a Microsoft 365 admin, you can use MS Graph PowerShell to audit sign-in failures based on specific error codes. To do so, run the following cmdlet with the appropriate error code:

Get-MgAuditLogSignin -Filter "Status/ErrorCode eq <error_code>" | Select-Object –Property Id, CreatedDateTime, AppDisplayName, ResourceDisplayName, UserPrincipalName | Format-Table

Examine login failures based on sign-in error codes using AdminDroid's easy-to-use interface!

Utilize the Report Filtering capability in the failed user sign-ins report to filter the failed login attempts based on a specific error code.
Filtering the report based on a specific error code assists you in identifying how frequently it's happening among your Microsoft 365 users.

Pro Tip: Once the filters are applied, use the Save as View option to save the customized report view for future use.

How to track MFA failed sign-ins in Microsoft 365?

Monitoring failed MFA sign-ins is crucial for detecting unauthorized access attempts. Multiple MFA sign-in failures can indicate an attacker trying to bypass MFA. Monitoring these events enables quick responses to potential security breaches.

Follow the steps provided using the Entra admin center or PowerShell to track the MFA sign-in failures that have occurred in your organization.

Track MFA failures using the Microsoft Entra admin center

Navigate to the Sign-in logs tab under Identity»Users»All users.
Filter the Status column to get only the 'Failure' sign-ins. Further, refine the Authentication requirement column to identify sign-in failures specifically due to 'Multifactor authentication'.

Audit MFA failures using Microsoft Graph PowerShell

Run the below cmdlet in MS Graph PowerShell to retrieve the sign-in failures due to MFA:

Get-MgBetaAuditLogSignIn -Filter "Status/ErrorCode ne 0 and AuthenticationRequirement eq 'multiFactorAuthentication'" | Select-Object –Property Id, CreatedDateTime, AppDisplayName, ResourceDisplayName, UserPrincipalName, IPAddress | Format-Table

Stay ahead of potential threats like MFA fatigue attacks and MITM vulnerabilities using AdminDroid's user-friendly MFA failure tracking.

Identify the root cause and the specific reason for sign-ins failed due to MFA challenges in Microsoft 365.
This report also gives you details, such as the time of MFA failure, user information, the application where the sign-in was attempted, the MFA authentication method used, etc.

How to monitor sign-ins that failed to fulfill conditional access policy requirements?

Monitoring failed sign-ins due to conditional access policies can assist in identifying attempts from unmanaged devices or those that do not comply with organizational policies. This process helps identify suspicious login attempts that don't meet security requirements and enables admins to adjust policies to ensure legitimate sign-ins are not unnecessarily blocked.

Using Microsoft Entra Admin Center

Go to the Microsoft 365 user's Sign-in logs page.
Filter the Conditional Access field to view only the 'Failure' sign-ins due to CA policies in Microsoft 365 for the past 30 days.

Using PowerShell

Run the below cmdlet in MS Graph PowerShell to find the sign-ins that failed to meet the CA policy requirements.

Get-MgAuditLogSignIn -Filter "ConditionalAccessStatus eq 'failure'" | Select-Object –Property CreatedDateTime, Id, UserDisplayName, AppDisplayName, ConditionalAccessStatus, IPAddress | Format-Table

Efficiently audit your organization's sign-ins that failed to meet conditional access requirements!

AdminDroid's dedicated reports enable you to track sign-in failures due to CA policies based on user, location, application, browser, OS, and user type.
Moreover, if a user experiences repeated sign-in failures, you can review the CA policies applied to the user to fix any configuration issues.

Pro Tip: Use the combination of ‘Ctrl + Shift + F’ to find any Microsoft 365 report in the AdminDroid portal.

How to limit unsuccessful login attempts in Azure AD?

Managing security is challenging, especially when protecting user accounts from brute-force and password spray attacks. Attackers often attempt multiple password combinations to gain unauthorized access to your resources. To prevent such suspicious sign-in activities, it's essential to have a robust policy that limits unsuccessful login attempts.

Configure smart lockout in Entra ID

To lock the user account after several unsuccessful login attempts in Azure AD, you can use Smart Lockout. Follow these steps to configure the password protection policy:

Navigate to Password protection in the Microsoft Entra admin center.
Configure the following fields as needed:
- Lockout threshold: Define the number of failed attempts allowed before the account is locked out.
- Lockout duration: Set the time period for which the account will remain locked.
Finally, Save the changes to apply the new lockout policy settings.

Note: After configuring this policy, if a user experiences a specified number of consecutive sign-in failures, subsequent login attempts with the correct password will fail. This happens because the account is temporarily locked for the specified duration.

How to block or unblock user sign-ins in Microsoft 365?

Microsoft 365 admins often need to block or unblock user sign-ins in various scenarios. Here are a few common reasons for disabling a user account:

Blocking sign-ins after multiple failed attempts from unfamiliar locations can protect user data from being compromised.
When an employee leaves the organization permanently or temporarily, blocking their sign-in prevents them from accessing company resources.

Follow the steps below to block or unblock users from signing in to Microsoft 365.

Block or unblock user sign-ins using the Microsoft 365 admin center

Click on the user you want to block or unblock from the Active users page.
To block a user, click on the Block sign-in option, and enable the Block this user from signing in check box.
Click the Save changes button.

Similarly, to unblock the user, uncheck the Block this user from signing in check box, and click the Save changes button.

Note: After blocking or unblocking a user, it may take up to 15 minutes for the changes to take effect.

Block or unblock user sign-ins using PowerShell

To block or unblock user sign-ins in Microsoft 365, first connect to the MS Graph PowerShell with the user read-write permissions.

Connect-MgGraph -Scopes User.ReadWrite.All

Run the ‘Update-MgUser’ cmdlet with the parameter ‘AccountEnabled’ set to false to block Office 365 user sign-ins.

Update-MgUser -UserId <User_Id> -AccountEnabled:$false

Similarly, to unblock the user from sign-in, use the same cmdlet with the parameter ‘AccountEnabled’ set to true.

Update-MgUser -UserId <User_Id> -AccountEnabled:$true

Track repeated login attempts from disabled users with just a few clicks using AdminDroid.

AdminDroid's Disabled Users' Login Attempts report allows you to identify the sign-in attempts made by blocked users.
Here, you can review blocked users' sign-ins with details, such as sign-in time, signed-in user, IP address, sign-in status, etc.

Handy Hint: Utilize the Schedule option available with the reports to receive regular insights via email in formats such as CSV, PDF, XLS, and more.

AdminDroid Microsoft 365 Sign-in AnalyticsEffortlessly explore insights on Microsoft 365 sign-in failures!

AdminDroid’s sign-in analytics tool provides reports such as sign-ins based on single-factor authentication, MFA, CA policies, etc., to effectively monitor users’ login attempts without the need for complex PowerShell scripts.

Enhance the security of your M365 environment by monitoring Entra ID sign-ins with AdminDroid’s unique features:

The Failed User Logins report under Audit»Azure AD»User Logins helps in monitoring Azure failed login attempts to identify security threats, initiate prompt responses, and maintain compliance.

A Quick Summary

Receive Real-Time Alerts for Failed Sign-ins

To mitigate any security risks, set up alerts and define thresholds for failed login attempts to get notified when the number of sign-in failures exceeds a specified threshold.

Audit Login Failures Due to Expired Passwords

Identify users' login failures due to expired passwords and inform them to reset their Microsoft 365 password regularly.

Dedicated Reports for Risky Sign-in Detection

Make use of AdminDroid’s risky sign-in reports categorized by risk level, detection timing, event type, status, and resolved method, to effectively analyze risky sign-ins.

Complete Analysis of Microsoft 365 User Logins

Frequently audit Azure AD sign-in logs to identify all the successful or unsuccessful login attempts in Microsoft 365 to detect any unusual and suspicious sign-in patterns.

Monitor Admin Login Failures Effortlessly

Admindroid’s Admin Login Failure report helps identify failed logins on all admin accounts to pinpoint any suspicious activity, ensuring a secure Microsoft 365 environment.

Explore All Failed Activities in Microsoft 365

Use the Failed Activities Trend dashboard to get an overview of login failures and other activity issues across Azure AD, Exchange, SPO, Teams, OneDrive, and more.

In summary, AdminDroid helps you stay informed about M365 suspicious sign-in attempts and safeguards against potential security risks. With its extensive range of reports, you can easily identify and mitigate any threats in your organization.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps in Retrieving Microsoft 365 Users’ Failed Login Report

The following are the possible errors and troubleshooting hints while exploring sign-in failure history in Microsoft 365.

Error: Get-MgAuditLogSignIn : You cannot perform the requested operation, required scopes are missing in the token.

This error occurs when the MS Graph module does not have permission to audit the sign-in events.

Troubleshooting hint :Connect to the MS Graph PowerShell using the below cmdlet and allow permission to access sign-in logs.

Connect-MgGraph -Scopes "AuditLog.Read.All"

Error: Get-MgAuditLogSignIn : One or more errors occurred.

The error occurs due to conflicts between two installed versions of the Microsoft Graph PowerShell module.

Troubleshooting hint :To fix the problem, we need to remove all installed versions of the module and then install the latest ones which help resolve the issue.

Error: ./O365UserLoginHistory.ps1 cannot be loaded because running scripts is disabled on this system.

If you have set the execution policy settings to ‘RemoteSigned’, the above error will occur while running the PowerShell script.

Troubleshooting hint :Change the execution policy settings by running the below cmdlet.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Error: End time should be later than start time.

This issue occurs when you try to run the O365UserLoginHistory.ps1 script with the end date earlier than the start date.

Troubleshooting hint :Ensure that the date format is correct, and the end date comes ahead of the start date.

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Track Failed Login Attempts in Microsoft 365