🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Track Failed Login Attempts in Microsoft 365

Are you struggling to ensure secure user access in your Microsoft 365 environment? One crucial step in identifying security threats is monitoring failed sign-in logs, which can reveal brute force attacks and other suspicious login attempts. By accessing and interpreting these logs, admins can take timely actions to enhance security measures for M365 users. This guide will help you analyze the failed login attempts in Microsoft 365 to effectively mitigate security risks.

Option 1
Option 2
Option 3
Option 4
Important Tips
Errors and Resolution Steps
FAQs

Using PowerShell

Microsoft 365 Permission Required
Global Admin, or any other privileged admin role.
  • Connect to Microsoft Graph PowerShell with audit log reading permissions.
  • Windows PowerShell Windows PowerShell 
     Connect-MgGraph -scopes AuditLog.Read.All
  • Run the below PowerShell cmdlet to view all users’ sign-in failures in Microsoft 365.
  • Windows PowerShell Windows PowerShell 
     Get-MgAuditLogSignIn -Filter "Status/Errorcode ne 0" | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ResourceDisplayName | Format-Table
  • The above cmdlet retrieves Azure AD failed login attempts along with details such as sign-in time, user principal name, application name, and resource name.
Using PowerShell

Using Powershell Script

Microsoft 365 Permission Required
Global Admin, or any other privileged admin role.
  • The above PowerShell cmdlet returns failed login attempts for the past 30 days only.
  • To overcome this limitation, we have developed a user-friendly PowerShell script that returns logs for the past 180 days.
  • This script generates different types of reports on Microsoft 365 user’s logon history.

  • Download and execute the script in the Administrator PowerShell as described below to export and monitor Office 365 user’s failed login attempts report effectively.

    ./O365UserLoginHistory.ps1 -Failed
Using Powershell Script
O365UserLoginHistory.ps1

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
Global Admin, or any other privileged admin role.
  • Login to the Microsoft Entra admin center.
  • Navigate to the Sign-in logs tab under Identity»Users»All users.
  • In the Add filters option, choose the Status field, click Apply, then click on the applied filter and select Failure from the Status drop-down.
  • Here, you can audit failed sign-ins in your Microsoft 365 for the past 30 days. Additionally, you can filter the logs to view failed sign-ins for specific users or based on the applications.
  • Click on a particular record in the sign-in logs to see detailed information, such as the sign-in error code, failure reason, authentication details, and more.
Using Microsoft Entra Admin Center
AdminDroid Microsoft 365 Sign-in Analytics

Effortlessly explore insights on Microsoft 365 sign-in failures!

AdminDroid’s sign-in analytics tool provides reports such as sign-ins based on single-factor authentication, MFA, CA policies, etc., to effectively monitor users’ login attempts without the need for complex PowerShell scripts.

Receive Real-Time Alerts for Failed Sign-ins

To mitigate any security risks, set up alerts and define thresholds for failed login attempts to get notified when the number of sign-in failures exceeds a specified threshold.

Audit Login Failures Due to Expired Passwords

Identify users' login failures due to expired passwords and inform them to reset their Microsoft 365 password regularly.

Dedicated Reports for Risky Sign-in Detection

Make use of AdminDroid’s risky sign-in reports categorized by risk level, detection timing, event type, status, and resolved method, to effectively analyze risky sign-ins.

Complete Analysis of Microsoft 365 User Logins

Frequently audit Azure AD sign-in logs to identify all the successful or unsuccessful login attempts in Microsoft 365 to detect any unusual and suspicious sign-in patterns.

Monitor Admin Login Failures Effortlessly

Admindroid’s Admin Login Failure report helps identify failed logins on all admin accounts to pinpoint any suspicious activity, ensuring a secure Microsoft 365 environment.

Explore All Failed Activities in Microsoft 365

Use the Failed Activities Trend dashboard to get an overview of login failures and other activity issues across Azure AD, Exchange, SPO, Teams, OneDrive, and more.

In summary, AdminDroid helps you stay informed about M365 suspicious sign-in attempts and safeguards against potential security risks. With its extensive range of reports, you can easily identify and mitigate any threats in your organization.

Explore a full range of reporting options
Download Live Demo

Important Tips

Always have a break-glass account as a precautionary measure to prevent lockouts and overcome sign-in failures due to incorrect CA policies.

Before enforcing a CA policy, set it in report-only mode and review the sign-ins failed by report-only policy to prevent any unintended login issues in real-time.

Check the last password change date for users with consecutive failed login attempts and instruct them to change their passwords.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while exploring sign-in failure history in Microsoft 365.

Error Get-MgAuditLogSignIn : You cannot perform the requested operation, required scopes are missing in the token.

This error occurs when the MS Graph module does not have permission to audit the sign-in events.

Fix Connect to the MS Graph PowerShell using the below cmdlet and allow permission to access sign-in logs. 
Connect-MgGraph -Scopes "AuditLog.Read.All"

Error Get-MgAuditLogSignIn : One or more errors occurred.

The error occurs due to conflicts between two installed versions of the Microsoft Graph PowerShell module.

Fix To fix the problem, we need to remove all installed versions of the module and then install the latest ones which help resolve the issue.

Error ./O365UserLoginHistory.ps1 cannot be loaded because running scripts is disabled on this system.

If you have set the execution policy settings to ‘RemoteSigned’, the above error will occur while running the PowerShell script.

Fix Change the execution policy settings by running the below cmdlet. 
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Error End time should be later than start time.

This issue occurs when you try to run the O365UserLoginHistory.ps1 script with the end date earlier than the start date.

Fix Ensure that the date format is correct, and the end date comes ahead of the start date.
Azure AD

Frequently Asked Questions

Keep Track of Users’ Login Failures to Prevent Security Breaches in Microsoft 365

What are common causes of sign-in failures and interruptions in Microsoft 365?

What are common causes of sign-in failures and interruptions in Microsoft 365? +

While accessing the sign-in logs in Microsoft 365, you will encounter three types of sign-in statuses: Success, Failure, and Interrupted. The ‘Success’ state represents sign-ins that were completed successfully. ‘Failure’ and ‘Interrupted’ statuses indicate unsuccessful sign-in attempts due to various reasons.

Microsoft 365 failed sign-ins

Failed sign-ins in Microsoft 365 occur when users are unable to access their accounts. Common causes of failed sign-ins in Microsoft 365 include:

  • Incorrect credentials: When the user enters the incorrect password.
  • Account lockout: If the user account is locked due to multiple failed login attempts.
  • Multi-factor authentication: When the user fails to pass the required multi-factor authentication process.
  • Conditional access policies: When the sign-in does not meet the conditions specified in the CA policies, such as sign-ins through unmanaged devices, non-compliant devices, network locations, etc.
  • Disabled account: When the sign-in was blocked for the user.
  • Expired password: When the user's password expires due to an expiration policy.
  • Network issues: If connectivity problems prevent the M365 user from reaching the authentication server.

Microsoft 365 interrupted sign-ins

Interrupted sign-ins are sign-in attempts that are not completed due to an interruption in the authentication process. These interruptions can occur for several reasons:

  • User action: The user navigates away from the login page before completing the sign-in process.
  • Timeouts: The sign-in process takes too long, and the session times out before authentication completes.
  • Client-side issues: Problems in the device or browser, such as crashes or closing the tab prematurely.
  • External authentication: Issues in federated authentication where the process is handed off to another provider but fails to complete.

For proactive security measures, effortlessly discover the list of failed or interrupted sign-ins for Microsoft 365 users using AdminDroid.

  • With all users’ sign-in report, access details such as sign-in ID, sign-in time, username, signed-in application, authentication details, IP address, risk details, etc.
  • Use the Sign-in Status filter to easily view the failed logins, interrupted logins, and successful logins separately.
failed-and-interrupted-signins

Pro Tip: Make use of the Sign-in Type filter to analyze the interactive as well as non-interactive sign-ins.

How to diagnose Microsoft 365 login issues using sign-in error codes?

How to diagnose Microsoft 365 login issues using sign-in error codes? +

When users attempt to sign in to Microsoft 365 across various services, they may encounter different sign-in error codes. In such cases, Microsoft 365 users or admins can utilize the Error code lookup tool to find the cause of the error and the recommended actions to fix it.

  • Open the Error code lookup tool in your web browser. Enter the error code and click on the Submit button.
  • Here, you can get the message (reason for the sign-in error) and the appropriate remediation for the error.
error-code-lookup-tool

Audit M365 failed logins based on sign-in error codes

As a Microsoft 365 admin, you can use MS Graph PowerShell to audit sign-in failures based on specific error codes. To do so, run the following cmdlet with the appropriate error code:

Get-MgAuditLogSignin -Filter "Status/ErrorCode eq <error_code>" | Select-Object –Property Id, CreatedDateTime, AppDisplayName, ResourceDisplayName, UserPrincipalName | Format-Table
error-code-signins-ps

Examine login failures based on sign-in error codes using AdminDroid's easy-to-use interface!

  • Utilize the Report Filtering capability in the failed user sign-ins report to filter the failed login attempts based on a specific error code.
  • Filtering the report based on a specific error code assists you in identifying how frequently it's happening among your Microsoft 365 users.
error-code-ad-filter

Pro Tip: Once the filters are applied, use the Save as View option to save the customized report view for future use.

How to track MFA failed sign-ins in Microsoft 365?

How to track MFA failed sign-ins in Microsoft 365? +

Monitoring failed MFA sign-ins is crucial for detecting unauthorized access attempts. Multiple MFA sign-in failures can indicate an attacker trying to bypass MFA. Monitoring these events enables quick responses to potential security breaches.

Follow the steps provided using the Entra admin center or PowerShell to track the MFA sign-in failures that have occurred in your organization.

Track MFA failures using the Microsoft Entra admin center

  • Navigate to the Sign-in logs tab under Identity»Users»All users.
  • Filter the Status column to get only the 'Failure' sign-ins. Further, refine the Authentication requirement column to identify sign-in failures specifically due to 'Multifactor authentication'.
mfa-signin-failures-entra

Audit MFA failures using Microsoft Graph PowerShell

Run the below cmdlet in MS Graph PowerShell to retrieve the sign-in failures due to MFA:

Get-MgBetaAuditLogSignIn -Filter "Status/ErrorCode ne 0 and AuthenticationRequirement eq 'multiFactorAuthentication'" | Select-Object –Property Id, CreatedDateTime, AppDisplayName, ResourceDisplayName, UserPrincipalName, IPAddress | Format-Table
mfa-signin-failures-ps

Stay ahead of potential threats like MFA fatigue attacks and MITM vulnerabilities using AdminDroid's user-friendly MFA failure tracking.

  • Identify the root cause and the specific reason for sign-ins failed due to MFA challenges in Microsoft 365.
  • This report also gives you details, such as the time of MFA failure, user information, the application where the sign-in was attempted, the MFA authentication method used, etc.
mfa-failure-ad

How to monitor sign-ins that failed to fulfill conditional access policy requirements?

How to monitor sign-ins that failed to fulfill conditional access policy requirements? +

Monitoring failed sign-ins due to conditional access policies can assist in identifying attempts from unmanaged devices or those that do not comply with organizational policies. This process helps identify suspicious login attempts that don't meet security requirements and enables admins to adjust policies to ensure legitimate sign-ins are not unnecessarily blocked.

Using Microsoft Entra Admin Center

  • Go to the Microsoft 365 user's Sign-in logs page.
  • Filter the Conditional Access field to view only the 'Failure' sign-ins due to CA policies in Microsoft 365 for the past 30 days.
ca-failure-entra

Using PowerShell

Run the below cmdlet in MS Graph PowerShell to find the sign-ins that failed to meet the CA policy requirements.

Get-MgAuditLogSignIn -Filter "ConditionalAccessStatus eq 'failure'" | Select-Object –Property CreatedDateTime, Id, UserDisplayName, AppDisplayName, ConditionalAccessStatus, IPAddress | Format-Table
ca-failure-ps

Efficiently audit your organization's sign-ins that failed to meet conditional access requirements!

ca-failure-ad

Pro Tip: Use the combination of ‘Ctrl + Shift + F’ to find any Microsoft 365 report in the AdminDroid portal.

How to limit unsuccessful login attempts in Azure AD?

How to limit unsuccessful login attempts in Azure AD? +

Managing security is challenging, especially when protecting user accounts from brute-force and password spray attacks. Attackers often attempt multiple password combinations to gain unauthorized access to your resources. To prevent such suspicious sign-in activities, it's essential to have a robust policy that limits unsuccessful login attempts.

Configure smart lockout in Entra ID

To lock the user account after several unsuccessful login attempts in Azure AD, you can use Smart Lockout. Follow these steps to configure the password protection policy:

  • Navigate to Password protection in the Microsoft Entra admin center.
  • Configure the following fields as needed:
    • Lockout threshold: Define the number of failed attempts allowed before the account is locked out.
    • Lockout duration: Set the time period for which the account will remain locked.
  • Finally, Save the changes to apply the new lockout policy settings.
configure-smart-lockout

Note: After configuring this policy, if a user experiences a specified number of consecutive sign-in failures, subsequent login attempts with the correct password will fail. This happens because the account is temporarily locked for the specified duration.

How to block or unblock user sign-ins in Microsoft 365?

How to block or unblock user sign-ins in Microsoft 365? +

Microsoft 365 admins often need to block or unblock user sign-ins in various scenarios. Here are a few common reasons for disabling a user account:

  • Blocking sign-ins after multiple failed attempts from unfamiliar locations can protect user data from being compromised.
  • When an employee leaves the organization permanently or temporarily, blocking their sign-in prevents them from accessing company resources.

Follow the steps below to block or unblock users from signing in to Microsoft 365.

Block or unblock user sign-ins using the Microsoft 365 admin center

  • Click on the user you want to block or unblock from the Active users page.
  • To block a user, click on the Block sign-in option, and enable the Block this user from signing in check box.
  • Click the Save changes button.
block-signin-admin-center

Similarly, to unblock the user, uncheck the Block this user from signing in check box, and click the Save changes button.

Note: After blocking or unblocking a user, it may take up to 15 minutes for the changes to take effect.

Block or unblock user sign-ins using PowerShell

To block or unblock user sign-ins in Microsoft 365, first connect to the MS Graph PowerShell with the user read-write permissions.

Connect-MgGraph -Scopes User.ReadWrite.All

Run the ‘Update-MgUser’ cmdlet with the parameter ‘AccountEnabled’ set to false to block Office 365 user sign-ins.

Update-MgUser -UserId <User_Id> -AccountEnabled:$false

Similarly, to unblock the user from sign-in, use the same cmdlet with the parameter ‘AccountEnabled’ set to true.

Update-MgUser -UserId <User_Id> -AccountEnabled:$true

Track repeated login attempts from disabled users with just a few clicks using AdminDroid.

  • AdminDroid's Disabled Users' Login Attempts report allows you to identify the sign-in attempts made by blocked users.
  • Here, you can review blocked users' sign-ins with details, such as sign-in time, signed-in user, IP address, sign-in status, etc.
disabled-users-login-attempts

Handy Hint: Utilize the Schedule option available with the reports to receive regular insights via email in formats such as CSV, PDF, XLS, and more.

+

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Track Failed Login Attempts in Microsoft 365
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo