Process: Multi-Factor Authentication Fraud Alert
This alert is raised when a user reports an MFA request as fraudulent activity. Doing so blocks MFA for that user, and all further MFA attempts will be blocked until an Administrator unblocks them.
Example Scenarios:
a. A malicious user is attempting to sign in with correct credentials but is required to complete MFA. When the legitimate user receives this MFA request, they click "Fraudulent activity" because it was not them.
b. The legitimate user attempts to authenticate via MFA and accidentally presses the wrong button.
c. The legitimate user attempts to authenticate via MFA, misses the prompt on their device or phone call, and the sign-in times out.
Process:
1. From the ticket, gather the user and the date/time of the fraud alert. Please note that the date/time is in American format (month/day/year) and in UTC.
2. Go to AAD/Entra ID (https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)
3. Select Users on the Left
4. Search and select User.
5. Go to Sign in Logs and change Date Filter to at least “7 days”.
6. Using the date and time from the ticket, locate a Failure or Interrupted sign-in on or shortly before that time.
7. Check the IP address of this failed sign-in and compare it to the IP addresses of previous successful sign-ins. If the IP address is one the user commonly signs in from, it is highly likely that the MFA fraud alert is user error and not malicious.
8. Have ITSD contact the user to confirm the following. (This is not an exhaustive list and can vary case by case.)
"@ITSD - Can you please contact <USER> and confirm the following:
1. Was the user having an MFA issue on <DATE/TIME in British Timezone>?
2. Was the user sent an MFA code without their knowledge?"
9. If the user confirms the activity was theirs, the MFA can be unblocked; go to Step 11.
10. If the user confirms that the activity is fraudulent/malicious, then the following needs to be performed:
i. Account disabled in AD
ii. Revoke User Sessions in AAD/Entra ID
iii. Password Reset with ITSD
iv. FULL AV Scan performed on Device with ITSD
v. After all have been done, MFA can be unblocked.
11. To unblock MFA for user, do the following:
a. Go to AAD/Entra ID -> Security -> Multifactor Authentication -> block/unblock users (https://portal.azure.com/#view/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/~/BlockedUsers/fromProviders~/false)
b. Unblock User
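The triage logic of Steps 1, 6 and 7 (parse the American-format UTC ticket time, find Failure/Interrupted sign-ins shortly before it, and compare their IPs against the user's previous successful sign-ins) as an added worked example; this is not part of the runbook and the sign-in records, their field names and the 15-minute window are constructed assumptions, simplified from the shape of Entra ID sign-in log entries.

```python
"""Triage helper for MFA fraud alerts, mirroring Steps 1, 6 and 7 of the runbook."""
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (assumed, simplified field names; not the
# exact Entra ID / Graph schema). Times are ISO 8601 in UTC.
SIGN_INS = [
    {"time": "2024-03-04T08:02:11Z", "ip": "203.0.113.10", "status": "Success"},
    {"time": "2024-03-05T08:05:40Z", "ip": "203.0.113.10", "status": "Success"},
    {"time": "2024-03-06T09:15:02Z", "ip": "203.0.113.10", "status": "Success"},
    {"time": "2024-03-07T13:41:55Z", "ip": "198.51.100.77", "status": "Failure"},
    {"time": "2024-03-07T13:44:10Z", "ip": "203.0.113.10", "status": "Interrupted"},
]


def parse_alert_time(us_text):
    """Ticket timestamps are American format (MM/DD/YYYY HH:MM) and already UTC."""
    return datetime.strptime(us_text, "%m/%d/%Y %H:%M").replace(tzinfo=timezone.utc)


def to_uk_display(dt):
    """British day/month ordering for the ITSD confirmation request in Step 8."""
    return dt.strftime("%d/%m/%Y %H:%M UTC")


def triage(sign_ins, alert_time, window=timedelta(minutes=15)):
    """Return (verdict, events). Candidates are Failure/Interrupted sign-ins inside
    the window ending at the alert; the baseline is IPs of successful sign-ins
    from before that window, so an attacker's own activity near the alert is not
    mistaken for the user's normal location."""
    window_start = alert_time - window
    known_ips, candidates = set(), []
    for rec in sign_ins:
        t = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        if t > alert_time:
            continue  # only events on or before the alert matter
        if rec["status"] == "Success" and t < window_start:
            known_ips.add(rec["ip"])
        elif rec["status"] in ("Failure", "Interrupted") and t >= window_start:
            candidates.append(rec)
    if not candidates:
        return "no-candidate-sign-in", []
    unknown = [c for c in candidates if c["ip"] not in known_ips]
    if unknown:
        return "unknown-ip-confirm-with-user", unknown
    return "likely-user-error", candidates
```

The verdict is a triage hint only; the ITSD confirmation in Step 8 still decides whether Step 9 or Step 10 applies.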