Unexpected Microsoft MFA SMS Codes: What Could Be Happening?

Asked By TechieTurtle42 On

Hey folks! I've run into an odd situation with two users who received Microsoft MFA SMS codes even though they didn't attempt to log in during that time. The codes came from the usual SMS number that authenticates logins. We made sure to change their passwords right after the first incident and logged them out of all sessions via the admin portal just to be cautious, but one of them got another SMS code last night! I've looked through all the logs in Entra—sign-in logs, audit logs, and MFA activity logs—but I can't find any sign-ins that correspond with when they received the codes. I even tested another account to see if a sign-in attempt would show up if the user didn't know the code, but nothing appeared. Am I missing something? Could this just be SMS spoofing? Any ideas on where to dig deeper? Thanks!

3 Answers

Answered By SMS_Skeptic On

You really should consider turning off SMS authentication. It’s pretty weak, and there’s a risk of SMS spoofing or cloning. If users are still getting prompts, it suggests that a device not enrolled is trying to access their accounts.

Answered By NetworkNinja23 On

You might want to ensure that when users log into the network, their passwords get updated for 365 too. This could help if there were any credential issues.

Answered By AuditAnalyzer88 On

We've faced similar issues where applications left open can result in repeated authentication prompts. Maybe check the logs closely; sometimes the attempts don’t show properly for SMS authentications like they do for the Authenticator app.

UserWatchdog -

Yeah, I’ve heard this can happen too. Just ensuring not to leave sessions hanging can really cut down those unexpected prompts!
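An added example, not part of any post above: one way to line up the times users reported receiving a code against an exported sign-in log, with every timestamp normalised to UTC and failed or non-interactive events kept in the match. It assumes a JSON export using Microsoft Graph `signIn` property names; the records, user names, IP addresses and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names assume the Microsoft Graph signIn schema.
SIGNINS = [
    {"createdDateTime": "2024-05-01T22:14:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.7",
     "isInteractive": True, "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-05-01T09:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.20",
     "isInteractive": False, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T22:15:05Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.7",
     "isInteractive": True, "status": {"errorCode": 50074}},
]
# Constructed user reports: (UPN, time the SMS arrived, with the user's UTC offset).
SMS_REPORTS = [
    ("alice@example.com", "2024-05-02T00:15:00+02:00"),
    ("bob@example.com", "2024-05-03T03:00:00+00:00"),
]

def parse_ts(value):
    """Parse ISO 8601 (accepting a trailing 'Z') and normalise to UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without offset: {value}")
    return ts.astimezone(timezone.utc)

def correlate(reports, signins, window_minutes=5):
    """Map each report to that user's sign-in events within +/- the window.

    Events are kept regardless of result code or interactivity, so failed
    and non-interactive attempts are not filtered out of the match.
    """
    window = timedelta(minutes=window_minutes)
    results = {}
    for upn, reported in reports:
        when = parse_ts(reported)
        hits = [s for s in signins
                if s["userPrincipalName"].lower() == upn.lower()
                and abs(parse_ts(s["createdDateTime"]) - when) <= window]
        hits.sort(key=lambda s: parse_ts(s["createdDateTime"]))
        results[(upn, reported)] = hits
    return results

if __name__ == "__main__":
    for (upn, reported), hits in correlate(SMS_REPORTS, SIGNINS).items():
        print(upn, reported, "->", len(hits), "event(s)")
        for s in hits:
            print("   ", s["createdDateTime"], s["appDisplayName"], s["ipAddress"],
                  "error", s["status"]["errorCode"])
```

A report that maps to an empty list is the case described in the question: an SMS with no log entry for that user inside the window.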
