Azure AD Sign-In Logs Credential Stuffing

Detecting Credential Stuffing / Brute Force in Azure AD Sign-In Logs

Why this matters

Azure AD / Entra ID is the front door to almost everything in a modern Microsoft 365 environment — mail, files, Teams, and usually a dozen federated SaaS apps besides. A successful brute-force or credential-stuffing hit against it isn’t “one account compromised,” it’s “one identity that can now reach everything that identity was trusted with.”

Indicators to look for in Azure AD sign-in logs

  • Repeated status.errorCode values for invalid credentials against the same userPrincipalName, especially from a single IP or a small rotating pool
  • A burst of failures across many different userPrincipalName values from the same source — this is password spraying, the credential-stuffing variant that targets breadth over depth
  • A riskLevelAggregated of medium or high that wasn’t acted on before a later successful sign-in
  • Sign-in attempts using userAgent strings associated with known authentication-attack tooling rather than real browsers
  • IP addresses or ASNs already flagged by external threat intelligence as credential-stuffing infrastructure

How LogTriage detects this

LogTriage enriches every sign-in’s source IP against ASN reputation, AbuseIPDB, OTX, GreyNoise, and ThreatFox in addition to the rule-based credential-stuffing pattern detector. For Azure AD specifically, Microsoft’s own riskLevelAggregated field is folded directly into the event’s risk factors — so when Entra ID already suspected something and nothing was done about it, that gap is visible in the report instead of buried in a console nobody checked that day.

Detection / evidence checklist

  • Determine whether this is targeted (one account, many passwords) or spray (many accounts, few passwords)
  • Check if any of the targeted accounts have weak or reused passwords — that’s your real exposure
  • Confirm smart lockout / Conditional Access sign-in risk policies are actually enabled, not just available
  • Force MFA enrollment for any account without it, prioritizing accounts with elevated privileges
  • Block the source IP/ASN range at the Conditional Access named-locations level if the activity is ongoing
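The indicator list above and the first checklist item both come down to the same triage question: for each source IP, is the failure series deep on one account (targeted) or wide across many accounts (spray), and did a risky success follow it? The following added example (not LogTriage code) runs that logic over constructed records shaped like Entra ID sign-in log entries; the thresholds, the sample addresses and the contoso.example tenant are assumptions, and 50126 is the Entra ID error code for an invalid username or password.

```python
"""Credential-stuffing / password-spray triage over Azure AD sign-in log records."""
from collections import defaultdict

# Constructed sample records using the sign-in log fields the page names:
# userPrincipalName, ipAddress, status.errorCode, riskLevelAggregated.
# errorCode 50126 = invalid username or password; 0 = successful sign-in.
SAMPLE_EVENTS = [
    {"userPrincipalName": f"user{i}@contoso.example", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126}, "riskLevelAggregated": "none"} for i in range(12)
] + [
    {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126}, "riskLevelAggregated": "none"} for _ in range(8)
] + [
    # success on the hammered account, with Entra's own risk score left unactioned
    {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}, "riskLevelAggregated": "high"},
]

INVALID_CREDS = {50126}     # add further failure codes as your tenant's baseline warrants
FAILURE_THRESHOLD = 5       # assumed: minimum failures per source before we report it
SPRAY_ACCOUNTS = 5          # assumed: distinct accounts from one source that marks a spray


def triage(events, threshold=FAILURE_THRESHOLD):
    """Group invalid-credential failures by source IP, classify each source as
    'spray' (breadth over depth) or 'targeted' (depth on few accounts), and
    attach any medium/high-risk success from the same source to the finding."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> upn -> failure count
    risky_successes = []
    for e in events:
        ip, upn, code = e["ipAddress"], e["userPrincipalName"], e["status"]["errorCode"]
        if code in INVALID_CREDS:
            failures[ip][upn] += 1
        elif code == 0 and e.get("riskLevelAggregated") in ("medium", "high"):
            risky_successes.append((ip, upn))

    findings = {}
    for ip, per_upn in failures.items():
        total = sum(per_upn.values())
        if total < threshold:
            continue
        kind = "spray" if len(per_upn) >= SPRAY_ACCOUNTS else "targeted"
        findings[ip] = {"kind": kind, "failures": total, "accounts": sorted(per_upn)}

    # A risky success after a failure series from the same source is the
    # "Entra suspected it, nobody acted" gap described above.
    for ip, upn in risky_successes:
        if ip in findings:
            findings[ip]["risky_success"] = upn
    return findings
```

Feed it the exported sign-in JSON after loading it into a list of dicts; sources below the threshold are dropped so the output is only what needs a human look.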

See this detection run on a real report

Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.
