Azure MFA yet: "Sign-ins from IP addresses that are anonymous, such as Tor IP addresses."

Our users are MFA'd but Azure reports: "Sign-ins from IP addresses that are anonymous, such as Tor IP addresses."

How is that possible?

I have 3 different users reporting this for location = Chelsea, NY, USA

YIKES!!!
mike2401 asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
This also includes any VPN service.

Sign-Ins from Tor or VPNs or any other NAT'ted systems should be accepted, as anyone concerned with security uses VPNs these days.

Likely there's some setting you can toggle to allow this type of login.
0

mike2401 (Author) commented:
Our users do VPN, but it's to US (our VPN end-point (ASA VPN concentrator) is located here in Philadelphia, NOT in New York).

I suppose if a user was using something like Tunnel Bear VPN, that could be a case where he's not hacked, but the last user I checked has no computer skills to do anything like that.

Thx
Mike
0
masnrock commented:
Unless you're going to block IPs related to networks like Tor with your conditional access policies, things like that are prone to happen. However, this does make it more important that you enforce the usage of MFA. That said, it's purely a decision you're going to need to make as a company.
0
btan (Exec Consultant) commented:
An anonymous IP address is not a strong indication of an account compromise if the user does not know why and has scanned the machine for malware and found nothing.

It is probably worth checking any past error logs for possible correlation, to see any relation to this event. Include the logs of the enterprise firewall where the user's machine is situated. The ISP should not be using any Tor service per se for consumer services either.

Meaning there have been signs of other risk, like sign-ins from unfamiliar locations or sign-ins from IP addresses with suspicious activity, etc. Not many leads on this, but monitor further, and closely, for other symptoms. Educate the user on practising good cyber hygiene, e.g. phishing email.
0
mike2401 (Author) commented:
As to "prone to happen" and my general confusion:

How can someone login from a TOR end point (or anywhere else) if they don't have the cell phone to receive the MFA code?
0
masnrock commented:
How can someone login from a TOR end point (or anywhere else) if they don't have the cell phone to receive the MFA code?
Are they logging in without MFA? And if so, have you checked to ensure that 1) MFA is set up for the user, 2) only a known device is set up on the account(s), and 3) conditional access rules are in place to ensure that MFA must be used outside of your organization's public IPs?
0
mike2401 (Author) commented:
In Azure Active Directory, we have the users set as "Enforced".  We have 'white-listed' our office's IP so it doesn't keep asking for MFA when the user is in the office.

Is there some loop-hole I'm not thinking about?
0
btan (Exec Consultant) commented:
May have to look at the conditional access policy. It sets the access to block or grant when an anonymous IP is detected.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-sign-in-risk
0
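A worked configuration for the two suggestions above (masnrock's "require MFA outside your organization's public IPs" and btan's sign-in-risk conditional access policy), added here as an example and not taken from the thread or from Microsoft. It builds the Microsoft Graph request bodies you would POST to /identity/conditionalAccess/namedLocations and /identity/conditionalAccess/policies (scope Policy.ReadWrite.ConditionalAccess), then runs a small local model of how the policies combine, to show the gap a trusted-IP exemption alone leaves: a risky sign-in from the office range is never prompted, whereas a separate sign-in-risk policy with no location exclusion still is. The office range 203.0.113.0/24 and the named-location id are placeholders, and the evaluation function is a simplified model of Conditional Access (all users and all apps in scope), not Microsoft's engine. Note that the per-user MFA "trusted IPs" whitelist mentioned earlier in the thread is a separate legacy setting; the policies here are Conditional Access.

```python
"""Conditional Access bodies plus a simplified local model of how they combine.
Added example; the office range and location id are placeholders (ASSUMPTION)."""
import ipaddress

# ASSUMPTION: 203.0.113.0/24 is a documentation prefix standing in for the real office IP.
OFFICE_CIDR = "203.0.113.0/24"
# ASSUMPTION: placeholder for the id Graph returns when the named location is created.
OFFICE_LOCATION_ID = "00000000-0000-0000-0000-000000000001"


def office_named_location(cidr=OFFICE_CIDR):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": "Office - Philadelphia",
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": cidr}
        ],
    }


def mfa_outside_office_policy(location_id=OFFICE_LOCATION_ID):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    The office exclusion is the weak spot: a risky sign-in from the office is never prompted."""
    return {
        "displayName": "Require MFA outside the office",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def sign_in_risk_policy(levels=("medium", "high")):
    """Second policy with no location condition, so it applies from the office too."""
    return {
        "displayName": "Require MFA at medium or high sign-in risk",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
            "signInRiskLevels": list(levels),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_applies(policy, sign_in, office_cidr=OFFICE_CIDR, office_id=OFFICE_LOCATION_ID):
    """Simplified model: all users and apps are in scope; a policy is skipped when the sign-in
    IP falls inside an excluded named location or its risk level is not one the policy lists."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    locations = cond.get("locations", {})
    in_office = ipaddress.ip_address(sign_in["ip"]) in ipaddress.ip_network(office_cidr)
    if in_office and office_id in locations.get("excludeLocations", []):
        return False
    levels = cond.get("signInRiskLevels")
    if levels and sign_in.get("risk", "none") not in levels:
        return False
    return True


def required_controls(policies, sign_in):
    """Union of grant controls across every policy that applies: Conditional Access
    enforces all applicable policies, not just the first match."""
    controls = set()
    for policy in policies:
        if policy_applies(policy, sign_in):
            controls.update(policy["grantControls"]["builtInControls"])
    return controls


if __name__ == "__main__":
    tor_exit = {"ip": "198.51.100.7", "risk": "medium"}        # outside the office, flagged
    risky_from_office = {"ip": "203.0.113.10", "risk": "medium"}  # inside the office, flagged
    weak = [mfa_outside_office_policy()]
    hardened = weak + [sign_in_risk_policy()]
    print("Tor exit, office exemption only:     ", required_controls(weak, tor_exit))
    print("risky from office, exemption only:   ", required_controls(weak, risky_from_office))
    print("risky from office, plus risk policy: ", required_controls(hardened, risky_from_office))
```

The first two policies together are the shape Microsoft's own baseline recommends (MFA everywhere except trusted locations, plus MFA at medium/high sign-in risk); whether a risky sign-in should be blocked outright instead of prompted is the "company decision" masnrock refers to, and is a one-word change in builtInControls.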
mike2401 (Author) commented:
Here's the latest:

The user successfully logged in, app= "Office 365 Exchange Online", MFA skipped due to IP address being that of our office (Philadelphia)

One hour later, 3,000 miles away in California, a successful login is shown:  app= "IOS Accounts" , "MFA requirement satisfied by claim in the token".

WTF?

What does that mean?
0
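The pair of sign-ins just described (MFA skipped from the office IP, then "MFA requirement satisfied by claim in the token" from a distant location an hour later) is exactly the pattern a detection over the sign-in log can surface. That portal text means the token the client presented already carried an MFA claim from an earlier session (here, the trusted-IP exemption), so Azure AD issued no fresh prompt. The script below is an added example, not code from the thread or from Microsoft. Its records are constructed and use a subset of the Microsoft Graph signIn fields (ipAddress, createdDateTime, appDisplayName, location.geoCoordinates, riskEventTypes_v2); the mfaDetail field is an assumed simplification of the portal's Authentication Details text, and the 900 km/h threshold is an arbitrary "faster than an airliner" cut-off. It flags two things: sign-ins carrying the anonymizedIPAddress risk detection (the "anonymous IP" warning from the question), and sign-ins whose MFA was satisfied from an existing token at a location the user could not physically have reached since their previous sign-in. As the thread's own resolution shows, a hit is a lead to verify with the user (a consumer VPN exit produces the same signature), not proof of compromise.

```python
"""Triage of Azure AD sign-in records for the two patterns discussed in the thread.
Added example; records are CONSTRUCTED and mfaDetail is an ASSUMED simplification."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Graph riskEventType behind the portal's "anonymous IP address" warning.
ANONYMOUS_IP = "anonymizedIPAddress"
# Text quoted in the thread for a sign-in that got no fresh MFA prompt.
TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"

PHILADELPHIA = {"latitude": 39.95, "longitude": -75.17}
LOS_ANGELES = {"latitude": 34.05, "longitude": -118.24}
NEW_YORK = {"latitude": 40.75, "longitude": -74.00}
CHERRY_HILL = {"latitude": 39.93, "longitude": -75.02}

# CONSTRUCTED records; the IPs are documentation ranges, not real exits.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2019-06-03T09:00:00+00:00",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "location": {"city": "Philadelphia", "geoCoordinates": PHILADELPHIA},
     "riskEventTypes_v2": [], "mfaDetail": "MFA requirement skipped due to trusted IP"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2019-06-03T10:00:00+00:00",
     "ipAddress": "198.51.100.23", "appDisplayName": "IOS Accounts",
     "location": {"city": "Los Angeles", "geoCoordinates": LOS_ANGELES},
     "riskEventTypes_v2": [], "mfaDetail": TOKEN_CLAIM},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2019-06-03T11:30:00+00:00",
     "ipAddress": "192.0.2.77", "appDisplayName": "Office 365 Exchange Online",
     "location": {"city": "Chelsea", "geoCoordinates": NEW_YORK},
     "riskEventTypes_v2": [ANONYMOUS_IP], "mfaDetail": "MFA completed in Azure AD"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2019-06-03T09:10:00+00:00",
     "ipAddress": "203.0.113.11", "appDisplayName": "Office 365 Exchange Online",
     "location": {"city": "Philadelphia", "geoCoordinates": PHILADELPHIA},
     "riskEventTypes_v2": [], "mfaDetail": "MFA requirement skipped due to trusted IP"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2019-06-03T13:10:00+00:00",
     "ipAddress": "198.51.100.8", "appDisplayName": "IOS Accounts",
     "location": {"city": "Cherry Hill", "geoCoordinates": CHERRY_HILL},
     "riskEventTypes_v2": [], "mfaDetail": TOKEN_CLAIM},
]


def haversine_km(a, b):
    """Great-circle distance in km between two geoCoordinates dicts."""
    lat1, lon1 = radians(a["latitude"]), radians(a["longitude"])
    lat2, lon2 = radians(b["latitude"]), radians(b["longitude"])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def anonymous_ip_findings(signins):
    """Sign-ins that Identity Protection tagged with the anonymous-IP detection."""
    return [(s["userPrincipalName"], s["ipAddress"], s["location"]["city"])
            for s in signins if ANONYMOUS_IP in s.get("riskEventTypes_v2", [])]


def token_travel_findings(signins, max_kmh=900.0):
    """Consecutive sign-ins per user where the later one was satisfied by an existing token
    claim and the implied travel speed exceeds max_kmh (the threshold is an ASSUMPTION)."""
    by_user = {}
    for s in sorted(signins, key=lambda s: datetime.fromisoformat(s["createdDateTime"])):
        by_user.setdefault(s["userPrincipalName"], []).append(s)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if cur["mfaDetail"] != TOKEN_CLAIM:
                continue  # a fresh MFA prompt at the new location is the normal case
            km = haversine_km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
            delta = datetime.fromisoformat(cur["createdDateTime"]) - datetime.fromisoformat(prev["createdDateTime"])
            hours = max(delta.total_seconds() / 3600.0, 1.0 / 3600.0)  # floor at one second
            speed = km / hours
            if speed > max_kmh:
                findings.append((user, cur["appDisplayName"], cur["location"]["city"], round(km), round(speed)))
    return findings


def triage(signins):
    """Both checks over one export; each finding is a lead to verify with the user."""
    return {"anonymous_ip": anonymous_ip_findings(signins),
            "token_reused_after_impossible_travel": token_travel_findings(signins)}


if __name__ == "__main__":
    for kind, hits in triage(SIGNINS).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Carol's pair (office in the morning, token-satisfied sign-in from a nearby town four hours later) is deliberately included so that ordinary token reuse is not flagged; only alice's Philadelphia-to-Los-Angeles hop within an hour trips the speed check, which in the thread turned out to be a consumer VPN exit. On a real export, feed the records from the Graph signIns endpoint or the portal's JSON download and map the Authentication Details text into mfaDetail.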
mike2401 (Author) commented:
Thanks, everyone.

Turns out the user signed-up for Verizon's VPN protection for public WiFi spots ($3.99/month).

So, it wasn't a laptop VPN to our cisco vpn concentrator endpoint, but rather random endpoints around the country !!!
0
mike2401 (Author) commented:
Thanks!
0