Identity Management (Entra ID)

Brute force attacks on Azure AD: Detect, qualify and block

5 min read · Akuity SOC · Delphisoft Deutschland

Brute force attacks target Microsoft Entra ID daily. Learn how to detect them and use Compromise Confirmation to block them.

Although multi-factor authentication (MFA) has become the norm, attacks like brute force and password spraying continue to saturate enterprise security logs. Cybercriminals deploy automated botnets to test thousands of password combinations on Microsoft Entra ID (Azure AD) accounts exposed across the Internet.

The attacker's objective? Find an account where MFA was misconfigured, a forgotten service account, or simply flood the legitimate user with MFA notifications (MFA Fatigue) until they validate access out of fatigue. Faced with this noisy threat, the SOC must be able to detect the attempt, quickly qualify it and lock the target account.

How does Entra ID Protection detect brute force?

Microsoft Entra ID Protection features advanced heuristic detection algorithms. It doesn't just count the number of failed logins. It analyzes the context:

  • Has the original IP address been associated with malicious behavior in the past (Microsoft Threat Intelligence)?
  • Do the attempts target a single account (classic brute force) or several company accounts with the same common password (password spraying)?
  • Does the format of the authentication attempt use legacy authentication protocols often exploited by hackers because they do not support MFA?

As soon as the algorithm confirms the attack, it assigns a risk level to the targeted user (Low, Medium, or High).
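To make the distinction between classic brute force and password spraying concrete, here is an added example (not Akuity's or Microsoft's code) that groups failed sign-ins per source IP and classifies the pattern, and also flags legacy authentication protocols. The log entries are constructed and use a simplified subset of the Entra ID sign-in log fields; the thresholds and the list of legacy client names are assumptions for illustration, not Entra ID Protection's actual heuristics.

```python
"""Classify bursts of failed sign-ins as brute force or password spraying
and flag legacy authentication. Added example with constructed log data."""
from collections import defaultdict

# Constructed sample entries (simplified from the Entra ID sign-in log schema:
# userPrincipalName, ipAddress, clientAppUsed, status.errorCode).
# Error 50126 is the "invalid username or password" code; 0 means success.
SAMPLE_SIGNINS = [
    # Classic brute force: one source hammers one service account
    *[{"user": "svc-backup@contoso.example", "ip": "203.0.113.10",
       "client": "Browser", "error": 50126} for _ in range(12)],
    # Password spraying: one source, one failure per account, over IMAP
    *[{"user": f"user{i}@contoso.example", "ip": "198.51.100.7",
       "client": "Other clients; IMAP", "error": 50126} for i in range(8)],
    # Benign: an employee mistypes twice, then signs in successfully
    {"user": "alice@contoso.example", "ip": "192.0.2.5", "client": "Browser", "error": 50126},
    {"user": "alice@contoso.example", "ip": "192.0.2.5", "client": "Browser", "error": 50126},
    {"user": "alice@contoso.example", "ip": "192.0.2.5", "client": "Browser", "error": 0},
]

# Assumed markers of legacy (non-MFA-capable) protocols in clientAppUsed.
LEGACY_CLIENTS = ("IMAP", "POP", "SMTP", "Exchange ActiveSync", "Other clients")


def is_legacy_auth(client: str) -> bool:
    """True when the client string names a legacy authentication protocol."""
    lowered = client.lower()
    return any(tag.lower() in lowered for tag in LEGACY_CLIENTS)


def classify_failures(events, brute_threshold=10, spray_min_accounts=5):
    """Group failed sign-ins by source IP and classify each source.

    Returns ip -> {"pattern", "accounts", "failures", "legacy_auth"} where
    pattern is "brute_force", "password_spraying" or "benign_or_inconclusive".
    """
    per_ip = defaultdict(lambda: {"accounts": defaultdict(int), "legacy": False})
    for ev in events:
        if ev["error"] == 0:
            continue  # only failures count toward the pattern
        bucket = per_ip[ev["ip"]]
        bucket["accounts"][ev["user"]] += 1
        bucket["legacy"] = bucket["legacy"] or is_legacy_auth(ev["client"])

    findings = {}
    for ip, bucket in per_ip.items():
        failures = sum(bucket["accounts"].values())
        n_accounts = len(bucket["accounts"])
        per_account_max = max(bucket["accounts"].values())
        if n_accounts >= spray_min_accounts and per_account_max <= 3:
            pattern = "password_spraying"   # wide, shallow: many accounts, few tries each
        elif n_accounts == 1 and failures >= brute_threshold:
            pattern = "brute_force"         # narrow, deep: one account, many tries
        else:
            pattern = "benign_or_inconclusive"
        findings[ip] = {"pattern": pattern, "accounts": n_accounts,
                        "failures": failures, "legacy_auth": bucket["legacy"]}
    return findings


if __name__ == "__main__":
    for ip, f in classify_failures(SAMPLE_SIGNINS).items():
        print(ip, f)
```

The two attack shapes are separated by their aspect ratio: spraying is wide and shallow (many accounts, one or two tries each, so per-account lockout never fires), brute force is narrow and deep. A legacy-protocol flag on either is the extra signal worth surfacing to the analyst, because those protocols cannot prompt for MFA.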

Centralization and qualification with Akuity SOC

For a system administrator, monitoring the Entra ID portal constantly to spot these risk elevations is time-consuming. The Akuity SOC orchestrator brings together all these critical events in the “Identities at risk” tab.

When an account experiences a sustained brute force attack, it immediately appears in the list. But blocking an account at the first login failure is counterproductive. The attack must be qualified.

Weak Signal Analysis (JIT)

With Akuity's Just-In-Time (JIT) analysis, the analyst clicks the magnifying glass icon to query Microsoft Graph. The side panel reveals whether the risk comes from a simple repeated typing error by the employee or whether it is an anonymized IP address linked to a hacking network. If the Gemini AI (built into the analyst notes) identifies the IP as a known spam source on AlienVault OTX, the threat is confirmed.

Remediation: Block by “Compromise” status

When a brute force attack is poised to succeed (for example, if the attacker has found the correct password but is blocked by the MFA request they are trying to bypass), the SOC team must intervene firmly.

Rather than deleting the account or changing the password manually (which does not necessarily stop the attacker's scripts), the best practice is to use the confirmUserCompromised API action (confirmation of compromise).

What the “Confirm Compromised” action does

Accessible in one secure click (MFA AAL2) from the Akuity cockpit, this action sends a strong signal to Microsoft Entra ID: “The security team certifies that this account is under severe attack or hacked”.

This official status allows you to automatically trigger your defensive shields: Conditional Access Policies.

If you have configured a rule stating that all accounts with “High” user risk have their access blocked, the action triggered via Akuity will instantly close all doors to the attacker. Connection attempts from the malicious IP will be rejected at the first stage, protecting the infrastructure while maintaining a clean audit trail in the application's JSON SOC 2 logs.
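The chain described in this section (confirm compromise, which raises the user risk to High, then a Conditional Access policy that blocks High user risk) as an added example, not Akuity's cockpit code. It builds the Microsoft Graph `confirmCompromised` request and the Conditional Access policy body from my own knowledge of the Graph API, and evaluates offline whether a sign-in would be blocked; nothing is sent unless you call `send()` with a real token. The user id and policy name are placeholders.

```python
"""Confirm a risky user as compromised and block High user risk via
Conditional Access. Added example; requests are built, not sent."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def confirm_compromised_request(user_ids):
    """Describe the POST that marks users as compromised.

    Microsoft Graph sets the user's risk level to High as a result. The
    caller needs the IdentityRiskyUser.ReadWrite.All permission; the
    bearer token is added by send().
    """
    if not user_ids:
        raise ValueError("at least one user id is required")
    return {
        "method": "POST",
        "url": f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"userIds": list(user_ids)}),
    }


def block_high_risk_policy(name="Block High user risk (SOC)"):
    """Conditional Access policy body: block every user whose risk is High."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            # Keep break-glass accounts in excludeUsers so the SOC cannot lock itself out.
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def sign_in_blocked(policy, user_risk):
    """Offline evaluation: would this policy block a user at the given risk?"""
    if policy["state"] != "enabled":
        return False
    if user_risk.lower() not in policy["conditions"]["userRiskLevels"]:
        return False
    return "block" in policy["grantControls"]["builtInControls"]


def confirm_and_evaluate(user_id, policy):
    """Walk the remediation chain: build the confirmation request, model the
    resulting risk level (High) and check that the policy now blocks sign-in."""
    request = confirm_compromised_request([user_id])
    risk_after_confirmation = "high"  # effect of confirmCompromised in Entra ID
    return {"request": request, "blocked": sign_in_blocked(policy, risk_after_confirmation)}


def send(request, token):
    """Send a described request with a bearer token (needs the `requests` package)."""
    import requests  # imported here so the rest of the module works offline
    headers = {**request["headers"], "Authorization": f"Bearer {token}"}
    return requests.request(request["method"], request["url"],
                            headers=headers, data=request["body"], timeout=30)


if __name__ == "__main__":
    policy = block_high_risk_policy()
    result = confirm_and_evaluate("00000000-0000-0000-0000-000000000000", policy)  # placeholder id
    print(json.dumps(result, indent=2))
```

Policy creation itself is a POST to `identity/conditionalAccess/policies` with the body above; the offline evaluator is only there to make the dependency explicit: confirming compromise does nothing on its own unless a policy keys on the High user risk it produces.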

Conclusion: Turn noise into action

Brute force attacks generate a lot of background noise and can mask more targeted intrusions. By using a unified interface to monitor at-risk identities and leveraging Entra ID Protection APIs to quickly confirm compromise, you stop the attack in a systemic and automated manner.

Protect your cloud identities from malicious automation. Learn how to block brute force attacks with our Identity Management at Risk Entra ID module with just one click.

Related solution page

Identity Management at Risk (Entra ID)

Block Entra ID identity theft every second: JIT detection, session revocation, and confirmation of compromise.

Discover the complete solution