Check For Suspicious Account Sign-in Activity

View and search your recent sign-in activity from the My Sign-ins page

You can view all of your recent work or school account sign-in activity, from the My Sign-ins page of the My Account portal. Reviewing your sign-in history helps you to check for unusual activity by helping you to see:

• If someone is trying to guess your password.
• If an attacker successfully signed in to your account, and from what location.
• What apps the attacker tried to access.

View your recent sign-in activity

1. Sign in to your work or school account and then go to your https://myaccount.microsoft.com/ page.
2. Select My Sign-ins from the left navigation pane or select the Review recent activity link from the My sign-ins block.
3. Expand and review each of the sign-in items, making sure that you recognize each one. If you find a sign-in item that doesn’t look familiar, change your password to protect the account in case it’s compromised.

If you see a successful sign-in

Sometimes, while reviewing your own normal sign-in activity, you might see a successful sign-in from an unfamiliar location, browser, or operating system. Unfamiliar sign-ins can mean an attacker has gained access to your account. If you see activity that you didn’t authorize, we recommend you immediately change your password, and then go to Security info to update your security settings.

Before you determine something is incorrect, make sure you’re not seeing a false positive (where the item looks questionable, but is okay). For example, we determine your approximate location and map based on your IP address. Mobile networks are especially hard to pinpoint since they sometimes route traffic through distant locations. Even if you sign in using your mobile device in Washington state, the location might show the sign-in coming from California. We strongly suggest that you check details beyond just the location. Make sure the operating system, browser, and app all make sense, too.

If you see an unsuccessful sign-in

If you see an unsuccessful sign-in, with a note under Session activity that says, Additional verification failed, invalid code, it means that your primary authentication credentials succeeded, but multi-factor authentication failed. This condition could mean that an attacker correctly guessed your password but was unable to pass the multi-factor authentication challenge. We recommend that you still change your password, because the attacker might have that already, and go to the Security info page to update your security settings.

Search for specific sign-in activity

You can search your recent sign-in activity by any of the available information. For example, you can search for your recent sign-in activity by operating system, location, app, and so on.

1. On the Review recent activity page, type the information you want to search for into the Search bar. For example, type Unsuccessful to search for all unsuccessful sign-in activity collected by the My Account app.
2. Select the Search button to begin searching.

Confirm unusual activity

Sign-ins that are flagged as unusual activity can be confirmed in the tile for that activity in the My sign-ins page.

Related Articles

• View or manage your connected MFA devices.
• Source of this document: https://docs.microsoft.com/en-us/azure/active-directory/user-help/my-account-portal-sign-ins-page