On Microsoft account notifications and the activity history page

Some time ago, I wrote a post that announced the availability of the account activity history page (which I will call for short “activity page”). Today I want to discuss the use of the activity page in relation to the notification messages we send for security challenges issued by our compromise detection algorithms.

Security challenges are actually triggered in two situations:

  1. when we regularly require a second factor for authentication (as in the case of accessing the activity page itself or when having two factor authentication enabled on an account)
  2. when our compromise detection algorithms trigger such a challenge.

There is no notification sent in the first scenario (because there is nothing unexpected about the challenge), but in the second case we always send notifications to the communication channels associated with the account. Also note that security challenges can only happen for accounts that are associated with a phone number or another email address, otherwise there is no way of solving them.

The notifications we send let the account owner know what is going on with their account and direct them to the activity page for confirming or denying the legitimacy of the authentication attempts that received the security challenge. The account owner can then use the “This was me” button to confirm the legitimacy of the authentication or they can select “This wasn’t me” to indicate that the attempt to authenticate was not theirs. If the authentication attempt was not legitimate, it means that whoever made it knew the correct password for the account, so when the account owner selects “This wasn’t me“, we will ask them to first change their password and then to verify the integrity of the security information associated with the account.

There is one special case: for some non-interactive interfaces or older devices, we cannot actually issue security challenges at all (there is no user interface for solving them). If two factor authentication is enabled for the account, an app password would have to be used in such scenario (learn how to generate one here). Otherwise we will simply block the authentication request and, in the case of compromise detection, we will also send notification messages.

So if you ever receive a notification message mentioning unusual activity and asking you to visit the activity page, our compromise detection algorithms are the reason for that.

Some takeaways that may come in handy:

  • Not all security challenges are due to unusual activity. You should only be concerned about those for which you also receive a notification. (I will also look into having the activity page description updated to reflect this)
  • If you have some problem with connecting from some old device, check your email for a notification and then use the “This was me” option on the activity page to unblock that device.
  • Keep in mind that if you connect from a mobile device, your service provider may occasionally redirect you through a different network and this may trigger notifications of unusual activity. Marking the device as familiar would eliminate this issue (this is an option given during the security challenge).
  • If you are sure that the challenged authentication was not initiated by you, then use “This wasn’t me” to indicate that. The drawback to selecting this option unnecessarily is that you will have to change your password.


Comments (4)

  1. Med Bouchenafa says:

    One feature, I'd love to have is possibility to block connection coming from a mac address

    This can be very useful when your device is lost or stollen

  2. For a stolen device, the best response would be to just change your account password – the stolen device won't be able to login with the old credentials.

    Being able to block MAC addresses can be useful and I passed your suggestion to the team, but even after blocking the MAC address of a stolen device, I'd still recommend changing the account password to go by the "defense in depth" principle.

  3. jamesLodge nr manchester says:

    I lost  a  laptop last yr  and  the  mac address isnt  blocked , the  laptop did contain some  auto log ins ,  I have changed all security  tha t is  personal .

    however  I now  find  that  a person is logging  in and  have  via  my microsoft  account  a  full track of their travels and log ins  ,  will soon be  feeling  there collar  via   the  police  lol. They cannot  access my account security but it  tracks them. They cannot receive the  account  open code sent to my mobile .

    did this years  ago and  tracked  a burgular house  breaker  who used  a  capped mobile to ring  his  mates  lol

  4. @jamesLodge: So you left the account password unchanged so they can still login and you can track them, but you removed anything personal from the account. Nice! Hope you catch them! Thanks for sharing your story and let us know when you manage to catch them.

Skip to main content