Product: ITDR
Environment: Microsoft 365
Summary: SOC Support can now be contacted directly from 

Microsoft Login Alert Not Appearing in Huntress or Microsoft 365

Overview: Has an end user reached out with a sign-in alert from Microsoft, but upon further investigation, you aren’t seeing the login in Microsoft 365 signin logs or the Huntress dashboard? You may be dealing with an alert from a personal Microsoft account. Follow along below to confirm. 
 

1. To determine whether an alert pertains to a personal Microsoft account or an account within the tenant, the initial step is to examine the alert itself. Here is an example of what the email for a personal Microsoft account alert will look like.
   
    
    
   1. You will see that the alert is sent to the end user and not a security admin. This is the first tell-tale.
   2. This template shown above is also only ever used for a personal Microsoft account and wouldn’t normally be received by a security admin.

2. The next step in confirmation is attempting a login to portal.office.com with the email address in question. If a personal Microsoft account is in use, you will be given the option to log into either work or personal. 
   
   
    
   1. As shown in the screenshot, we see two login options when logging into portal.office.com.

3. Finally, to confirm this is where the alert originated from, you will want the end user to sign into their personal account. Once signed in, navigate to the account activity section to review the sign-ins. If the event was from the personal Microsoft account, it will be displayed here and match what was shown on the email alert.
   1. Here are further details from Microsoft on reviewing account activity. 
       

Remediation

Should an alert trace back to a personal Microsoft account, recommend the user change their password immediately and confirm that multi-factor authentication is enabled.