Defender for Identity Radius Aad Syncer Disabling User Accounts - Not Sure Why?

K12SysAdmin 11 Reputation points
2024-12-17T17:23:47.1333333+00:00

We have users randomly getting disabled and the audit logs are showing that Radius Aad Syncer is the culprit.

The logs don't offer much more information so I'm not sure how to approach troubleshooting this, but a growing number of users are affected.

Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
230 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Maciej Maciejewski 0 Reputation points
    2024-12-20T11:13:58.6333333+00:00

    hey there!

    We had similiar situation lately. It turns out that Radius AAD syncer seems to be legitimate Microsoft Defender module that locks accounts on successful suspicious logins.


  2. Richard La Bella 0 Reputation points
    2024-12-23T18:48:43.4466667+00:00

    We're having the same issue. Does anyone know if this is configurable such that it can be disabled or adjusted?

    0 comments No comments

  3. K12SysAdmin 11 Reputation points
    2024-12-23T18:55:03.8833333+00:00

    Thanks for the info.

    I dug into Defender and found that the users in question had compromised credentials.

    It's ultimately doing what it should be doing and preventing further use from outside entities when the password is compromised, the logs just didn't do a good job of explaining why accounts were being locked and what service was causing them to lock.

    If you dig into the incidents & alerts area of Defender you will likely find the users you are looking for.

    As far as disabling the action, I'm not sure you'd want to, but you should be able to.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.