We have users randomly getting disabled and the audit logs are showing that Radius Aad Syncer is the culprit.
The logs don't offer much more information so I'm not sure how to approach troubleshooting this, but a growing number of users are affected.
hey there!
We had a similar situation lately. It turns out that Radius AAD syncer seems to be a legitimate Microsoft Defender module that locks accounts on successful suspicious logins.
We're having the same issue. Does anyone know if this is configurable such that it can be disabled or adjusted?
Thanks for the info.
I dug into Defender and found that the users in question had compromised credentials.
It's ultimately doing what it should be doing and preventing further use from outside entities when the password is compromised; the logs just didn't do a good job of explaining why accounts were being locked and what service was causing them to lock.
If you dig into the incidents & alerts area of Defender you will likely find the users you are looking for.
As far as disabling the action, I'm not sure you'd want to, but you should be able to.