One-time use codes keep arriving in my mailbox unsolicited

Marcel van Rijzewijk 0 Reputation points
2025-03-05T08:20:36.08+00:00

Ever since 2017 I have been receiving e-mails from Microsoft with one-time use codes to log in to my account. Only about 10 of these ever were requested by myself, each time because I was at a location where I did not have access to my password manager. Starting 2023 I've been receiving more and more of these e-mails, up to where I'm now at 170+ e-mails and none of the 160 additional codes were requested by myself!

This number has been ramping up quickly, and yesterday I once again received 5(!!) one-time use codes with which people would be able to get access to my account.

Last year I even contacted Microsoft Support directly about this. Azure Support forwarded me to the Customer Support team, and a lot of bouncing was going around. It took a number of months before someone was able to look with me at my screen, confirm the e-mails are genuine, and that I did not request them myself as far as they could see. The problem here is that they were only able to check some of the systems, and not all of them.

Please note: I'm using the same Gmail address for both my personal use (Windows, 365, etc.), and with Microsoft Azure.

Together with Microsoft Support I've disabled the one-time codes for the "personal use" part. So when I'm logging in to 365, or the account portal on https://account.live.com/Activity, I do not get the option for one-time codes to log in. The only option available for me is passwordless sign-in with a push notification, Windows Hello, or a recovery code.

>>> This makes me believe that it has to be coming from Microsoft Azure <<<

Now I'm using Azure only for some training and experiments, and the occasional free resource such as the CosmosDB. If someone does manage to breach my account this would cause only minor data loss, but the bigger problem for me would be the financial loss as my Credit Card is connected to my account. In the hypothetical situation that someone breaches my account and orders for tens, maybe hundreds of thousands worth of resources, Microsoft would just argue to my Credit Card company that "I" ordered this, and I would not be able to get a chargeback on this.

Because of all that, I'm trying to figure out how to better protect my Azure environment. I've already created a backup Global Admin account with a non-public e-mail address so that I would be able to log back in if I were to lose my password or such. However, if they breach my Azure environment, they will most likely just remove any and all Global Administrator accounts to prevent me taking back my account.

Now as this is mostly a homelab environment, I do not have E3 or E5 for me as sole user, nor do I have the funds or requirements to get this.

If I go to the Azure Portal, Entra, Users, my account, Authentication methods, there are no listed MFA options and it tells me to go to https://myaccount.microsoft.com/ but when I do, I'm unable to log in there because it is a personal account, not a corporate one.

There are no connected devices, licenses or applications that would give someone access to my account.

Looking at the Sign-in logs, I can only see my own session, not any of the attempted logins for which I received the one-time codes.

Looking at the Audit logs, no results are shown.

The big questions:

  • How do I stop receiving these e-mails, or more to the point, how do I prevent others from using this method to try and gain access to my account?
  • How do I check/enable/reconfigure MFA for my "personal account" which I use for Azure login as I cannot access "MyAccount"?
  • Is it possible to review security logs to see where these requests came from?
  • Can I prevent logins from other countries without a way-too-expensive license?

1 answer

  1. Akhilesh Vallamkonda 12,820 Reputation points Microsoft External Staff
    2025-03-06T20:09:53.9766667+00:00

    Hi @Marcel van Rijzewijk

    Thank you for reaching out to the Microsoft Q&A forum!

    I understand your concern about the security of your account and the potential financial risks.

    To protect your personal account, you can add different ways to sign in or verify. To do this, use the https://account.live.com/proofs/manage/additional link, where you can see the list of authentications. From here, check whether any unusual authentication has been added and, if so, try to delete it. You can also stop the email code alerts by disabling Receive alerts.
    Once you remove the unnecessary authentication, you can turn on Two-step verification, or you can add another way to sign in or verify, like MFA and passkey. This way you can check and protect your personal account.

    On the other side, to protect your Azure environment for free, you can enable Security defaults in Microsoft Entra ID, which is a free feature in Entra ID. This enables MFA for all users in your tenant; this way you can protect your organization from identity-related attacks.

    If you would like to block logins from specific countries or IPs for your Azure identities, you need paid licenses of Microsoft Entra ID P1 & P2. This will allow you to create a Conditional Access policy, which gives more security to your tenant.

    To know about usage and billing, set up billing alerts in Azure to notify you of any unusual spending.

    By using the sign-in logs, you can find the location details and IP address. For this, log in to the Azure portal -> Microsoft Entra ID -> Sign-in logs. Here you can find multiple logs for your tenant; under User sign-ins (interactive), find the user you need and click Location to find the details, as shown in the picture below.
    User's image

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And if you have any further queries, do let us know.
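
A way to triage the sign-in records the answer points to, as an added example that is not part of the original answer: it reads a JSON export of the sign-in log and lists every sign-in from outside the expected countries, successful ones first, plus a failure count per origin. The record layout follows the Microsoft Graph signIn resource and is assumed to match the export; the sample records, the function name `summarize_sign_ins` and the home-country set are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records, not real log data. Field names follow the
# Microsoft Graph signIn resource; the portal's JSON export is assumed to match.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2025-03-04T07:12:09Z", "ipAddress": "198.51.100.23",
     "location": {"city": "Utrecht", "countryOrRegion": "NL"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-04T09:40:51Z", "ipAddress": "203.0.113.77",
     "location": {"city": "Sao Paulo", "countryOrRegion": "BR"},
     "status": {"errorCode": 50126}},   # 50126: invalid username or password
    {"createdDateTime": "2025-03-04T09:41:30Z", "ipAddress": "203.0.113.77",
     "location": {"city": "Sao Paulo", "countryOrRegion": "BR"},
     "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-03-04T11:02:17Z", "ipAddress": "192.0.2.10",
     "location": None,                  # location can be missing from a record
     "status": {"errorCode": 0}},
])


def summarize_sign_ins(export_text, home_countries):
    """Return (outside_home, failures): sign-ins from outside the expected
    countries (successful ones first) and a failure count per (country, IP)."""
    home = {c.upper() for c in home_countries}
    outside_home, failures = [], Counter()
    for rec in json.loads(export_text):
        location = rec.get("location") or {}
        country = (location.get("countryOrRegion") or "unknown").upper()
        ip = rec.get("ipAddress") or "unknown"
        code = (rec.get("status") or {}).get("errorCode", 0)
        if code != 0:
            failures[(country, ip)] += 1
        if country not in home:
            outside_home.append({"time": rec.get("createdDateTime"), "country": country,
                                 "ip": ip, "failed": code != 0, "error_code": code})
    # A successful sign-in from an unexpected place matters most, so list it first.
    outside_home.sort(key=lambda s: s["failed"])
    return outside_home, failures


if __name__ == "__main__":
    hits, failed = summarize_sign_ins(SAMPLE_EXPORT, {"NL"})
    for h in hits:
        print(h)
    for (country, ip), n in failed.most_common():
        print(f"{n} failed sign-ins from {country} {ip}")
```

Records without a location are treated as outside the home set rather than skipped, so a sign-in that could not be geolocated still shows up for review.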

