Environment
Microsoft 365
Issue
I received an email with a single-use code to log in to Microsoft, but I did not request one. What do I do?
Resolution
Single-use codes are not generated for accounts in the U-M Microsoft 365 tenant. If you receive a single-use code email at your U-M email address, it is associated with an external (non-UM) personal Microsoft account.
- You may receive emails with single-use codes to sign into a personal Microsoft account if your U-M email is used as a) the primary account address or b) a recovery address for the external account. If you are unsure whether you have a personal Microsoft account associated with your U-M email, you can check and update the email address associated with that account.
- Again, the ITS-managed U-M Microsoft 365 tenant cannot utilize the single-use code sign-in workflow, so these emails are not related to your U-M Microsoft 365 account.
- If your U-M email address is the recovery address for the external account, the verification email ("Your single-use code") may be sent directly to the account's associated recovery email, and not necessarily to the primary Microsoft account's email. (E.g., logging in to microsoftperson@live.com may route the code to its recovery email, uniqname@umich.edu, instead.)
- These emails are not multi-factor authentication (MFA) codes you'd typically receive after a successful password entry. These emails allow you to sign in without a password if the code is entered successfully.
- Since single-use codes are sent instead of using your password to log in, code requests do not automatically indicate that the account was accessed.
- If you withhold the code (and don't use it), the attempt will not register as a successful or failed login. As a result, no entry will appear in your account's security activity log, leaving you with no visibility into the attempt.
- Oftentimes, when you receive this email without having triggered it, your personal Microsoft account may have been involved in a leak, and threat actors are brute-forcing this passwordless sign-in method in hopes of gaining access to the account.
- You can add aliases to your personal Microsoft account that are exclusive to logging in to it, which can help mitigate these requests. More information on this process is available at the following Microsoft Support resources:
- Additionally, depending on your personal Microsoft account configuration, you may also receive unsolicited Microsoft Authenticator prompts if you've enabled MFA for your personal account. These prompts are a different version of the same brute-force technique (known as a "multi-factor authentication scam") and should be ignored.
You should never enter/share authentication information or click on links to log in to an account if you did not request it. Refer to the ITS Safe Computing Site for more information on how to spot phishing and scams.
As a reminder, ITS does not provide any support for external (non-UM) personal Microsoft accounts. However, we recommend updating your personal account's password and enabling multi-factor authentication using https://account.microsoft.com to ensure your personal account is kept secure.
Additional Information
Screenshots of the associated email are attached to this article.
Need additional information or assistance? Contact the ITS Service Center.