Forum Discussion
Multiple sign-in attempts not triggering Risky User/Sign-ins
Hi,
Under User Sign-in events, one of the users has multiple sign-in attempts from 4 different countries. 2 countries were successful, another 2 failed. All happened within the same day.
Shouldn't that generate a record under "Risky Sign-in" or "Risky Users"? There is no entry triggered for this user.
On what logic does Azure AD consider the attempt as "Risky Sign-ins/User"? Will a "failure" attempt from another country trigger a risky record?
Thanks.
Hi, do you have Azure AD Premium P2 licensing please? You will need this in order for these features of Identity Protection to work. This is also included in EM+S E5 and M365 E5.
- cllee, Brass Contributor
Yes, I do have the license for that. Hence I noticed the inconsistency. Some users did trigger Risky Sign-ins/User records, but in the case I highlighted, it did not.
So I was trying to understand the "logic/conditions" used in the backend to monitor such a scenario.
- ChristianBergstrom, Silver Contributor
cllee Hi, I suppose this could explain what you've experienced? At least we did some testing and could only trigger it when it looked as if the sign-in location/country was unfamiliar.
'Atypical travel'
"The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior."
'Sign-in risk'
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk
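
Added example, not part of the thread and not Microsoft's algorithm: a simplified check an analyst could run over exported sign-in records to list implausible country hops, including failed attempts, and to see which ones a learning period like the one quoted above would suppress. The flattened field names, the 900 km/h threshold, the sample records and the way the "earliest of 14 days or 10 logins" rule is modelled are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def atypical_travel(signins, max_kmh=900, learn_days=14, learn_logins=10):
    """Return (user, from, to, to_succeeded, in_learning_period) per implausible hop."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    hits = []
    for user, rows in by_user.items():
        rows.sort(key=lambda s: s["time"])
        first = rows[0]["time"]
        # n = number of sign-ins already seen for this user before `cur`
        for n, (prev, cur) in enumerate(zip(rows, rows[1:]), start=1):
            if prev["country"] == cur["country"]:
                continue
            hours = max((cur["time"] - prev["time"]).total_seconds() / 3600, 1 / 60)
            if km(prev["geo"], cur["geo"]) / hours <= max_kmh:
                continue  # reachable by ordinary travel
            # Assumed model: learning ends at the earlier of learn_days or learn_logins.
            learning = cur["time"] - first < timedelta(days=learn_days) and n < learn_logins
            hits.append((user, prev["country"], cur["country"], cur["error"] == 0, learning))
    return hits

# Constructed sample data (not real logs). error 0 = success, non-zero = failed sign-in.
T0 = datetime(2024, 1, 1, 8, 0)
GEO = {"SG": (1.35, 103.82), "US": (38.9, -77.04), "DE": (52.52, 13.4), "BR": (-15.79, -47.88)}
def rec(user, when, country, error=0):
    return {"user": user, "time": when, "country": country, "geo": GEO[country], "error": error}

SAMPLE = (
    [rec("new@example.test", T0 + timedelta(hours=2 * i), c, e)   # 4 countries, one day
     for i, (c, e) in enumerate([("SG", 0), ("US", 0), ("DE", 50126), ("BR", 50126)])]
    + [rec("vet@example.test", T0 + timedelta(days=2 * i), "SG") for i in range(12)]
    + [rec("vet@example.test", T0 + timedelta(days=22, hours=1), "US")]
)

if __name__ == "__main__":
    for hit in atypical_travel(SAMPLE):
        print(hit)
```

Hops with the last field set to True fall inside the modelled learning period, so a check of this kind would stay silent on them even though the travel is implausible.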