Forum Discussion
Jacques365
Mar 14, 2022 (Copper Contributor)
Anomalous Token & activity from Microsoft
Hi, I am trying to understand the following activity. I have had a few users in my organization flagged as a "Risky User" due to an anomalous token. This is normally supposed to flag if a use...
RobCMC
Jun 10, 2022 (Copper Contributor)
We get these all the time as well. It's not explained well. You will oftentimes see these as non-interactive, from an IP address they do not use but using the same registered device as usual. I believe some of this is related to the fact that using the IP address is not always a reliable means of determining fraudulent activity. I look at the device and then look up the IP to see where it's registered. Most times one of the hits is a mobile carrier. I then look at their interactive sign-in history for anything that is off pattern. I then dismiss the user risk if I see nothing unusual. I wish this worked better because I think the risk user's function generates a lot of false positives and noise.
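
Added example, not part of the thread and not Microsoft tooling: the triage steps described in the reply above (device, IP registration, interactive sign-in history, then dismiss), written as Python over constructed sign-in records. The flat field names, the carrier ASN set and the verdict labels are assumptions made for illustration.

```python
from collections import Counter

# Assumption: AS numbers the analyst treats as mobile carriers (placeholder value).
MOBILE_CARRIER_ASNS = {64500}

# Constructed sign-in history for one user; flat, simplified field names.
HISTORY = [
    {"ip": "198.51.100.10", "asn": 64496, "country": "US", "device_id": "dev-1", "interactive": True},
    {"ip": "198.51.100.10", "asn": 64496, "country": "US", "device_id": "dev-1", "interactive": True},
    {"ip": "198.51.100.11", "asn": 64496, "country": "US", "device_id": "dev-1", "interactive": False},
]

def triage(flagged, history, carrier_asns=MOBILE_CARRIER_ASNS):
    """Return (verdict, reasons) for a sign-in flagged with an anomalous token."""
    reasons = []
    # Step 1: is it the same registered device as usual?
    same_device = flagged["device_id"] in {e["device_id"] for e in history}
    if not same_device:
        reasons.append("device not seen in history")
    # Step 2: look up where the IP is registered (here: its ASN).
    new_ip = flagged["ip"] not in {e["ip"] for e in history}
    if new_ip and flagged["asn"] not in carrier_asns:
        reasons.append("new IP outside known mobile carriers")
    # Step 3: anything off pattern in the interactive sign-ins?
    interactive = [e for e in history if e["interactive"]]
    if not interactive:
        reasons.append("no interactive baseline")
    else:
        usual = Counter((e["country"], e["device_id"]) for e in interactive).most_common(1)[0][0]
        odd = [e for e in interactive if (e["country"], e["device_id"]) != usual]
        if odd:
            reasons.append(f"{len(odd)} interactive sign-in(s) off pattern")
    # Step 4: only a clean result is a candidate for dismissing the user risk.
    return ("dismiss-candidate" if not reasons else "investigate", reasons)

if __name__ == "__main__":
    # Constructed flagged event: non-interactive, new IP, usual device.
    flagged = {"ip": "203.0.113.7", "asn": 64500, "country": "US",
               "device_id": "dev-1", "interactive": False}
    print(triage(flagged, HISTORY))
```

The verdict is only a sorting aid: a "dismiss-candidate" still gets the analyst's own look before the user risk is dismissed.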