SOLVED

Multiple Sign-ins attempt not triggering Risky User/Sign-ins


Hi,

Under User Sign-in events, one of the users has multiple sign-in attempts from 4 different countries. 2 were successful, the other 2 failed. All happened within the same day.

Shouldn't that generate a record under "Risky Sign-ins" or "Risky Users"? There is no entry triggered for this user.

On what logic does Azure AD consider an attempt a "Risky Sign-in/User"? Will "failure" attempts from other countries trigger a risky record?

Thanks.

5 Replies

@cllee 

Hi, do you have Azure AD Premium P2 licensing please?  You will need this in order for these features of Identity Protection to work.  This is also included in EM+S E5 and M365 E5.


@PeterRising 

Yes, I do have the license for that. Hence I noticed the inconsistency. Some users did trigger Risky Sign-ins/Users records, but in the case I highlighted, it did not.

So I was trying to understand the "logic/conditions" used in the backend to monitor such a scenario.

Best Response confirmed by cllee (Contributor)
Solution

@cllee Hi, I suppose this could explain what you've experienced? At least we did some testing and could only trigger it when it looked as if the sign-in location/country was unfamiliar.

'Atypical travel'

"The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior."

'Sign-in risk'
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk
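To make the quoted learning-period rule concrete, here is a small added simulation (not Microsoft's algorithm and not from this thread; the thresholds are the 14 days / 10 logins from the quote, the rest is an assumed simplification). It builds per-user baselines over constructed sign-in events, never flags a user who is still inside the learning window, treats a country as organization-familiar once other users sign in from it, and shows why the single-day, four-country pattern from the question produces no finding for a brand-new account while the same countries do produce findings for an established one.

```python
"""Simplified "unfamiliar location" risk model with a learning period.

Constructed illustration, not Azure AD Identity Protection's real logic.
Assumptions (not from the thread): only successful sign-ins build a user's
baseline and count as "logins"; a country is organization-familiar once
ORG_COMMON_USERS *other* users have signed in from it; failed sign-ins from
unfamiliar countries are reported too, with their outcome attached.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LEARNING_LOGINS = 10   # learning ends after this many successful sign-ins ...
LEARNING_DAYS = 14     # ... or this many days after the first sign-in, whichever comes first
ORG_COMMON_USERS = 2   # hypothetical threshold for "location regularly used by other users"


@dataclass
class SignIn:
    user: str
    when: datetime
    country: str
    success: bool


@dataclass
class Profile:
    first_seen: datetime
    logins: int = 0
    familiar: set = field(default_factory=set)

    def learning(self, now: datetime) -> bool:
        """True while the user is still inside the initial learning period."""
        return (self.logins < LEARNING_LOGINS
                and now - self.first_seen < timedelta(days=LEARNING_DAYS))


def users_by_country(events):
    """Map country -> set of users with at least one successful sign-in there."""
    seen = defaultdict(set)
    for e in events:
        if e.success:
            seen[e.country].add(e.user)
    return seen


def detect(events):
    """Return (findings, profiles). A finding is (user, when, country, success)."""
    by_country = users_by_country(events)
    profiles, findings = {}, []
    for e in sorted(events, key=lambda ev: ev.when):
        p = profiles.setdefault(e.user, Profile(first_seen=e.when))
        # Countries other staff regularly sign in from are not unfamiliar for anyone.
        org_common = {c for c, us in by_country.items()
                      if len(us - {e.user}) >= ORG_COMMON_USERS}
        if p.learning(e.when):
            # Still learning: build the baseline, never raise a finding.
            if e.success:
                p.familiar.add(e.country)
                p.logins += 1
            continue
        if e.country not in p.familiar and e.country not in org_common:
            findings.append((e.user, e.when, e.country, e.success))
        if e.success:
            p.familiar.add(e.country)   # a successful sign-in becomes part of the baseline
            p.logins += 1
    return findings, profiles


def build_sample():
    """Constructed sign-in events: an established user, a colleague, and a new hire."""
    base = datetime(2020, 9, 1, 9, 0)
    ev = [SignIn("veteran", base + timedelta(days=d), "SG", True) for d in range(10)]
    ev += [SignIn("colleague", base + timedelta(days=d, hours=1), "MY", True) for d in range(3)]
    d11 = base + timedelta(days=10)
    d12 = base + timedelta(days=11)
    ev += [
        SignIn("veteran", d11, "SG", True),                         # familiar -> nothing
        SignIn("veteran", d11 + timedelta(hours=4), "BR", False),   # unfamiliar failure -> finding
        SignIn("veteran", d12, "MY", True),                         # org-common -> nothing
        SignIn("veteran", d12 + timedelta(hours=1), "NG", True),    # unfamiliar success -> finding
        # The question's scenario: four countries in one day, but the account is new.
        SignIn("newhire", d12 - timedelta(hours=1), "SG", True),
        SignIn("newhire", d12 + timedelta(hours=1), "MY", True),
        SignIn("newhire", d12 + timedelta(hours=3), "BR", False),
        SignIn("newhire", d12 + timedelta(hours=5), "NG", False),
    ]
    return ev


if __name__ == "__main__":
    found, profs = detect(build_sample())
    for user, when, country, ok in found:
        print(f"{when:%Y-%m-%d %H:%M} {user:9s} {country} success={ok}")
    print("newhire still learning:", profs["newhire"].learning(datetime(2020, 9, 12, 23, 0)))
```

Running it prints two findings, both for `veteran` (the failed BR attempt and the successful NG sign-in), and none for `newhire`, whose profile is still in its learning window. When investigating a case like the one in the question, check the account's age and successful sign-in count before concluding the detection is broken.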


@bec064 Good shout my friend.  I really didn't read this post correctly.  


@bec064 @PeterRising 

Thanks for your input. I guess this is the reason: "The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior".