When do Azure Risky Sign In events disappear?


Hi all,

Do the Risky Sign In events resolve themselves after a user changes his password? Kinda depends on the Event though. 

I'm working on a script that checks the Risky Sign In events > e-mails the managers. 

I want the events to be resolved after the user made the right actions.

Do they disappear, or is it a 30 days timer? 

8 Replies

Depends on the event. If you don't perform any action, you will see events from up to 90 days. And if you look over at the "Users flagged for risk" tab, you will find entries from a year back or more.

They don't clear, but the risk is removed when a user changes their password, or when an admin dismisses the risk events.

No, that's not true. 

I've tested that and the events do not disappear after a password reset.

I said they didn't clear. The risk associated with the user resets, but the events remain.


My bad. I read that wrong.

Thank you ;)

Remember that all collected data stored in Azure AD depends on your Azure AD edition, and for security signals it starts from 7 days to 90 days.

What does the "Resolve" button do?  I looked through the documentation and they give the button choices, but no description of function.

I don't mind the events being there, but showing an active connection that isn't is disconcerting to say the least. I was hoping the Resolve function would reset it or something.

Finally found the answer: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-user-risk-policy

It manually closes the event, lowering the risk value.
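
For the notification script described in the question, an added example (not code from any poster in this thread): because the events stay in the log while the user's risk resets, the script should filter on each record's risk state rather than on whether a record exists. It assumes records shaped like Microsoft Graph `riskDetection` objects; the sample data and the function name `users_needing_followup` are constructed for illustration.

```python
from datetime import datetime

# riskState values used by Microsoft Graph riskDetection / riskyUser objects.
# "remediated" (e.g. after a password change) and "dismissed" (admin action)
# mean the risk is closed even though the event record is still listed.
OPEN_STATES = {"atRisk", "confirmedCompromised"}
LEVEL_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample records (not real tenant output).
SAMPLE_DETECTIONS = [
    {"id": "d1", "userPrincipalName": "alice@example.com",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
     "riskState": "remediated", "detectedDateTime": "2024-05-01T08:00:00Z"},
    {"id": "d2", "userPrincipalName": "bob@example.com",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "low",
     "riskState": "atRisk", "detectedDateTime": "2024-05-02T09:30:00Z"},
    {"id": "d3", "userPrincipalName": "bob@example.com",
     "riskEventType": "unlikelyTravel", "riskLevel": "high",
     "riskState": "atRisk", "detectedDateTime": "2024-05-03T17:45:00Z"},
    {"id": "d4", "userPrincipalName": "carol@example.com",
     "riskEventType": "unlikelyTravel", "riskLevel": "medium",
     "riskState": "dismissed", "detectedDateTime": "2024-05-03T18:00:00Z"},
]


def users_needing_followup(detections):
    """Group still-open detections by user; closed records are skipped."""
    report = {}
    for det in detections:
        if det["riskState"] not in OPEN_STATES:
            continue  # event remains in the log, but the risk was reset
        entry = report.setdefault(
            det["userPrincipalName"],
            {"highest": "none", "events": [], "latest": None},
        )
        # Unknown levels (e.g. "hidden") rank lowest instead of raising.
        if LEVEL_ORDER.get(det["riskLevel"], 0) > LEVEL_ORDER[entry["highest"]]:
            entry["highest"] = det["riskLevel"]
        entry["events"].append(det["riskEventType"])
        seen = datetime.fromisoformat(det["detectedDateTime"].replace("Z", "+00:00"))
        if entry["latest"] is None or seen > entry["latest"]:
            entry["latest"] = seen
    return report


if __name__ == "__main__":
    for upn, info in users_needing_followup(SAMPLE_DETECTIONS).items():
        print(upn, info["highest"], info["events"], info["latest"].isoformat())
```
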