
When do Azure Risky Sign In events disappear?

Bas Wijdenes
Contributor

Hi all,

 

Do the Risky Sign In events resolve themselves after a user changes his password? Kinda depends on the Event though. 

I'm working on a script that checks the Risky Sign In events > e-mails the managers. 

I want the events to be resolved after the user made the right actions. 

 

Do they disappear, or is it a 30 days timer? 

8 Replies

Depends on the event. If you don't perform any action, you will see events from up to 90 days. And if you look over at the "Users flagged for risk" tab, you will find entries from a year back or more.

They don't clear, but the risk is removed when a user changes their password, or when an admin dismisses the risk events.

No, that's not true. 

I've tested that and the events do not disappear after a password reset.

I said they didn't clear. The risk associated with the user resets, but the events remain.

My bad. I read that wrong. 

 

Thank you ;)

Remember that all collected data stored in Azure AD depends on your Azure AD edition, and for security signals it starts from 7 days to 90 days.

What does the "Resolve" button do?  I looked through the documentation and they give the button choices, but no description of function.

I don't mind the events being there, but showing an active connection that isn't is disconcerting to say the least.  I was hoping the Resolve function would reset it or something.

 

Finally found the answer: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-user-risk-policy

It manually closes the event, lowering the risk value.
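
Because the thread concludes that events stay listed while only their risk state changes, a notification script like the one described in the question can key on the state rather than on whether an event still exists. The sketch below is an added example, not code from any poster; it assumes records shaped like Microsoft Graph `riskDetection` objects, and the sample records, `detections_to_notify` and the 90-day default are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: riskState values follow the Microsoft Graph riskDetection
# resource. Closed events remain listed as "remediated" or "dismissed".
OPEN_STATES = {"atRisk", "confirmedCompromised"}

# Constructed sample records (not real data).
SAMPLE_NOW = datetime(2018, 7, 10, tzinfo=timezone.utc)
SAMPLE_DETECTIONS = [
    {"id": "d1", "userPrincipalName": "alice@example.com",
     "riskState": "atRisk", "detectedDateTime": "2018-07-01T08:15:00Z"},
    {"id": "d2", "userPrincipalName": "alice@example.com",
     "riskState": "remediated", "detectedDateTime": "2018-06-20T10:00:00Z"},
    {"id": "d3", "userPrincipalName": "bob@example.com",
     "riskState": "dismissed", "detectedDateTime": "2018-06-25T12:30:00Z"},
    {"id": "d4", "userPrincipalName": "carol@example.com",
     "riskState": "atRisk", "detectedDateTime": "2018-03-01T09:00:00Z"},
    {"id": "d5", "userPrincipalName": "bob@example.com",
     "riskState": "confirmedCompromised", "detectedDateTime": "2018-07-05T17:45:00Z"},
    {"id": "d6", "userPrincipalName": "alice@example.com",
     "riskState": "atRisk", "detectedDateTime": "2018-07-02T07:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2018-07-01T08:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detections_to_notify(detections, now, max_age_days=90, already_sent=()):
    """Group by user the detections that still warrant a manager e-mail."""
    cutoff = now - timedelta(days=max_age_days)
    sent = set(already_sent)
    pending = defaultdict(list)
    for det in detections:
        if det["riskState"] not in OPEN_STATES:
            continue  # still listed, but the risk was remediated or dismissed
        if parse_ts(det["detectedDateTime"]) < cutoff:
            continue  # older than the assumed retention window
        if det["id"] in sent:
            continue  # manager was already notified about this event
        pending[det["userPrincipalName"]].append(det["id"])
    return dict(pending)


if __name__ == "__main__":
    print(detections_to_notify(SAMPLE_DETECTIONS, SAMPLE_NOW, already_sent={"d6"}))
```

Persisting the IDs passed as `already_sent` between runs keeps the script from re-mailing managers about an open event on every run.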