SOLVED

Azure AD Risky User question


Hi Tech community,

I already tried to find this out on the internet, but I don't get it yet.

Sometimes in our tenant we run into some risky users, with risky sign-ins. Do I need to set those users on "dismiss user risk", if the login is legit? Another thing: if I select the Risk State on dismissed in the filter, I see many dismissed with actor Azure AD. Will Azure AD automatically dismiss some risky users?

When I look at this docs site https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protectio... I cannot find my answer there.

Regards,

Ricardo

2 Replies
Best Response confirmed by Ricardo92 (Occasional Contributor)
Solution

@Ricardo92

If you are certain that the sign-in is genuine, and effectively a false positive, then yes, you may go ahead and choose to Dismiss User Risk.

Risk policies can be configured to apply automatic remediation, so maybe this is what you are seeing here with the many dismissed risks you are seeing?


@PeterRising Thanks for your reply! I'll go ahead and play with this in my demo tenant.