Hi team,
As you know, there are many noisy alerts in MS risky detections, which take a lot of time and effort from us for investigations.
There is an easy way to tune that out, which is checking the device ID - which mainly tells whether the device used in this suspicious login was an MS managed and registered device or not.
In case it was (already owned and managed by MS Azure), most probably this would be legitimate (because it is hard for the attacker to steal the user's laptop or mobile + password + MFA)
Otherwise, the device used was not MS registered, and thus we would continue further investigation.
As an example of this, there is a login with correlation ID: d1afe59f-9717-4ee4-ab10-ab609d6fd024, and the Device ID was c9aa3175-62a2-46b3-8209-3fbd9c57ffdd
Currently this important field is not directly seen in either the MS Azure portal (e.g. risky detections) or the MS Graph API, so please add it in the future.
That will help us do our work effectively, either manually (from the GUI, only filter on logins where Device ID is null) or automatically (call the MS Graph API, and filter on this field). I have an MS case: 30945856.
Thanks
Ahmad Osman
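The triage rule described in the post, written out as an added example (not code from the post or from Microsoft): join each risky detection to its sign-in event on correlationId and only treat it as likely benign when the sign-in carries a device ID. The record shapes (riskDetection with correlationId/userPrincipalName/riskLevel/riskEventType, signIn with deviceDetail.deviceId) are assumed to follow the Microsoft Graph objects; the records themselves are constructed sample data, and the rule that high-risk detections are never auto-closed is an assumed local policy, not something the post states.

```python
from typing import Optional

# Constructed sample riskDetection records (field names assumed from Graph's riskDetection object).
RISK_DETECTIONS = [
    {"correlationId": "corr-1", "userPrincipalName": "alice@contoso.example",
     "riskLevel": "medium", "riskEventType": "unfamiliarFeatures"},
    {"correlationId": "corr-2", "userPrincipalName": "bob@contoso.example",
     "riskLevel": "high", "riskEventType": "anonymizedIPAddress"},
    {"correlationId": "corr-3", "userPrincipalName": "carol@contoso.example",
     "riskLevel": "low", "riskEventType": "unlikelyTravel"},
    {"correlationId": "corr-4", "userPrincipalName": "dave@contoso.example",
     "riskLevel": "low", "riskEventType": "unfamiliarFeatures"},
]

# Constructed sample signIn records; an unregistered device is assumed to show an
# empty deviceDetail.deviceId. There is deliberately no sign-in row for corr-4.
SIGN_INS = [
    {"correlationId": "corr-1", "deviceDetail": {"deviceId": "device-guid-1", "isManaged": True}},
    {"correlationId": "corr-2", "deviceDetail": {"deviceId": "device-guid-2", "isManaged": True}},
    {"correlationId": "corr-3", "deviceDetail": {"deviceId": "", "isManaged": False}},
]


def device_id_for(correlation_id: str, sign_ins: list) -> Optional[str]:
    """Return the deviceId of the sign-in matching correlation_id, or None if absent/empty."""
    for s in sign_ins:
        if s.get("correlationId") == correlation_id:
            return (s.get("deviceDetail") or {}).get("deviceId") or None
    return None


def triage(detections: list, sign_ins: list, always_investigate=("high",)) -> dict:
    """Split detections into 'likely_benign' (registered device) and 'investigate'.

    A detection with no device ID, or with no matching sign-in at all, is never
    auto-closed: a missing join is not evidence of a managed device. Detections at
    a level in always_investigate stay in the queue even from a registered device.
    """
    result = {"likely_benign": [], "investigate": []}
    for d in detections:
        dev = device_id_for(d["correlationId"], sign_ins)
        entry = {"user": d["userPrincipalName"], "riskEventType": d["riskEventType"],
                 "riskLevel": d["riskLevel"], "deviceId": dev}
        if dev and d["riskLevel"] not in always_investigate:
            result["likely_benign"].append(entry)
        else:
            result["investigate"].append(entry)
    return result


if __name__ == "__main__":
    for bucket, items in triage(RISK_DETECTIONS, SIGN_INS).items():
        print(bucket, [(e["user"], e["deviceId"]) for e in items])
```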