How to use confirm sign in compromised/safe

It's really unclear how I should use these options in most typical circumstances. For instance, someone attempted to log in as one of our users, from another state. It wasn't the user, but the login was not successful due to MFA. So, the login wasn't technically compromised - the threat actor did not gain access to our tenant. But it wasn't "Safe" either - it was not initiated by an authorized user. Unless it was safe because it wasn't compromised? This is confusing!


I cannot simply dismiss the instance; I must choose compromised or safe. So, which is it?

1 Reply
Did you figure this out in the end?

I'm in the same situation... The risky sign-in had failed, so there was no breach, but it wasn't a legit sign-in either.