Nov 21 2021 05:19 AM
Hi Guys,
I wonder if I can edit the 'Risky sign-in' policy in Microsoft Defender for Cloud Apps. It looks like I can only edit the 'Trigger alerts with a minimum severity of' setting. I am trying to exclude a certain IP, so I won't get an alert when someone is logging in from it. I already added this IP to the whitelist option in 'Tag as a Corporate IP and add to whitelist', but I still get alerts when there is any activity from this IP.
Thank you for your help.
Nov 22 2021 06:45 AM - edited Nov 22 2021 06:47 AM
@ozh123 ,
Risky sign-in detections are ingested from Azure Identity Protection to MCAS (the reason you cannot add exclusions on this particular MCAS policy):
In this case, create a new trusted IP range in the Azure IdP blade: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/NamedLocationsBlade
Also, one more option to remove this IP from showing up in false positive alerts: whitelist it and tag it as VPN from MCAS:
Type in the IP and whatever tag name for your reference:
I do not like this too much due to descriptive inaccuracy, since those IPs I want to whitelist are not my company's VPNs, but it seems to help in many cases so they do not show up in alerts anymore.
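The trusted IP range that the reply above creates in the portal can also be created with Microsoft Graph PowerShell. This is an added example, not part of the original thread; it assumes the Microsoft.Graph.Identity.SignIns module is installed, and the display name and CIDR are constructed placeholders.

```powershell
# Added example: create (or update) a trusted IP named location, then list
# every trusted range so the set of exclusions stays small and reviewed.
# Display name and CIDR are constructed placeholders, not values from the thread.
$DisplayName = 'Trusted egress IP (example)'
$Cidrs       = @('203.0.113.10/32')   # documentation range; replace with the real IP

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Request body for an ipNamedLocation marked as trusted.
$body = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = $DisplayName
    isTrusted     = $true
    ipRanges      = @($Cidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Look for an existing location with the same name to avoid duplicates.
$existing = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq $DisplayName } |
    Select-Object -First 1

if ($existing) {
    Update-MgIdentityConditionalAccessNamedLocation `
        -NamedLocationId $existing.Id -BodyParameter $body
} else {
    New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body | Out-Null
}

# Review: show every named location currently flagged as trusted.
Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.AdditionalProperties['isTrusted'] } |
    ForEach-Object {
        [pscustomobject]@{
            Id          = $_.Id
            DisplayName = $_.DisplayName
            Ranges      = ($_.AdditionalProperties['ipRanges'] |
                           ForEach-Object { $_['cidrAddress'] }) -join ', '
        }
    }
```

Keep the range as narrow as possible (a /32 for a single address), since every trusted range is one more place where sign-ins are treated as lower risk.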