Editing 'Risky sign-in' policy in Microsoft Defender for Cloud Apps


Hi Guys,

I wonder if I can edit the 'Risky sign-in' policy in Microsoft Defender for Cloud Apps. It looks like I can only edit 'Trigger alerts with a minimum severity of'. I am trying to exclude a certain IP, so I won't get an alert when someone is logging in from it. I already added this IP to the whitelist option in 'Tag as a Corporate IP and add to whitelist', but I still get alerts when there is any activity from this IP.


Thank you for your help.

2 Replies

@ozh123 ,

Risky sign-in detections are ingested from Azure Identity Protection into MCAS (which is the reason you cannot add exclusions on this particular MCAS policy).

In this case create a new trusted IP range in Azure IdP blade: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/NamedLocationsBlade


Also, one more option to stop this IP from showing up in false-positive alerts: whitelist it and tag it as VPN from MCAS.

Type in the IP and whatever tag name you want for your reference.

I do not like this too much due to the descriptive inaccuracy, since those IPs I want to whitelist are not my company's VPNs, but it seems to help in many cases so they don't show up in alerts anymore.
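As an added example (not from the thread) of what the trusted-range step amounts to at the API level: the Named Locations blade linked above is backed by the Microsoft Graph `namedLocations` resource. This Python builds the `ipNamedLocation` body with `isTrusted` set and checks which sign-in IPs the listed ranges actually cover, which is the first thing to verify when alerts keep coming after a range was added. The endpoint and property names are Graph's; the IP addresses are constructed samples.

```python
"""Build a trusted named-location body for Microsoft Graph and check
which sign-in IPs it covers. Added example, not from the thread."""
import ipaddress
import json

# Graph endpoint behind the Named Locations blade (POST the body here
# with a token holding Policy.ReadWrite.ConditionalAccess).
GRAPH_NAMED_LOCATIONS = (
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
)


def build_trusted_location(display_name, cidrs):
    """Return the ipNamedLocation JSON body for a trusted IP range.

    Each entry in cidrs is a v4 or v6 CIDR string; a bare address is
    widened to its own /32 or /128 so a single host can be listed.
    """
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        odata = ("#microsoft.graph.iPv4CidrRange" if net.version == 4
                 else "#microsoft.graph.iPv6CidrRange")
        ranges.append({"@odata.type": odata, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,  # the flag Identity Protection honours
        "ipRanges": ranges,
    }


def is_covered(ip, location):
    """True if ip falls inside any range of the location body."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["cidrAddress"])
               for r in location["ipRanges"])


if __name__ == "__main__":
    # Constructed sample: an office egress /29 plus one admin host.
    loc = build_trusted_location("Office egress (constructed)",
                                 ["203.0.113.8/29", "198.51.100.7"])
    print(json.dumps(loc, indent=2))
    for probe in ["203.0.113.10", "203.0.113.20", "198.51.100.7"]:
        print(probe, "trusted" if is_covered(probe, loc) else "NOT trusted")
```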


@ozh123 Addressing unwarranted 'Risky sign-in' alerts in Microsoft Defender for Cloud Apps necessitates engaging with Azure Identity Protection to establish a trusted IP range. This step is critical because it directly influences the source of risk assessments, thereby potentially reducing alerts for whitelisted IPs. If alerts continue despite this measure, consider the alternative of tagging the IP as a VPN in Defender for Cloud Apps, albeit with caution due to possible inaccuracies.


These actions represent a focused approach to refining alert mechanisms and ensuring that they align with your network's actual security posture.