Editing 'Risky sign-in' policy in Microsoft Defender for Cloud Apps


Hi Guys,

I wonder if I can edit the 'Risky sign-in' policy in Microsoft Defender for Cloud Apps. It looks like I can only edit 'Trigger alerts with a minimum severity of'. I am trying to exclude a certain IP, so I won't get an alert when someone logs in from it. I already added this IP to the whitelist option in 'Tag as a Corporate IP and add to whitelist', but I still get alerts when there is any activity from this IP.

[Image: ozh123_0-1637500784181.png]

Thank you for your help.

1 Reply

@ozh123 ,

Risky sign-in detections are ingested from Azure Identity Protection into MCAS (which is the reason exclusions cannot be added on this particular MCAS policy):

[Image: marka01_0-1637591448591.png]

In this case, create a new trusted IP range in the Azure IdP blade: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/NamedLocationsBlade

[Image: marka01_1-1637591919009.png]

Also, one more option to stop this IP from showing up in false positive alerts is to whitelist it and tag it as VPN from MCAS:

[Image: marka01_2-1637592038256.png]

Type in the IP and whatever tag name you want for your reference:

[Image: marka01_3-1637592142425.png]

I do not like this too much due to the descriptive inaccuracy, since those IPs I want to whitelist are not my company's VPNs, but it seems to help in many cases so they do not show up in alerts anymore.
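The reply above points at the Azure AD named-locations blade for the trusted IP range. The example below is added here and is not code from the thread or from Microsoft; it shows what that step looks like if done programmatically rather than in the portal. It builds the request body that the Microsoft Graph `POST /identity/conditionalAccess/namedLocations` endpoint expects for an `ipNamedLocation` resource, validates each range with Python's `ipaddress` module so a typo such as a host address with a wrong prefix is rejected before it reaches the tenant, and includes a small check that tells you whether a given sign-in IP actually falls inside the trusted ranges you configured. The display name, the IP ranges and the sign-in addresses are constructed sample values; the HTTP call itself is not made, so the block runs offline.

```python
import ipaddress
import json

# Microsoft Graph v1.0 endpoint for Conditional Access named locations.
GRAPH_NAMED_LOCATIONS_URL = (
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
)


def build_trusted_ip_location(display_name, cidrs, is_trusted=True):
    """Build the JSON body for creating an ipNamedLocation via Microsoft Graph.

    Every entry in `cidrs` must be CIDR notation (a single host is written as
    /32 for IPv4 or /128 for IPv6). ipaddress.ip_network(strict=True) raises
    ValueError when host bits are set, e.g. "203.0.113.5/24", which would
    otherwise silently trust the whole /24 instead of one address.
    """
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        odata_type = (
            "#microsoft.graph.iPv4CidrRange"
            if net.version == 4
            else "#microsoft.graph.iPv6CidrRange"
        )
        ranges.append({"@odata.type": odata_type, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": is_trusted,
        "ipRanges": ranges,
    }


def is_trusted_source(ip, named_locations):
    """Return the display name of the first trusted named location whose
    ranges contain `ip`, or None when the address is not covered.

    This mirrors the question an admin asks after configuring the location:
    will a sign-in from this address be treated as coming from a trusted IP?
    """
    addr = ipaddress.ip_address(ip)
    for loc in named_locations:
        if not loc.get("isTrusted"):
            continue
        for r in loc.get("ipRanges", []):
            if addr in ipaddress.ip_network(r["cidrAddress"]):
                return loc["displayName"]
    return None


if __name__ == "__main__":
    # Constructed sample: one office egress address and one branch range.
    body = build_trusted_ip_location(
        "Office egress (constructed sample)",
        ["203.0.113.5/32", "198.51.100.0/24"],
    )
    print(f"POST {GRAPH_NAMED_LOCATIONS_URL}")
    print(json.dumps(body, indent=2))

    # Constructed sign-in source addresses to check against the new location.
    for src in ("203.0.113.5", "198.51.100.77", "192.0.2.9"):
        print(src, "->", is_trusted_source(src, [body]) or "not trusted")
```

The body is sent with a bearer token that holds the `Policy.ReadWrite.ConditionalAccess` permission; keep the trusted list narrow (/32 entries for single addresses) because any sign-in from a trusted location is treated as lower risk by Identity Protection, which is exactly the effect the reply is relying on.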