Editing 'Risky sign-in' policy in Microsoft Defender for Cloud Apps


Hi Guys,

I wonder if I can edit the 'Risky sign-in' policy in Microsoft Defender for Cloud Apps. It looks like I can only edit the 'Trigger alerts with a minimum severity of' setting. I am trying to exclude a certain IP, so I won't get an alert when someone is logging in from it. I already added this IP to the whitelist option in 'Tag as a Corporate IP and add to whitelist', but I still get alerts when there is any activity from this IP.

Thank you for your help.

1 Reply

@ozh123 ,

Risky sign-in detections are ingested from Azure Identity Protection to MCAS (the reason you cannot add exclusions on this particular MCAS policy):


In this case, create a new trusted IP range in the Azure IdP blade: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/NamedLocationsBlade


Also, one more option to remove this IP from showing up in false positive alerts: whitelist and tag as VPN from MCAS:


Type in the IP and whatever tag name for your reference:


I do not like this too much due to descriptive inaccuracy, since those IPs I want to whitelist are not my company's VPNs, but it seems to help in many cases so they do not show up in alerts anymore.
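
One way to script the trusted named location described in the reply above, as an added example that is not part of the original thread or Microsoft's own code. It assumes the Microsoft Graph PowerShell SDK is installed; the display name, the IP range and the /24 width limit are constructed placeholders.

```powershell
# Added example: create a trusted IP named location through Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Identity.SignIns module and an account allowed to
# manage Conditional Access named locations.
# Constructed placeholders: 203.0.113.0/24 is a documentation-only range.
$displayName = 'Branch office egress (example)'
$cidr        = '203.0.113.10/32'

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Sign-ins from a trusted range are treated as lower risk, so keep the range narrow.
# The /24 limit is an example threshold chosen for this sketch, not a product rule.
$prefix = [int]($cidr -split '/')[1]
if ($prefix -lt 24) {
    throw "Range $cidr is wider than /24; narrow it before marking it trusted."
}

# Do not create a duplicate if an existing named location already lists this range.
$existing = Get-MgIdentityConditionalAccessNamedLocation -All | Where-Object {
    $_.AdditionalProperties.ipRanges.cidrAddress -contains $cidr
}
if ($existing) {
    Write-Output "Range already present in: $($existing.DisplayName -join ', ')"
    return
}

# ipNamedLocation with isTrusted = $true is the API form of a trusted IP range.
$body = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = $displayName
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $cidr }
    )
}
$created = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body
Write-Output "Created named location $($created.DisplayName) with id $($created.Id)"
```

Reviewing the output of `Get-MgIdentityConditionalAccessNamedLocation -All` periodically shows which ranges are currently marked trusted, so stale entries can be removed.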