Dec 16 2020
- last edited on
Jan 14 2022
Currently, I am trying to better understand Azure AD Identity Protection. To be honest, despite the documentation it is still not totally clear for me what is the difference between the "Risk detections" and the risky users and risky sign-igns within the Report blade. I thought that risk detection is a kind of summary of risky users and risky sign-ins. This opinion I had after I saw that a filter "Activity" is available that can filter by "users" and "Sign-ins" - but in that case all the detections disappear. That is why i was confused about the relationship between them.
A second thing that is not clear is if I really understood the concept of risky users & Risky sign-ins: Risky users are calculated as a consequence of detected sign-in risks?
The last thing is: When i get a "unfamiliar sign-in properties" risk, where I can see what actually was the reason to alert resp. what was the risk parameter the algorithm detected as unfamiliar?
Thank you in advance,
Dec 16 2020 03:37 PM
I would suggest you to have a look on the ignite session The science behind Azure Active Directory Identity Protection
This will answers a couple of questions that might not be included in the documentation for Identity Protection.
Dec 17 2020 12:12 AM
Hi @Pontus Själander ¨
Unfortunatley, it does not answer my questions. Can anyone give some more hints?
Dec 17 2020 11:12 AM