cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure Identity Protection - Clarity about the report options

GlavniArhivator
Copper Contributor

‎Dec 16 2020 05:11 AM - last edited on ‎Jan 14 2022 04:26 PM by

‎Dec 16 2020 05:11 AM - last edited on ‎Jan 14 2022 04:26 PM by

Azure Identity Protection - Clarity about the report options

Hi everyone

 

Currently, I am trying to better understand Azure AD Identity Protection. To be honest, despite the documentation it is still not totally clear for me what is the difference between the "Risk detections" and the risky users and risky sign-igns within the Report blade. I thought that risk detection is a kind of summary of risky users and risky sign-ins. This opinion I had after I saw that a filter "Activity" is available that can filter by "users" and "Sign-ins" - but in that case all the detections disappear. That is why i was confused about the relationship between them.

 

A second thing that is not clear is if I really understood the concept of risky users & Risky sign-ins: Risky users are calculated as a consequence of detected sign-in risks? 

 

The last thing is: When i get a "unfamiliar sign-in properties" risk, where I can see what actually was the reason to alert resp. what was the risk parameter the algorithm detected as unfamiliar?

 

Thank you in advance,
Cheers

1,272 Views
1 Like
3 Replies
Reply
3 Replies
Pontus Själander

‎Dec 16 2020 03:37 PM

‎Dec 16 2020 03:37 PM

Re: Azure Identity Protection - Clarity about the report options

@GlavniArhivator 
I would suggest you to have a look on the ignite session The science behind Azure Active Directory Identity Protection
This will answers a couple of questions that might not be included in the documentation for Identity Protection.

0 Likes
Reply
GlavniArhivator

‎Dec 17 2020 12:12 AM

‎Dec 17 2020 12:12 AM

Re: Azure Identity Protection - Clarity about the report options

Hi @Pontus Själander ¨

 

Unfortunatley, it does not answer my questions. Can anyone give some more hints?

 

Thanks

0 Likes
Reply
Thijs Lecomte

‎Dec 17 2020 11:12 AM

‎Dec 17 2020 11:12 AM

Re: Azure Identity Protection - Clarity about the report options

A risk detection is when a user does something risky. Like logging in from a 'Malware Linked IP'. The moment the user logs in from a malware linked IP, this will be a risky sign-in. The reason for this risky sign-in will be the risk detection will be 'Malware linked IP'.
A sign-in can have a score (low/medium/high), but a user can also have risk score. These are calculated from the multiple risky signins (simply put 2 low sign-ins create a medium risky user). A admin can also confirm a user as confirmed, then the user risk is also increased.

For the unfamiliar sign-ins: Microsoft does not publish why the alert is exactly triggered. Most of the time this is because of a new IP or new device. So these are the two things I look into.
1 Like
Reply