Sep 10 2020 - last edited on Jan 14 2022
Under User Sign-in events, one of the users has multiple sign-in attempts from 4 different countries. 2 countries were successful, another 2 failed. All happened within the same day.
Shouldn't that generate a record under "Risky Sign-in" or "Risky Users"? There is no entry triggered for this user.
On what logic does Azure AD consider the attempt as "Risky Sign-ins/User"? Will a "failure" attempt from another country trigger a risky record?
Sep 10 2020 11:39 AM
Hi, do you have Azure AD Premium P2 licensing please? You will need this in order for these features of Identity Protection to work. This is also included in EM+S E5 and M365 E5.
Sep 11 2020 01:05 AM
Yes, I do have the license for that. Hence I noticed the inconsistency. Some users did trigger Risky Sign-ins/User records, but in the case I highlighted, it did not.
So I was trying to understand the "logic/conditions" used in the backend to monitor such a scenario.
Sep 11 2020 03:17 AM Solution
@cllee Hi, I suppose this could explain what you've experienced? At least we did some testing and could only trigger it when it looked as if the sign-in location/country was unfamiliar.
"The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior."
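As an added illustration (not part of the thread and not Microsoft's actual algorithm), the conditions in the quoted documentation can be modelled over exported sign-in records to see why a day with sign-ins from several countries may still produce no risk record. The record layout, the `ORG_COMMON_USERS` threshold, the "familiar country" rule and the sample data are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEARNING_DAYS, LEARNING_LOGINS = 14, 10  # learning period from the quoted documentation
ORG_COMMON_USERS = 2  # assumption: a country used by 2+ other users is "regularly used"

# Constructed sample records: (user, timestamp, country, succeeded)
SAMPLE = [
    ("alice", "2020-08-01T09:00:00", "MY", True),   # alice's history starts here
    ("bob",   "2020-08-01T09:00:00", "US", True),
    ("carol", "2020-08-02T09:00:00", "US", True),
    ("alice", "2020-09-10T08:00:00", "MY", True),   # familiar country
    ("alice", "2020-09-10T09:00:00", "US", True),   # used by other users in the org
    ("alice", "2020-09-10T10:00:00", "RU", False),
    ("alice", "2020-09-10T11:00:00", "CN", False),
    ("alice", "2020-09-10T12:00:00", "BR", True),
    ("dave",  "2020-09-10T08:00:00", "DE", True),   # new user, still in learning period
    ("dave",  "2020-09-10T09:00:00", "FR", True),
    ("dave",  "2020-09-10T10:00:00", "JP", False),
]

def review_days(events, min_countries=2):
    """Return {(user, day): {country: any_success}} for days with sign-ins from
    min_countries or more countries that are neither familiar nor org-common."""
    events = sorted(events, key=lambda e: e[1])
    users_by_country = defaultdict(set)
    for user, _, country, _ in events:
        users_by_country[country].add(user)
    first_seen, logins = {}, defaultdict(int)
    familiar, per_day = defaultdict(set), defaultdict(dict)
    for user, ts, country, ok in events:
        when = datetime.fromisoformat(ts)
        first_seen.setdefault(user, when)
        # Learning ends at the earliest of 14 days or 10 logins.
        learning = (when - first_seen[user] < timedelta(days=LEARNING_DAYS)
                    and logins[user] < LEARNING_LOGINS)
        logins[user] += 1
        if learning:
            familiar[user].add(country)      # countries seen while learning
            continue
        if country in familiar[user]:
            continue                         # known location for this user
        if len(users_by_country[country] - {user}) >= ORG_COMMON_USERS:
            continue                         # location regularly used by other users
        day = per_day[(user, when.date().isoformat())]
        day[country] = day.get(country, False) or ok
    return {k: v for k, v in per_day.items() if len(v) >= min_countries}
```

On the sample, only alice's day is returned, with the three unfamiliar countries and whether any sign-in from each succeeded; dave's three-country day is suppressed because he is still inside the learning period.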
Sep 12 2020 04:17 AM
@ChristianBergstrom Good shout my friend. I really didn't read this post correctly.
Sep 12 2020 06:44 AM