When do Azure Risky Sign In events dissapear?


Hi all,


Do the Risky Sign In events resolve themselves after a user changes his password? Kinda depends on the Event though. 

I'm working on a script that checks the Risky Sign In events > e-mails the managers. 

I want the events to be resolved after the user made the right actions. 


Do they disappear, or is it a 30 days timer? 

8 Replies

Depends on the event. If you don't perform any action, you will see events from up to 90 days. And if you look over at the "Users flagged for risk" tab, you will find entries from year back or more.

They don't clear, but the risk is removed when a user changes their password, or when an admin dismissed the risk events.

No, that's not true. 

I've tested that and the events do not dissapear after a password reset.

I said they didn't clear. The risk associated with the user resets, but the events remain.

My bad. I read that wrong. 


Thank you ;)

remember that all collected data stored in Azure AD depended on your Azure AD edition, and for security signals its starts from 7 days to 90 days.

What does the "Resolve" button do?  I looked through the documentation and they give the button choices, but no description of function.

I don't mind the events being there, but showing an active connection that isn't is disconcerting to say the least.  I was hoping the Resolve function would reset it or something.


Finally found the answer: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-user-risk-policy

It manually closes the event, lowering the risk value.