Forum Discussion
When do Azure Risky Sign In events dissapear?
Hi all,
Do the Risky Sign In events resolve themselves after a user changes his password? Kinda depends on the Event though.
I'm working on a script that checks the Risky Sign In events > e-mails the managers.
I want the events to be resolved after the user made the right actions.
Do they disappear, or is it a 30 days timer?
What does the "Resolve" button do? I looked through the documentation and they give the button choices, but no description of function.
I don't mind the events being there, but showing an active connection that isn't is disconcerting to say the least. I was hoping the Resolve function would reset it or something.
- Finally found the answer: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-user-risk-policy
It manually closes the event, lowering the risk value.
Depends on the event. If you don't perform any action, you will see events from up to 90 days. And if you look over at the "Users flagged for risk" tab, you will find entries from year back or more.
They don't clear, but the risk is removed when a user changes their password, or when an admin dismissed the risk events.
No, that's not true.
I've tested that and the events do not dissapear after a password reset.
