impossible travel exclude one user best practice

We want to exclude one user from impossible travel and want to know the best, recommended way to do this so we do not go down the wrong path.

I was thinking of making a group with all users, but then we would have to constantly keep updating that group. Is there a rule that can be made to exclude just one person from it and enable it on the whole account?

3 Replies
Hi Kasey170,

As per the following article you can exclude users on the detection policy.

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

Select Exclude to specify users for whom this policy won't apply. Any user selected here won't be considered a threat and won't generate an alert, even if they're members of groups selected under Include.

Hope that helps and answers your question!

Best, Chris

I believe the author is referring to the Azure AD Risk events, not necessarily the CAS rules. Although the information presented should be the same, the options we have to configure those differ.

Hi @Vasil Michev

Sure! It is here if they are referring to excluding users from the Azure AD Risk Events policy:

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-user-risk-policy

Thanks for pointing this out.

Best, Chris