Users flagged for risk - Azure AD Identity Protection

So new to the Azure AD Identity Protection.

 

So I get the email for Azure AD Identity Protection Weekly Digest. So my user visits Canada and I get the alert and I know he is in Canada, I have confirmed it with him and his Admin. Under details, do I mark Resolve or Mark as false positive?

 

I would believe it should be mark as false positive so yes the person did visit this location.

 

Please confirm if I am correct, thanks.

 

7 Replies
Solution

I would agree with you that this would be considered a false positive if the user did visit the country noted.  I would suggest using "Resolved" if, for example, you found that he did not visit the country so you reset the password on the account and investigated the event further.

@Jerry Gonzalez 

 

It's a little bit late, but I think this could help others:

You can read about this here:

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-close-active-risk-...

 

So, in your case (travel to Canada) the best option would have been "Resolve" or "Ignore".

 

 

  • Resolve - If after investigating a risk event, you took an appropriate remediation action outside Identity Protection, and you believe that the risk event should be considered closed, mark the event as Resolved. Resolved events will set the risk event’s status to Closed and the risk event will no longer contribute to user risk.

  • Mark as false-positive - In some cases, you may investigate a risk event and discover that it was incorrectly flagged as risky. You can help reduce the number of such occurrences by marking the risk event as False-positive. This will help the machine learning algorithms to improve the classification of similar events in the future. The status of false-positive events is set to Closed and they will no longer contribute to user risk.

  • Ignore - If you have not taken any remediation action, but want the risk event to be removed from the active list, you can mark a risk event Ignore and the event status will be Closed. Ignored events do not contribute to user risk. This option should only be used under unusual circumstances.

  • Reactivate - Risk events that were manually closed (by choosing Resolve, False positive, or Ignore) can be reactivated, setting the event status back to Active. Reactivated risk events contribute to the user risk level calculation. Risk events closed through remediation (such as a secure password reset) cannot be reactivated.

 

Thanks for the link.

Short question: by default, are there any User Risk or Identity Risk Policies activated which act by default? For example, block the sign-in or something which creates an impact. I'm asking before we add licenses to our contract to know if I have to configure something before. Because our users are traveling around the world a lot and I don't want to have any impact because of a false detection, I don't want to have 200 accounts blocked because of an automatically acting policy.

 

Thank you very much.

@MS_TechGuy 

 

Have a look at Azure AD Identity Protection:

Is the switch "Enforce Policy" set to "On" in the blade User risk policy or in Sign-in risk policy?

Additionally, there was a view in Azure to see what rules are there, but unfortunately I can't find it right now :D (e.g. "unusual location / impossible travel / ..."). I thought it was somewhere in https://protection.office.com

@PatrickF11 

 

Hey, currently when I click on this I get "To start please download Azure AD Identity Protection from the Azure Marketplace" - so I think nothing is enabled from a policy site, right?

 

But I can see many users flagged as medium risk because of traveling and accessing services from different IPs.

 

Sorry, the screenshot is in German, but you can see the message at the bottom, marked in yellow.