cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Users flagged for risk

Shane Toal
Copper Contributor

‎Jun 12 2017 03:51 PM

‎Jun 12 2017 03:51 PM

Users flagged for risk

I am seeing quite a few of my customers Office 365 users flagged for risk in Azure AD and recieving a notificaiton in their Office 365 portal.

 

It seems without a Azure AD premium you can't tell what type of security risk it is.

Has anyone else figured a way of deciding if these events should be dealt or not?

Or is the only option to investigate each user listed in the report and treat their account as comprimised and reset password, check mailbox etc?

 

Here is the message we recieved in our Office 365 portal:


Microsoft has detected unusual activity that may indicate unauthorized access to some of your users’ accounts. We are providing this notification so you can review and take action. This notification does not mean that Microsoft’s own systems have in any way been compromised.

Microsoft is providing you the ability to review the affected users through an online Azure Active Directory Report. 

Labels:
7,326 Views
0 Likes
3 Replies
Reply
3 Replies
Shane Toal

‎Jun 12 2017 04:13 PM

‎Jun 12 2017 04:13 PM

Re: Users flagged for risk

I have just enabled the Azure AD premium trial and looked at the users on the list most of them don't have any suspecious activity in the last month, the ones that do are all Sign-in from unfamiliar location.

 

I think for the free and basic versions of this Users flagged for risk tool, each warning should have a risk level rating, as resetting a user password just becouse they signed in from a different location is not a reason to reset their password and review their whole mailbox.

 

This makes the current information a waste of time, and will make Office 365 admins just ignore report which is not good.

1 Like
Reply
Jonathan Frericks

‎Jul 23 2017 05:32 PM

‎Jul 23 2017 05:32 PM

Re: Users flagged for risk

I agree. It feels like an upsell attempt. 

 

I got a list of 100+ at-risk users. The first one I investigated had a mere 4 connections from a single application, from a single source IP. The only thing suspicious was how infrequently the user checked their email from their phone.

 

The main problem now is that the managers are starting to panic. 

 

 

0 Likes
Reply
Daniel Westerdale

‎Jul 25 2017 01:16 AM

‎Jul 25 2017 01:16 AM

Re: Users flagged for risk

Hi

 

I have enabled AD Premium 30 day trial  on half of a client via the AD Admin Classic Portal.  I have 20 or so users flagged for risk to step through. I wondered if there isn't a bit of PowerShell to create a CSV file listing each user and risk notification. 

0 Likes
Reply