
Users flagged for risk

Shane Toal
New Contributor

I am seeing quite a few of my customers' Office 365 users flagged for risk in Azure AD and receiving a notification in their Office 365 portal.

 

It seems without Azure AD Premium you can't tell what type of security risk it is.

Has anyone else figured out a way of deciding whether these events should be dealt with or not?

Or is the only option to investigate each user listed in the report and treat their account as compromised: reset the password, check the mailbox, etc.?

 

Here is the message we received in our Office 365 portal:


Microsoft has detected unusual activity that may indicate unauthorized access to some of your users’ accounts. We are providing this notification so you can review and take action. This notification does not mean that Microsoft’s own systems have in any way been compromised.

Microsoft is providing you the ability to review the affected users through an online Azure Active Directory Report. 

3 Replies

I have just enabled the Azure AD Premium trial and looked at the users on the list; most of them don't have any suspicious activity in the last month, and the ones that do are all "Sign-in from unfamiliar location".

 

I think for the free and basic versions of this Users flagged for risk tool, each warning should have a risk level rating, as a user signing in from a different location is not a reason to reset their password and review their whole mailbox.

 

This makes the current information a waste of time, and will make Office 365 admins just ignore the report, which is not good.

I agree. It feels like an upsell attempt. 

 

I got a list of 100+ at-risk users. The first one I investigated had a mere 4 connections from a single application, from a single source IP. The only thing suspicious was how infrequently the user checked their email from their phone.

 

The main problem now is that the managers are starting to panic. 

 

 

Hi

 

I have enabled the AD Premium 30-day trial on half of a client via the AD Admin Classic Portal. I have 20 or so users flagged for risk to step through. I wondered if there isn't a bit of PowerShell to create a CSV file listing each user and their risk notification.
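As an added example (not code from anyone in this thread), the following PowerShell builds the CSV the last reply asks for: one row per user flagged for risk, with the risk level, risk state and the individual detections behind the flag, sorted so the highest-risk users come first. It uses the Microsoft Graph PowerShell SDK cmdlets Get-MgRiskyUser and Get-MgRiskDetection, which are the current replacement for the classic-portal report discussed above; the Identity Protection APIs they call require Azure AD Premium P2 (now Entra ID P2) licensing, so a trial like the one mentioned is needed. The output path, the -ActiveOnly switch and the sort order are my choices, not anything Microsoft prescribes.

```powershell
# Added example: export users flagged for risk, plus the detections behind each flag, to a CSV.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph -Scope CurrentUser)
# and Azure AD Premium P2 / Entra ID P2 for the Identity Protection APIs.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

param(
    # Output path is an assumption for this example; change to suit.
    [string]$OutFile = ".\RiskyUsers-$(Get-Date -Format 'yyyyMMdd-HHmm').csv",
    # When set, keep only users whose risk is still open (not remediated or dismissed by an admin).
    [switch]$ActiveOnly
)

# Read-only scopes are enough for reporting; no write permission is requested.
Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All' -NoWelcome

# One object per risky user, the same population as the "Users flagged for risk" report.
$riskyUsers = @(Get-MgRiskyUser -All)
if ($ActiveOnly) {
    $riskyUsers = @($riskyUsers | Where-Object { $_.RiskState -in 'atRisk', 'confirmedCompromised' })
}

# Every individual detection (e.g. unfamiliarFeatures, anonymizedIPAddress), grouped by user id
# so each user row can say what actually triggered the flag instead of just "at risk".
$detectionsByUser = Get-MgRiskDetection -All | Group-Object -Property UserId -AsHashTable -AsString
if (-not $detectionsByUser) { $detectionsByUser = @{} }   # tenant with no detections at all

$rows = foreach ($u in $riskyUsers) {
    # Filter out the $null that indexing a missing key produces, so Count is 0 for clean users.
    $dets = @($detectionsByUser[$u.Id] | Where-Object { $_ })
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.UserDisplayName
        RiskLevel         = [string]$u.RiskLevel   # high / medium / low / hidden / none
        RiskState         = [string]$u.RiskState   # atRisk / confirmedCompromised / remediated / dismissed ...
        RiskDetail        = [string]$u.RiskDetail
        RiskLastUpdated   = $u.RiskLastUpdatedDateTime
        DetectionCount    = $dets.Count
        DetectionTypes    = (@($dets.RiskEventType) | Where-Object { $_ } | Sort-Object -Unique) -join ';'
        DetectionIPs      = (@($dets.IpAddress)     | Where-Object { $_ } | Sort-Object -Unique) -join ';'
        LastDetection     = (@($dets.DetectedDateTime) | Where-Object { $_ } | Sort-Object | Select-Object -Last 1)
    }
}

# Triage order: highest risk level first, then most recently updated. Unknown levels sort last.
$levelOrder = @{ high = 0; medium = 1; low = 2; hidden = 3; none = 4 }
$sorted = $rows | Sort-Object -Property @(
    @{ Expression = { if ($levelOrder.ContainsKey($_.RiskLevel)) { $levelOrder[$_.RiskLevel] } else { 9 } } },
    @{ Expression = 'RiskLastUpdated'; Descending = $true }
)

$sorted | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("Wrote {0} risky users to {1}" -f @($sorted).Count, $OutFile)
```

Run it once without -ActiveOnly to see the full list the portal shows, then with -ActiveOnly to get only the accounts that still need a decision. The RiskState column is what separates "needs action" from "already handled": a row with RiskState remediated means the user already completed a password reset or MFA challenge, and dismissed means an admin has already reviewed it, so neither needs the full compromised-account workflow the original post describes.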