eliekarkafy
Feb 24, 2023

Report suspicious activity (Preview)

Allows users to report suspicious activities if they receive an authentication request that they did not initiate. This control is available when using the Microsoft Authenticator app and voice calls. Reporting suspicious activity will set the user's risk to high. If the user is subject to risk-based Conditional Access policies, they may be blocked.

 

  • hitman1600
    Copper Contributor

    eliekarkafy We recently saw a Message Center notification informing us that MFA Fraud Alert would be replaced by the new Report Suspicious Activity settings (as shown in your screenshot) in March 2025.

    One concern we have about this change is that the new Report Suspicious Activity settings will automatically set the user's risk to high when they report the activity. The new settings do not allow an organization to choose whether the user's risk is updated to high or remains unchanged.

    Due to the high number of accidental and false positive reports, we do not currently automatically block users who report fraud or require them to change their passwords based upon a fraud/suspicious activity submission. We do this only after our internal security team has investigated the report and confirmed the situation with the user.

    My request is that Microsoft consider adding an opt-in/out option for automatically assigning high risk to users who report suspicious activity. If we are unable to opt out of automatically setting a user's risk to high upon reporting suspicious activity, then we have to consider disabling the new settings when they replace the MFA Fraud Alert settings in March to avoid additional password resets due to a user's accidental or uninformed suspicious activity submission.

  • chilledchill
    Copper Contributor
    Hi, while the configuration piece is clear, the reporting side is unclear. How will the users be able to notify through the Authenticator app or voice call? Is there any specific version of the Authenticator app that has this setting available to view? I am currently on Authenticator app version 6.7.5, which was updated 3 weeks back. Haven't seen any such options in the app.
  • Sruthyy
    Copper Contributor
    Hi, in addition to this, Microsoft recently announced new enhancements to reporting suspicious emails. Now, users can report phish or junk emails from any mailbox, irrespective of their type. It's great news for security admins and cybersecurity experts to improve security in M365 environments. Learn more about the new enhancements and how they will be useful in the blog below.
    https://blog.admindroid.com/reporting-suspicious-messages-in-m365-shared-and-delegated-mailboxes/
    • eliekarkafy
      MVP

      Anthony Cotton Hi, there is no explanation till now for the reporting code usage in any MS documentation. I used to change the reporting code during my initial testing for that feature and couldn't notice any changes on the level of the user experience or in the user detection logs on Azure.

      It might be a parameter for the feature, or it might be something for future use.

  • Super_Jay
    Copper Contributor
    Can anyone please share a screenshot of what the users see when they can report suspicious activity?
