Does the Risky Sign-ins report include failed attempts or only successful logins that are suspected as malicious?

  • Question

  • We always have a number of people listed in the Risky Sign-ins report in Azure AD. If I see someone with higher security listed, I make them change their password. However, when I try to find any associated logs in our on-premises devices, I never seem to find a correlation. This makes me think that even failed attempts on an account are being reported as a risky sign-in and the account is not actually compromised. Is this a correct assumption, or should I be making everyone change their passwords if they show up on the report?


    • Edited by CSCTool Wednesday, September 26, 2018 5:43 PM
    Wednesday, September 26, 2018 5:41 PM

Answers

  • A risky sign-in indicates that a failed sign-in attempt is identified as a risky sign-in, and based on the risk events that have been detected during sign-in, Azure AD calculates a value (a probability of Low, Medium or High) that the sign-in is not performed by the legitimate user. The details of the risky sign-ins reports vary between different editions, where Premium 1 and 2 provide more information (refer to link for more details). You can decide, based on the risk levels and the detailed report, if you want to ask the user to change the password.
    • Marked as answer by CSCTool Friday, September 28, 2018 1:59 PM
    Wednesday, September 26, 2018 8:59 PM
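
One way to apply the "decide based on the risk levels and detailed report" advice to an exported report, as an added example that is not part of the original thread. It assumes records shaped like Microsoft Graph signIn objects (`status.errorCode` of 0 means success); the sample data, the `triage` function and its reset threshold are hypothetical.

```python
from collections import defaultdict

# Constructed sample records, shaped like Microsoft Graph signIn objects.
# status.errorCode == 0 means the sign-in succeeded; 50126 is a bad password.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "riskLevelDuringSignIn": "high", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "riskLevelDuringSignIn": "medium", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "riskLevelDuringSignIn": "medium", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "riskLevelDuringSignIn": "low", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
]

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

def triage(signins, reset_at="medium"):
    """Summarise risky sign-ins per user and suggest an action.

    Assumed policy (not from the thread): reset the password when a risky
    sign-in at or above `reset_at` succeeded; review lower-risk successes;
    only monitor users whose risky sign-ins all failed.
    """
    users = defaultdict(lambda: {"failed": 0, "succeeded": 0,
                                 "max_risk": "none", "max_success_risk": "none"})
    for rec in signins:
        risk = (rec.get("riskLevelDuringSignIn") or "none").lower()
        if RISK_ORDER.get(risk, 0) == 0:
            continue  # not flagged as risky ("none", "hidden", unknown values)
        u = users[rec["userPrincipalName"]]
        ok = (rec.get("status") or {}).get("errorCode") == 0
        u["succeeded" if ok else "failed"] += 1
        u["max_risk"] = max(u["max_risk"], risk, key=RISK_ORDER.get)
        if ok:
            u["max_success_risk"] = max(u["max_success_risk"], risk, key=RISK_ORDER.get)
    for u in users.values():
        if RISK_ORDER[u["max_success_risk"]] >= RISK_ORDER[reset_at]:
            u["action"] = "reset password"
        elif u["succeeded"]:
            u["action"] = "review sign-in details"
        else:
            u["action"] = "monitor (no risky sign-in succeeded)"
    return dict(users)
```
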

All replies

  • Basically, sign-in reports from Azure Active Directory are based on risky sign-ins: a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account, or a user account that might have been compromised. See this for clarification about sign-in activity reports.

    https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

    • Proposed as answer by samyyysam Wednesday, September 26, 2018 8:53 PM
    Wednesday, September 26, 2018 8:53 PM