Auditing - Ensure The Azure AD 'Risky Sign-ins' Report Is Reviewed At Least Weekly

 
Summary

This report generally consists of records of accounts whose activity could indicate they are compromised, such as accounts that have:
  • successfully signed in after multiple failures, which can indicate that the account's password has been cracked.
  • signed in to your tenant from a client IP address that Microsoft has recognized as an anonymous proxy IP address (such as a TOR exit node).
  • signed in successfully from two locations where the time between the sign-ins makes it impossible for the user to have traveled between those regions (impossible travel).

Reason

Reviewing this report regularly allows identification and remediation of compromised accounts.

How to?

To review the report, perform the following steps using Azure portal:
  1. Go to portal.azure.com.
  2. Click Azure Active Directory.
  3. Under Manage click on Security.
  4. Under Report click on Risky sign-ins.
  5. Review by Risk level (aggregate).

To get the risky sign-ins event report programmatically, use the following Graph API call, replacing the placeholder with a datetime seven days before now:

https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt <datetime 7 days ago> and riskEventStatus eq 'active'
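As an added example (not part of the original post), the script below fills in that filter with a concrete cutoff, pages through the Graph response, aggregates the events by risk level the way the portal's "Risk level (aggregate)" view does, and flags active events older than the weekly review cadence. The field names riskLevel, riskEventType and userPrincipalName and the GRAPH_TOKEN environment variable are assumptions; the sample response is constructed.

```python
import json, os, urllib.parse, urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone
GRAPH_ENDPOINT = "https://graph.microsoft.com/beta/identityRiskEvents"  # endpoint from the post

def build_risk_events_url(now: datetime, days: int = 7) -> str:
    """Fill in the post's $filter with an explicit cutoff (now minus `days`, UTC)."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = f"riskEventDateTime gt {cutoff} and riskEventStatus eq 'active'"
    return f"{GRAPH_ENDPOINT}?{urllib.parse.urlencode({'$filter': flt})}"

def fetch_risk_events(url: str, token: str) -> list:
    """Call Graph with a bearer token and follow @odata.nextLink paging (needs network)."""
    events = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events

def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO-8601 UTC, sometimes with 7 fractional digits; trim those first."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def summarize_by_risk_level(events: list) -> dict:
    """Counts per riskLevel: the 'Risk level (aggregate)' view from the portal steps."""
    return dict(Counter(e.get("riskLevel", "unknown") for e in events))

def stale_events(events: list, now: datetime, max_age_days: int = 7) -> list:
    """Active events older than the review cadence: a sign the weekly review slipped."""
    cutoff = now - timedelta(days=max_age_days)
    return [e for e in events if parse_graph_time(e["riskEventDateTime"]) < cutoff]

# Constructed sample shaped like a Graph identityRiskEvents response (not real tenant data).
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "anonymousIpRiskEvent",
     "riskLevel": "medium", "riskEventStatus": "active", "riskEventDateTime": "2023-01-08T10:00:00Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "impossibleTravelRiskEvent",
     "riskLevel": "high", "riskEventStatus": "active", "riskEventDateTime": "2023-01-07T22:15:00.1234567Z"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "leakedCredentialsRiskEvent",
     "riskLevel": "high", "riskEventStatus": "active", "riskEventDateTime": "2022-12-20T09:00:00Z"},
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    token = os.environ.get("GRAPH_TOKEN")  # assumed: operator supplies a Graph bearer token
    events = fetch_risk_events(build_risk_events_url(now), token) if token else SAMPLE_EVENTS
    print("by risk level:", summarize_by_risk_level(events))
    print("active for over a week:", [e["userPrincipalName"] for e in stale_events(events, now)])
```

Without GRAPH_TOKEN set the script runs offline against the constructed sample, which is enough to check the filter string and the aggregation before pointing it at a tenant.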

Monitor

To verify that the report is being reviewed at least weekly, confirm that the necessary procedures are in place and being followed.
