Risky Users and Sign-in Risk
Entra Identity Protection
Microsoft Entra ID Protection uses advanced machine learning to identify sign-in risks and unusual user behavior, blocking, challenging, limiting, or allowing access. It helps organizations remediate risky users swiftly by enabling automated risk-based policies. Whether it’s an anomalous token or other suspicious activity, Entra ensures robust security.
How Does Microsoft Evaluate Risk?
They evaluate signals generated by sign-in’s and user activity within Entra and Microsoft 365 tools and services.
Users
Sign-in's
Detection Methods
Real-time
Offline
How Licensing Affects Your Logs
Microsoft Entra ID Premium Licensing and Logs
Microsoft Entra ID is a cloud-based identity and access management service that helps you secure your organization’s data and resources. It offers different licensing options depending on your needs and budget. Here are some ways that licensing affects your logs:
- With a license, you can access more detailed and granular logs of user activities, sign-ins, audit events, and anomalous tokens.
- With a license, you can retain your logs for longer periods of time, up to one year, and export them to external storage or analytics tools.
- With a license, you can enable advanced features such as identity protection, conditional access, and privileged identity management, which generate additional logs and alerts.
Without a license, you have limited access to your logs and you may miss important insights and security incidents. For example, you may see Anomalous Token instead of an unfamiliar, risky sign-in location. Licensing is essential for effective identity and access management with Microsoft Entra ID.
Act Now: Mitigate Sign-In Risks
Don’t let sign-in risks compromise your Microsoft 365 account. Discover proactive solutions to identify and mitigate risky user behavior and ensure seamless, secure access to your services. Reach out to our security specialists today!
Sign-in Risk
Premium Sign-in Risk Detections
Atypical travel
Detection: Offline
This risk detection type identifies sign-ins originating from geographically distant locations. In this scenario with past sign-in behavior data collect, at least one of the locations may be atypical for the user.
Malicious IP address
Detection:
Offline
This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources.
New country
Detection:
Offline
This detection is discovered by Microsoft Defender for Cloud Apps and considers past activity locations to determine new, infrequent locations. Anomaly detection stores information about previous locations used by users in the organization.
Anomalous Token
Detection:
Offline
This detection type covers Session Tokens and Refresh Tokens indicating that there are abnormal characteristics such as an unusual lifetime or an unfamiliar location.
Suspicious inbox manipulation rules
Detection:
Offline
This detection triggers alerts if an end user inbox has any messages or folders moved or deleted. This detection may indicate that an account is compromised, messages are being intentionally hidden, or the mailbox is being used to distribute spam and malware across your organization.
Activity from anonymous IP address
Detection:
Offline
This detection is discovered by Microsoft Defender for Cloud Apps. This detection identifies that the IP address has been identified as an anonymous proxy IP address.
Token Issuer Anomaly
Detection:
Offline
This risk detection indicates the token issuer is potentially compromised. The claims match known attacker behavior or inconsistent patterns.
Password spray
Detection:
Offline
Microsoft Defender for Cloud Apps discovers and detects suspicious email forwarding rules. Cyberattacks often involve an inbox rule that forwards a copy of all company emails to a hacker’s external address.
Suspicious inbox forwarding
Detection:
Offline
This detection is discovered by Microsoft Defender for Cloud Apps. This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Suspicious browser
Detection:
Offline
This detection indicates suspicious, anomalous sign-in activity from different countries in the same browser.
Impossible travel
Detection:
Offline
Microsoft Defender for Cloud Apps identifies and detects user activities originating from geographically distant locations within a shorter time period than the time it takes to travel from location to location. This risk may indicate that a different user is using the same account credentials.
Mass Access to Sensitive Files
Detection:
Offline
Microsoft Defender for Cloud Apps looks, detects, and triggers alerts when users access multiple files from SharePoint or OneDrive. An alert is triggered only if the number of accessed files is uncommon for the user or if the files contain sensitive information.
Unfamiliar sign-in properties
Detection:
Real-time
This risk detection indicates that the token issuer is potentially compromised. The claims include that the token is unusual or matches known attackers.
Sign-in Risk
Nonpremium Sign-in Risk Detections
Additional risk detected
Detection: Real-time or Offline
This detection indicates that there is additional risk detected usual as a risky user or via a user sign-in risk. Entra ID Premium P2 licenses are paramount for risk detection.
Anonymous IP address
Detection: Real-time
This risk detection type indicates when sign-ins from anonymous IP addresses are used by bad actors attempting anomalous sign-ins for malicious intent.
Admin confirmed user compromised
Detection:
Offline
This detection indicates when an admin confirms a risky user has been compromised.
Azure AD threat intelligence
Detection:
Offline
This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources.
User Linked Detections
Premium User Detections
Possible attempt to access Primary Refresh Token (PRT)
Detection: Offline
Microsoft Defender for Endpoint (MDE) detects tokens that enable seamless or single sign-on (SSO) across applications and devices. Usually, attackers perform credential theft or often attempt to move laterally after initial breach into a business.
Anomalous user activity
Detection:
Offline
This creates normal administrative baselines for behavior and spots anomalies like changes to the Entra ID. The detection is triggered when the admin changes something.
User reported suspicious activity
Detection:
Offline
This risk detection happens when a multifactor authentication (MFA) prompt is denied. It may mean that the user’s identity is compromised.
User Linked Detections
Nonpremium User Risk Detections
Additional risk detected
Detection: Real-time or Offline
This detection indicates that there is additional risk detected usual as a risky user or via a user sign-in risk. Entra ID Premium P2 licenses are paramount for risk detection.
Leaked credentials
Detection:
Offline
When hackers compromise valid passwords of legitimate users, they often share them on the dark web or black market. Microsoft leaked credentials checks the dark web for Entra ID credentials to find matches.
Microsoft Entra Threat Intelligence
Detection:
Offline
This internal and external threat detection type indicates unusual user activity consistent with known cyberattacks.
Company Details
- DUNS Number: 078570307
- CAGE Code: 6TX26
- NAICS Codes: 541690, 541990, 541611, 54618, 611420, 541370, 541519
Contact
- HQS - Spring Lake, MI
- Phone: 1 (833) 568-3925
- Email: info@jadexstrategic.com
Codes & Certs
- VOSB - self-certified
- SBA 8(a) - pending