Skip to content

Risky Users and Sign-in Risk

Azure AD Identity Protection

Evaluate risky users and sign-in risk for your organization!

How Does Microsoft Evaluate Risk?

They evaluate signals generated by sign-in’s and user activity within Azure and Microsoft 365 tools and services.

Users

Sign-in's

Detection Methods

Real-time

Offline

Sign-in Risk

Premium Sign-in Risk Detections

Atypical travel

Detection: Offline
This risk detection type identifies sign-ins originating from geographically distant locations. In this scenario with past sign-in behavior data collect, at least one of the locations may be atypical for the user.

Malicious IP address

Detection: Offline
This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources.

New country

Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps and considers past activity locations to determine new, infrequent locations. Anomaly detection stores information about previous locations used by users in the organization.

Anomalous Token

Detection: Offline
This detection type covers Session Tokens and Refresh Tokens indicating that there are abnormal characteristics such as an unusual lifetime or an unfamiliar location.

Suspicious inbox manipulation rules

Detection: Offline
This detection triggers alerts if an end user inbox has any messages or folders moved or deleted. This detection may indicate that an account is compromised, messages are being intentionally hidden, or the mailbox is being used to distribute spam and malware across your organization.

Activity from anonymous IP address

Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps. This detection identifies that the IP address has been identified as an anonymous proxy IP address.

Token Issuer Anomaly

Detection: Offline
This risk detection indicates the token issuer is potentially compromised. The claims match known attacker behavior or inconsistent patterns.

Password spray

Detection: Offline
Microsoft Defender for Cloud Apps discovers and detects suspicious email forwarding rules. Cyberattacks often involve an inbox rule that forwards a copy of all company emails to a hacker’s external address.

Suspicious inbox forwarding

Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps. This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.

Suspicious browser

Detection: Offline
This detection indicates suspicious, anomalous sign-in activity from different countries in the same browser.

Impossible travel

Detection: Offline
Microsoft Defender for Cloud Apps identifies and detects user activities originating from geographically distant locations within a shorter time period than the time it takes to travel from location to location. This risk may indicate that a different user is using the same account credentials.

Mass Access to Sensitive Files

Detection: Offline
Microsoft Defender for Cloud Apps looks, detects, and triggers alerts when users access multiple files from SharePoint or OneDrive. An alert is triggered only if the number of accessed files is uncommon for the user or if the files contain sensitive information.

Unfamiliar sign-in properties

Detection: Real-time
This risk detection indicates that the token issuer is potentially compromised. The claims include that the token is unusual or matches known attackers.

Sign-in Risk

Nonpremium Sign-in Risk Detections

Additional risk detected

Detection: Real-time or Offline
This detection indicates that there is additional risk detected usual as a risky user or via a user sign-in risk. Azure AD Premium P2 licenses are paramount for risk detection.

Anonymous IP address

Detection: Real-time
This risk detection type indicates when sign-ins from anonymous IP addresses are used by bad actors attempting anomalous sign-ins for malicious intent.

Admin confirmed user compromised

Detection: Offline
This detection indicates when an admin confirms a risky user has been compromised.

Azure AD threat intelligence

Detection: Offline
This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources.

User Linked Detections

Premium User Detections

Possible attempt to access Primary Refresh Token (PRT)

Detection: Offline
Microsoft Defender for Endpoint (MDE) detects tokens that enable seamless or single sign-on (SSO) across applications and devices. Usually, attackers perform credential theft or often attempt to move laterally after initial breach into a business.

Anomalous user activity

Detection: Offline
This creates normal administrative baselines for behavior and spots anomalies like changes to the Azure Active Directory. The detection is triggered when the admin changes something.

User reported suspicious activity

Detection: Offline
This risk detection happens when a multifactor authentication (MFA) prompt is denied. It may mean that the user’s identity is compromised.

User Linked Dections

Nonpremium User Risk Detections

Additional risk detected

Detection: Real-time or Offline
This detection indicates that there is additional risk detected usual as a risky user or via a user sign-in risk. Azure AD Premium P2 licenses are paramount for risk detection.

Leaked credentials

Detection: Offline
When hackers compromise valid passwords of legitimate users, they often share them on the dark web or black market. Microsoft leaked credentials checks the dark web for Azure AD credentials to find matches.

Azure AD threat intelligence

Detection: Offline
This internal and external threat detection type indicates unusual user activity consistent with known cyberattacks.

“We transform how people work.”

Twitter Facebook-f Linkedin Instagram

Company Details

  • DUNS Number: 078570307
  • CAGE Code: 6TX26
  • NAICS Codes: 541690, 541990, 541611, 54618, 611420, 541370, 541519

Contact

Codes & Certs

  • VOSB - self-certified
  • SBA 8(a) - pending

Services

  • Microsoft 365 Solutions
  • Assessments
  • Security
  • Training

PRIVACY POLICY

TERMS OF USE AND CONDITIONS

Copyright © 2023 Jadex Strategic Group | Powered by Jadex Strategic Group