The Risky User report is useful, sure, but wouldn’t it be better if you didn’t have to remember to check whether any users have been flagged as Risky? I always prefer alerts that come to me over having to remember to go looking for them.
What gets a user flagged as Risky?
A Risky user is a user whose account activity is out of the ordinary. Microsoft does not divulge the full list of activities that it tracks, but it does provide a list of some:
- Leaked credentials
- Anonymous IP use
- Atypical travel
- Signing in from infected devices
- Signing in from IP addresses with suspicious activity
- Signing in from unfamiliar locations
How do you know that a user has been flagged as Risky?
If you are a Global Administrator, Security Administrator or Security Reader, then you will be added to the email notification that is sent when a user is considered High Risk. The notification goes to the email address listed in each of those individuals’ Azure AD profiles.
If those email addresses aren’t checked regularly, or you don’t hold one of those roles, or the flag is Medium or Low, then you have to visit the Azure AD portal and navigate to Security/Identity Protection. There you view the graphs on the dashboard and click into them to see the individuals that have been flagged.
Let’s send those alerts where we need them
For my MSP, we’d like these alerts to be sent to a Teams channel. This is where we have all built-in alerting sent. Each of our clients has their own channel, which keeps everything sorted.
In the Notify section of the Identity Protection menu, click on Users at risk detected alerts.
Here you’ll find a list of where those alerts are going today. Disable any recipients who never look at their email, for example the default Global Administrator, and add any addresses that you want the alert sent to.
For the users that you add, there will be nothing in the Actions column. When you’re done, press the Save button at the bottom of the page.
But wait there’s one more thing!
Just above the Save button you will see the option to set the level at which you want the alert notifications to be sent out. These levels represent Microsoft’s confidence that the user account might be compromised. I have set mine at Medium. Click the Save button.
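To see what the alert level does to the volume of alerts each client channel receives, here is an added example (not part of the original post or any Microsoft tooling) that applies a threshold to risky-user records and groups the result per client. The records are constructed and use field names from the Microsoft Graph riskyUser resource; the channel mapping, function names and the assumption that a threshold matches that level and above are this example's own.

```python
from collections import defaultdict

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Only users still considered at risk should raise an alert.
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}

# Constructed sample records (not from a real tenant).
SAMPLE_RISKY_USERS = [
    {"userPrincipalName": "ana@contoso.example", "riskLevel": "high",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-03-01T08:15:00Z"},
    {"userPrincipalName": "ben@contoso.example", "riskLevel": "medium",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-03-01T09:02:00Z"},
    {"userPrincipalName": "cat@contoso.example", "riskLevel": "low",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-03-01T09:40:00Z"},
    {"userPrincipalName": "dev@fabrikam.example", "riskLevel": "high",
     "riskState": "remediated", "riskLastUpdatedDateTime": "2024-02-27T14:00:00Z"},
    {"userPrincipalName": "eli@fabrikam.example", "riskLevel": "medium",
     "riskState": "confirmedCompromised", "riskLastUpdatedDateTime": "2024-03-01T10:11:00Z"},
    {"userPrincipalName": "fay@northwind.example", "riskLevel": "medium",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-03-01T11:30:00Z"},
]

# Hypothetical mapping of client domain to that client's Teams channel.
CLIENT_CHANNELS = {"contoso.example": "Contoso Alerts",
                   "fabrikam.example": "Fabrikam Alerts"}

def users_to_alert(records, threshold="medium"):
    """Keep active risky users whose level is at or above the threshold."""
    floor = RISK_ORDER[threshold]
    return [r for r in records
            if r["riskState"] in ACTIVE_STATES
            and RISK_ORDER.get(r["riskLevel"], 0) >= floor]

def route_to_channels(records, channels=CLIENT_CHANNELS, default="Unassigned Alerts"):
    """Group alert lines per client channel, highest risk first."""
    routed = defaultdict(list)
    ordered = sorted(records, key=lambda r: -RISK_ORDER.get(r["riskLevel"], 0))
    for r in ordered:
        domain = r["userPrincipalName"].rsplit("@", 1)[-1].lower()
        line = (f'{r["riskLevel"].upper()}: {r["userPrincipalName"]} '
                f'(updated {r["riskLastUpdatedDateTime"]})')
        routed[channels.get(domain, default)].append(line)
    return dict(routed)

if __name__ == "__main__":
    for channel, lines in route_to_channels(users_to_alert(SAMPLE_RISKY_USERS)).items():
        print(channel, *lines, sep="\n  ")
```

Users from a domain with no mapped channel land in the default bucket instead of being dropped, so a newly onboarded client cannot go silently unalerted.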
Configure the Weekly Digest of Risky Users
Back in the Notify menu, choose Weekly Digest. Here you’ll find that the default users can opt to receive a weekly digest of Risky User activity. All are enabled by default. Disable any whose email is not monitored.