Identity Protection Confirm Sign-In Compromised Action

This guide shows an administrator how to confirm a system-identified risky sign-in as a true positive.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: TBD

Domain: TBD

Modifies: TBD

Risky Sign-Ins Confirm Sign-In Compromised Action

  1. Navigate to the Risky Sign-ins – Azure Active Directory portal, then locate and select the desired risky sign-in from the list.
  2. From the Risky Sign-in Details flyout, select the three dots, then select the Confirm sign-in compromised action. This action should be taken after investigating and confirming that the sign-in attempt was a true positive.
  3. A disclaimer is displayed explaining that the user risk associated with this sign-in will be set to high and that new detection criteria will be considered to optimize future risk assessments on authentication attempts. Select Yes to identify the sign-in risk as real. Remember that if a risk-based conditional access policy wasn’t triggered, and the risk therefore wasn’t self-remediated, you will need to carry out additional actions such as a User Block, Password Reset, Revoking Active Sessions, Resetting MFA, or Reregistering MFA.
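
The caveat in step 3, as an added example that is not part of the original guide: a Python triage helper that reads sign-in records in the shape of the Microsoft Graph signIn resource and lists the users whose risky sign-ins were not self-remediated, so the manual follow-up actions are still outstanding. The sample records, the function names `needs_manual_followup` and `triage`, and the idea of working from an exported list are assumptions; `conditionalAccessStatus` covers any conditional access policy, not only risk-based ones, so it is reported as context only.

```python
import json

# Constructed sample records (field names follow the Graph signIn resource;
# every value below is made up for illustration).
SAMPLE_SIGN_INS = json.loads("""
[
 {"id": "req-0001", "userPrincipalName": "alice@example.test",
  "riskState": "confirmedCompromised", "riskDetail": "adminConfirmedSigninCompromised",
  "riskLevelDuringSignIn": "medium", "conditionalAccessStatus": "notApplied"},
 {"id": "req-0002", "userPrincipalName": "bob@example.test",
  "riskState": "remediated", "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
  "riskLevelDuringSignIn": "high", "conditionalAccessStatus": "success"},
 {"id": "req-0003", "userPrincipalName": "alice@example.test",
  "riskState": "atRisk", "riskDetail": "none",
  "riskLevelDuringSignIn": "high", "conditionalAccessStatus": "notApplied"},
 {"id": "req-0004", "userPrincipalName": "carol@example.test",
  "riskState": "dismissed", "riskDetail": "adminDismissedAllRiskForUser",
  "riskLevelDuringSignIn": "low", "conditionalAccessStatus": "notApplied"}
]
""")

# riskDetail values that mean the user cleared the risk through a policy prompt.
SELF_REMEDIATED = {"userPassedMFADrivenByRiskBasedPolicy",
                   "userPerformedSecuredPasswordChange",
                   "userPerformedSecuredPasswordReset"}
UNRESOLVED = {"atRisk", "confirmedCompromised"}
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Follow-up actions named in step 3 of the procedure.
FOLLOW_UP = ["User Block", "Password Reset", "Revoking Active Sessions",
             "Resetting MFA", "Reregistering MFA"]

def needs_manual_followup(s):
    """True when the sign-in is still risky and was not self-remediated."""
    return s.get("riskState") in UNRESOLVED and s.get("riskDetail") not in SELF_REMEDIATED

def triage(sign_ins):
    """Group outstanding risky sign-ins by user, highest risk level first."""
    users = {}
    for s in filter(needs_manual_followup, sign_ins):
        u = users.setdefault(s["userPrincipalName"],
                             {"sign_ins": [], "max_risk": "low", "ca_applied": False})
        u["sign_ins"].append(s["id"])
        if LEVELS.get(s.get("riskLevelDuringSignIn"), 0) > LEVELS[u["max_risk"]]:
            u["max_risk"] = s["riskLevelDuringSignIn"]
        u["ca_applied"] |= s.get("conditionalAccessStatus") in ("success", "failure")
    return dict(sorted(users.items(), key=lambda kv: -LEVELS[kv[1]["max_risk"]]))

if __name__ == "__main__":
    for user, info in triage(SAMPLE_SIGN_INS).items():
        print(user, info, "->", ", ".join(FOLLOW_UP))
```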

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.