5.3 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:

successfully signed in after multiple failed attempts, which is an indication that the account's password has been cracked

signed in to your tenant from a client IP address that Microsoft has recognized as an anonymous proxy IP address (such as the Tor network)

successful sign-ins where two sign-ins by the same user appear to originate from different regions, and the time between them makes it impossible for the user to have traveled between those regions

Rationale:

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the report, perform the following steps using the Azure Portal:

Go to portal.azure.com.

Click Azure Active Directory.

Under Manage, click Security.

Under Report, click Risky sign-ins.

Review by Risk level (aggregate).

To retrieve the risky sign-in events report programmatically, use the following Graph API query (replace the placeholder with the UTC timestamp seven days before the time of the query):

https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt < 7 days older datetime > and riskEventStatus eq 'active'
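As an added example (not part of the benchmark or Tenable's audit), the following Python builds the query above with the placeholder filled in and the filter URL-encoded, follows Graph paging, and aggregates the result by risk level the way the portal's "Risk level (aggregate)" view does. The event field names (riskLevel, userPrincipalName) and the sample pages are assumptions; a live run would pass an authenticated fetcher in place of the constructed pages.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Endpoint and filter fields exactly as quoted in the benchmark text.
GRAPH_RISK_EVENTS = "https://graph.microsoft.com/beta/identityRiskEvents"

def build_risky_signins_url(now, days=7, base=GRAPH_RISK_EVENTS):
    # Fill the '< 7 days older datetime >' placeholder with a UTC timestamp and
    # URL-encode the $filter; the raw query on the page has unencoded spaces.
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    filt = f"riskEventDateTime gt {cutoff} and riskEventStatus eq 'active'"
    return base + "?$filter=" + quote(filt, safe="'")

def fetch_all(url, get_json):
    # Graph pages large results; follow @odata.nextLink until exhausted.
    # get_json(url) -> dict; for a live tenant this is an authenticated GET.
    events = []
    while url:
        page = get_json(url)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events

def summarize_by_risk_level(events):
    # The 'Risk level (aggregate)' view: event counts per level.
    return dict(Counter(e.get("riskLevel", "unknown") for e in events))

def high_risk_users(events):
    # Distinct accounts with a high-risk event, the ones to remediate first.
    return sorted({e["userPrincipalName"] for e in events if e.get("riskLevel") == "high"})

# Constructed two-page sample response standing in for a live Graph call.
SAMPLE_PAGES = {
    "page1": {"@odata.nextLink": "page2", "value": [
        {"userPrincipalName": "alice@contoso.example", "riskLevel": "high"},
        {"userPrincipalName": "bob@contoso.example", "riskLevel": "medium"}]},
    "page2": {"value": [
        {"userPrincipalName": "alice@contoso.example", "riskLevel": "high"}]},
}

if __name__ == "__main__":
    print(build_risky_signins_url(datetime.now(timezone.utc)))
    events = fetch_all("page1", SAMPLE_PAGES.__getitem__)  # constructed pages
    print(summarize_by_risk_level(events), high_risk_users(events))
```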

See Also

https://workbench.cisecurity.org/files/4073