Information
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
Successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords.
Signed in to the tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as the Tor network).
Successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions.
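A simplified illustration of the three indicators listed above, added here as an example; it is not Microsoft's detection logic and not part of the benchmark. The record layout, the thresholds and the proxy IP set are assumptions, and the sample sign-ins are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records: (time, user, client IP, success, latitude, longitude)
SIGNINS = [
    ("2024-05-01T08:00:00", "alice@example.com", "198.51.100.7", False, 51.5, -0.1),
    ("2024-05-01T08:01:00", "alice@example.com", "198.51.100.7", False, 51.5, -0.1),
    ("2024-05-01T08:02:00", "alice@example.com", "198.51.100.7", False, 51.5, -0.1),
    ("2024-05-01T08:03:00", "alice@example.com", "198.51.100.7", True, 51.5, -0.1),
    ("2024-05-01T08:30:00", "bob@example.com", "203.0.113.50", True, 52.4, 4.9),
    ("2024-05-01T09:00:00", "carol@example.com", "192.0.2.10", True, 51.5, -0.1),
    ("2024-05-01T10:00:00", "carol@example.com", "192.0.2.99", True, 40.7, -74.0),
    ("2024-05-01T11:00:00", "dave@example.com", "192.0.2.20", False, 48.9, 2.3),
    ("2024-05-01T11:01:00", "dave@example.com", "192.0.2.20", True, 48.9, 2.3),
    ("2024-05-01T13:00:00", "dave@example.com", "192.0.2.20", True, 48.9, 2.3),
]
ANON_PROXY_IPS = {"203.0.113.50"}  # assumed anonymous-proxy list (constructed)
FAILURE_THRESHOLD = 3              # assumed: failures before a success is suspicious
MAX_SPEED_KMH = 900                # assumed: faster than an airliner is impossible
MIN_DISTANCE_KM = 500              # assumed: shorter hops are the same region

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def flag_signins(records):
    """Return sorted (user, indicator) pairs for the three indicators."""
    findings, failures, last_ok = set(), {}, {}
    for ts, user, ip, ok, lat, lon in sorted(records):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if not ok:
            failures[user] = failures.get(user, 0) + 1
            continue
        if failures.get(user, 0) >= FAILURE_THRESHOLD:
            findings.add((user, "success_after_failures"))
        failures[user] = 0  # a success ends the failure streak
        if ip in ANON_PROXY_IPS:
            findings.add((user, "anonymous_proxy"))
        if user in last_ok:
            prev_when, prev_lat, prev_lon = last_ok[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = km_between(prev_lat, prev_lon, lat, lon)
            if dist > MIN_DISTANCE_KM and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                findings.add((user, "impossible_travel"))
        last_ok[user] = (when, lat, lon)
    return sorted(findings)
```

Calling `flag_signins(SIGNINS)` flags alice, bob and carol for one indicator each; dave's single failure and same-location sign-ins produce no finding.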
Rationale:
Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To review the 'Risky sign-ins' report:
Navigate to the Microsoft Entra admin center at https://entra.microsoft.com.
Click to expand Protection, then select Risky activities.
Under Report, click on Risky sign-ins.
Review by Risk level (aggregate).