turbot/microsoft365_compliance

Control: 5.3 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

Description

This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:

  • successfully signed in after multiple failures, which can indicate that the account's password has been guessed or cracked
  • signed in to your tenant from a client IP address that Microsoft has recognized as an anonymous proxy (such as a Tor exit node)
  • had two successful sign-ins that appear to originate from different regions, with too little time between them for the user to have travelled between those regions

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.

Remediation

To review the report, perform the following steps using the Azure Portal:

  1. Go to portal.azure.com.
  2. Click Azure Active Directory.
  3. Under Manage click on Security.
  4. Under Report click on Risky sign-ins.
  5. Review by Risk level (aggregate).

Azure Active Directory has since been renamed Microsoft Entra ID; in the Microsoft Entra admin center (entra.microsoft.com) the same report is under Protection > Identity Protection > Risky sign-ins. Only sign-ins whose Risk state is "At risk" are still open for review; those already marked Remediated, Dismissed or Confirmed safe have been handled.

To get the risky sign-in events programmatically, the benchmark gives the following Graph API query, where the placeholder must be replaced with an ISO 8601 UTC timestamp seven days before the time the query is run:

https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt < 7 days older datetime > and riskEventStatus eq 'active'

Note that the beta identityRiskEvents resource has been retired. The supported equivalents are identityProtection/riskDetections on the v1.0 endpoint (filter on detectedDateTime, with riskState eq 'atRisk' in place of riskEventStatus eq 'active'; requires the IdentityRiskEvent.Read.All permission), and auditLogs/signIns (requires AuditLog.Read.All and Directory.Read.All), whose riskLevelAggregated and riskState properties correspond to the portal's Risk level (aggregate) and Risk state columns.
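The programmatic review carried through as an added example (editor-written; not code from the Powerpipe mod or the CIS benchmark): it builds the seven-day filter, follows @odata.nextLink paging, and groups the result by risk level the way the portal's Risk level (aggregate) view does, separating detections that are still at risk from ones already remediated. Everything beyond the page's own text is an assumption: the v1.0 identityProtection/riskDetections resource is used as the replacement for the retired beta endpoint, a bearer token with IdentityRiskEvent.Read.All is taken as already obtained, and the two-page response, user names, IP addresses and riskEventType values are constructed sample data.

```python
"""Weekly review of Entra ID Protection risk detections via Microsoft Graph.
Editor-added example, not code from the Powerpipe mod or the CIS benchmark. Assumptions
not in the page: a bearer token with IdentityRiskEvent.Read.All is already in hand, and
the v1.0 identityProtection/riskDetections resource stands in for the retired beta
identityRiskEvents endpoint. All detections below are constructed sample data."""
import io
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

GRAPH_RISK_DETECTIONS = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
LEVEL_RANK = {"high": 0, "medium": 1, "low": 2}  # triage order; unknown levels sort last
REVIEW_TIME = datetime(2024, 5, 7, 9, 0, tzinfo=timezone.utc)  # constructed "now"


def build_filter(now, days=7):
    """OData $filter for every detection raised in the last `days` days (UTC)."""
    since = now.astimezone(timezone.utc) - timedelta(days=days)
    return f"detectedDateTime ge {since.strftime('%Y-%m-%dT%H:%M:%SZ')}"


def build_url(now, days=7, page_size=500):
    """Full Graph URL; quote_via=quote yields %20 for spaces, which Graph accepts."""
    query = urllib.parse.urlencode({"$filter": build_filter(now, days), "$top": page_size},
                                   quote_via=urllib.parse.quote)
    return f"{GRAPH_RISK_DETECTIONS}?{query}"


def fetch_all(url, token, opener=urllib.request.urlopen):
    """Follow @odata.nextLink until the collection is exhausted; `opener` is
    injectable so the paging logic can be exercised offline."""
    detections = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with opener(req) as resp:
            page = json.load(resp)
        detections.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return detections


def triage(detections):
    """Group like the portal's risk-level view and split open from handled detections."""
    open_items = [d for d in detections if d.get("riskState") == "atRisk"]
    closed_items = [d for d in detections if d.get("riskState") != "atRisk"]
    open_items.sort(key=lambda d: d.get("detectedDateTime", ""), reverse=True)  # newest first
    open_items.sort(key=lambda d: LEVEL_RANK.get(d.get("riskLevel"), 99))      # then by risk
    return {
        "by_level": dict(Counter(d.get("riskLevel", "none") for d in detections)),
        "by_type": dict(Counter(d.get("riskEventType", "unknown") for d in detections)),
        "open": open_items,
        "closed": closed_items,
        # accounts a reviewer must confirm safe or remediate this week
        "users_needing_action": sorted({d["userPrincipalName"] for d in open_items
                                        if d.get("riskLevel") in ("high", "medium")}),
    }


def _det(id_, upn, etype, level, state, when, ip):  # one constructed riskDetection object
    return {"id": id_, "userPrincipalName": upn, "riskEventType": etype, "riskLevel": level,
            "riskState": state, "detectedDateTime": when, "ipAddress": ip}


# constructed two-page Graph response so the script runs offline
PAGE_URLS = [GRAPH_RISK_DETECTIONS + f"?%24skiptoken=constructed-{i}" for i in (1, 2)]
SAMPLE_PAGES = {
    PAGE_URLS[0]: {"@odata.nextLink": PAGE_URLS[1], "value": [
        _det("d1", "alice@contoso.example", "anonymizedIPAddress", "medium", "atRisk",
             "2024-05-06T08:14:00Z", "198.51.100.23"),
        _det("d2", "bob@contoso.example", "unlikelyTravel", "high", "atRisk",
             "2024-05-07T02:41:00Z", "203.0.113.9")]},
    PAGE_URLS[1]: {"value": [  # last page: no nextLink
        _det("d3", "carol@contoso.example", "leakedCredentials", "high", "remediated",
             "2024-05-05T11:00:00Z", "192.0.2.77"),
        _det("d4", "alice@contoso.example", "passwordSpray", "low", "atRisk",
             "2024-05-04T23:59:00Z", "198.51.100.23")]},
}


def offline_opener(req):
    """Stand-in for urllib.request.urlopen that serves SAMPLE_PAGES."""
    return io.BytesIO(json.dumps(SAMPLE_PAGES[req.full_url]).encode())


def weekly_report(first_page=PAGE_URLS[0], token="fake-token", opener=offline_opener):
    """Whole flow; for a live tenant pass build_url(datetime.now(timezone.utc)),
    a real token and opener=urllib.request.urlopen."""
    return triage(fetch_all(first_page, token, opener=opener))


if __name__ == "__main__":
    report = weekly_report()
    print("live query:", build_url(REVIEW_TIME), "\nby level:", report["by_level"])
    for d in report["open"]:
        print(f'{d["riskLevel"]:6} {d["detectedDateTime"]} {d["userPrincipalName"]:24} '
              f'{d["riskEventType"]} from {d["ipAddress"]}')
    print("needs action:", report["users_needing_action"])
```

The split between open and closed detections is the point of the weekly cadence: a remediated detection (here carol's leaked credential) still belongs in the week's picture, but only at-risk ones with a high or medium level land on the list of accounts to confirm or remediate. The filter window is computed from a timezone-aware UTC clock so the "7 days older datetime" placeholder cannot drift with the operator's local time zone.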

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_5_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_5_3 --share

SQL

This control uses a named query:

azuread_risky_sign_ins_report

Tags