Loading controls...
Control: 5.4 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly
Description
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
- successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords
- signed in to tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network)
- successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions
Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
Remediation
To review the Azure AD 'Risky sign-ins' report:
- Navigate to
Microsoft Entra admin center
https://entra.microsoft.com/. - Click to expand
Protect & secure
selectRisky activities
. - Under
Report
click onRisky sign-ins
. - Review by
Risk level (aggregate)
.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v200_5_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v200_5_4 --share
SQL
This control uses a named query:
azuread_risky_sign_ins_report