Anomalous Token alert of Defender

Suraj Rimal 0 Reputation points
2024-02-27T23:38:07.87+00:00

Hi all, We used to receive an Anomalous token alert on Defender, and it stopped all of a sudden. Unable to see any policy associated with it. Please help to figure it out.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud Apps
Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2024-02-28T19:47:49.23+00:00

    @Suraj Rimal

    Thank you for your post!

    When it comes to the policies pertaining to an anomalous token, you should be able to find these within the following locations:

    1. The Policy management section in your Microsoft 365 Defender portal.
      • You can see the anomaly detection policies in the Microsoft Defender Portal, by going to Cloud Apps -> Policies -> Policy management. Then choosing the Anomaly detection policy for the policy type.
      User's image
    2. Microsoft Entra ID Protection - Risk detections in Microsoft Entra ID Protection include any identified suspicious actions related to user accounts in the directory. For more info: Sign-in risk detections.
      • You can find your MS Entra ID Protection policies from your MS Entra ID tenant -> Security -> Identity Protection.
      User's image
    3. Conditional Access Policy - Since the legacy risk policies (user risk policy or sign-in risk policy) configured in Microsoft Entra ID Protection will be retired on October 1, 2026. There's a chance your organization has already migrated to the Sign-in risk-based Conditional Access policy.
      • You can find your Conditional Access Policies within your MS Entra ID tenant -> Security -> Conditional Access.
      Screenshot of a sign-in risk-based Conditional Access policy.

    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.