How to identify the admin that dismissed the user risk in Identity Protection?

Vasco Ezequiel Pedrosa 6 Reputation points
2024-03-05T12:16:29.5466667+00:00

I need to be able to verify who is acting upon notification on the Identity Protection Azure service.
I'm not able to find the logs to identify the Admin that "Dismiss user(s) Risk" for "Risky Users", nor that "Confirm sign-in(s) safe" for "Risky sign-ins".

All the logs that I was able to find have the events, but I was not able to read the user name of the person that changed the state of the event.


1 answer

  1. Martin Ilesanmi 5 Reputation points
    2024-05-02T18:08:14.13+00:00

    Hello @Vasco Ezequiel Pedrosa,

    Trust your day is going well.

    If you're unable to find the specific logs showing the user names of those modifying these states, you may need to adjust your audit log settings.

    Consider checking the settings as stated below:

    1. Go to the Azure portal (https://portal.azure.com/) and sign in with your administrator credentials.
    2. From the Azure home page, locate and click on "Azure Active Directory" from the left-hand side menu.
    3. Within Azure Active Directory, under the Monitoring section, select "Audit logs." This will display the audit logs for your Azure AD tenant.
    4. Click on "Export settings" to configure what data you want to export to Azure Monitor logs or an Event Hub. Ensure that you're capturing the necessary information, such as user names, for the relevant activities (like dismissing user risks or confirming sign-ins as safe).
    5. Once the audit log settings are configured, you can review the logs to see the actions taken by administrators, including those related to user risk and sign-ins.
    6. If you require more detailed auditing, consider enabling Advanced Audit, which provides additional visibility into changes made within Azure AD.
    7. Use Azure Monitor logs or other monitoring tools to analyze the exported audit logs. You can search for specific activities, filter by user names, and track changes over time.

    By adjusting the audit log settings in Azure Active Directory and ensuring that the necessary information is captured, you'll be able to verify and read the user names of administrators performing actions related to user risks and sign-ins.
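
Added example (not part of the answer above, and not Microsoft's code): once audit records are exported as JSON, the acting identity is read from each record's `initiatedBy` field, which can hold a user or an app. The sketch assumes the Microsoft Graph `directoryAudit` record shape; the sample records, activity names and keyword filter are constructed and need adjusting to the activity names your tenant actually logs.

```python
import json

# Constructed sample export: records follow the Microsoft Graph directoryAudit
# shape; activity names, accounts and timestamps are made up for illustration.
SAMPLE_EXPORT = json.dumps([
    {"activityDateTime": "2024-03-04T09:15:00Z",
     "activityDisplayName": "Dismiss user risk (constructed)",
     "initiatedBy": {"user": {"userPrincipalName": "admin1@contoso.example"}, "app": None},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2024-03-04T10:02:00Z",
     "activityDisplayName": "Confirm sign-in safe (constructed)",
     "initiatedBy": {"user": None, "app": {"displayName": "soar-automation"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    {"activityDateTime": "2024-03-04T08:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@contoso.example"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example"}]},
    {"activityDateTime": "2024-03-03T23:40:00Z",
     "activityDisplayName": "Dismiss user risk (constructed)",
     "initiatedBy": {},
     "targetResources": [{"id": "00000000-0000-0000-0000-000000000001"}]},
])

def actor_of(record):
    """Return (kind, identity) of the initiator; it may be a user or an app."""
    initiated = record.get("initiatedBy") or {}
    for kind in ("user", "app"):
        ident = initiated.get(kind) or {}
        name = (ident.get("userPrincipalName") or ident.get("displayName")
                or ident.get("id") or ident.get("servicePrincipalId"))
        if name:
            return kind, name
    return "unknown", None  # no actor recorded: flag the record for follow-up

def risk_actions(export_json, keywords=("risk", "sign-in safe")):
    """List matching actions, oldest first, with actor and affected accounts.
    The keywords are an assumption, not confirmed activity names."""
    rows = []
    for rec in json.loads(export_json):
        activity = rec.get("activityDisplayName") or ""
        if not any(k in activity.lower() for k in keywords):
            continue
        kind, who = actor_of(rec)
        targets = [t.get("userPrincipalName") or t.get("id")
                   for t in rec.get("targetResources") or []]
        rows.append({"when": rec.get("activityDateTime"), "activity": activity,
                     "actor_kind": kind, "actor": who, "targets": targets})
    return sorted(rows, key=lambda r: r["when"] or "")
```

Records that come back with `actor_kind` of `unknown` are the case described in the question: the event exists but carries no initiator, so the export alone cannot attribute it.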