Hello Anthony Mansour,
Thanks for your question.
Yes, Entra ID considers account lockout events when evaluating risky sign-ins.
For recommendations:
- Adjust risk level thresholds within Identity Protection settings to better suit you.
- You can try Sentinel for more advanced SIEM capabilities. This will help aggregate events and reduce noise. You can create analytic rules and automation to help with filtering events. https://learn.microsoft.com/en-us/azure/sentinel/overview?tabs=azure-portal
- Configure Conditional Access policies to block or restrict access based on risk levels. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
- Setup named locations to reduce false positives
See:
You can mark it 'Accept Answer' and 'Upvote' if this helped you
Regards,
Abiola