Risky Sign-ins in Azure Entra ID and Identity Protection

Question

Hello everyone,

I am seeking some technical advice regarding risk sign-ins in Azure Entra ID and Identity Protection. We have an Azure Entra ID setup with a P2 License, and we are experiencing an overwhelming number of high-severity alerts from Identity Protection in the defender XDR portal due to risk events.

https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks

Specifically, I have been encountering numerous high-severity alerts such as "Unfamiliar sign-in properties" and "Malicious IP address." These alerts are being generated in the thousands and are becoming difficult to manage.

Here are some details about the situation:

• Many of these alerts are for different users and originate from random IP addresses.
• The IP addresses involved are performing brute force attacks, but these attempts are unsuccessful.
• 90% of these alerts are being triggered when the user account is locked out due to the smart lockout feature being enabled for password protection (based on the 'Sign-in error code':'50053' in Risky Sign-in Details tab on the Risky sign-ins portals).

Given the volume and nature of these alerts, I need to understand the following:

1. Are account lockout events taken into consideration in the evaluation of risky sign-in events in Azure Entra ID?
2. How can I effectively address and manage these high-severity risky alerts, given that they often result from unsuccessful brute force attempts?

Any insights, best practices, or recommendations on how to handle these scenarios would be greatly appreciated.

Thank you!

Answer 1

Hello Anthony Mansour,

Thanks for your question.

Yes, Entra ID considers account lockout events when evaluating risky sign-ins.

For recommendations:

• Adjust risk level thresholds within Identity Protection settings to better suit you.
• You can try Sentinel for more advanced SIEM capabilities. This will help aggregate events and reduce noise. You can create analytic rules and automation to help with filtering events. https://learn.microsoft.com/en-us/azure/sentinel/overview?tabs=azure-portal
• Configure Conditional Access policies to block or restrict access based on risk levels. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
• Setup named locations to reduce false positives

See:

https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk?source=recommendations#risky-sign-ins

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola