Yeah I got the same "surprise" earlier today... looks like a whoopsie on Microsoft side. But let's see what others say, just in case.
Riskysign-ins from weekly digest won't show up in the Entra admin center
Once in a while we get risky sign-ins reported in the Entra ID Protection weekly digest:
But in the Entra ID admin centre there is only one risky sign-in which moreover happened after I received the weekly digest. I just filtered for all risk states and sign-in types, nothing more.
Where can I find details on these 4 reported risky sign-ins?
2 answers
Sort by: Most helpful
-
-
Raja Pothuraju 12,350 Reputation points Microsoft Vendor
2025-02-03T19:14:36.6+00:00 Hello @Helge,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that you received a Microsoft Entra ID Protection Weekly Digest email reporting four new risky sign-ins detected in real time. However, when reviewing the portal within the specified time frame, you did not find any corresponding risky sign-in details.
This is a known issue. The real-time data displayed in the portal is dynamically calculated, meaning the numbers in the weekly digest may not exactly match what you see in the portal at a later time. The real-time detection process analyzes signals directly from the request pipeline, while the weekly digest numbers are derived from raw signals rather than aggregated data.
Additionally, if any sign-ins were incorrectly flagged as risky (false positives), Microsoft's machine learning algorithms may have automatically remediated or dismissed them. As a result, these sign-ins would no longer appear in the portal.
That's why you'll observe such differences when compares with weekly email and Azure Portal data.
Tagging @Vasil Michev for visibility.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".