This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 6%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
according to this article:
when a user reports a fraudulent MFA (i.e. pressing 0# on the phone) the user is supposed to be made "high risk" and IT people should be able to see this report in:
Sign in logs
Audit logs
Risk Detection report
i have tested this and the only thing that happens is i see a "failure" in the users sign in logs. none of the other things happen and the user is not marked as "high risk" i do have it enabled:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 17%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVJ%3C/text%3E%3C/svg%3E)
Hello Michael Menzie,
As per description, we understand that user is not marked with "high risk" even the user reports a fraudulent MFA by pressing 0# on phone call while performing MFA
Please confirm if you are using Passwordless sign-in.
Once you receive the phone call you are pressing 0# to mark it as fraud and after that is it asking for confirmation? (usually like press 1 to confirm)
And also confirm if the user is blocked after the sign-in attempt? Please let us know if you are using office phone
Hello Michael Menzie,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
@Venkata Jagadeep no i am not using passwordless sign in and no the user is not automatically blocked
Hello Michael Menzie,
Thanks for providing your inputs.
I request you to consider the below scenario.
You have configured MFA with phone call and you are signing in to portal from your office location regularly.
Testing Scenario 1 :
When you are signing to portal from your office location and while doing MFA you press 0# on phone call (denying you didn't attempt that particular sign-in), your sign-in gets failed.
Note: Here you are expecting in sign-in logs as failure and suspicious activity in Identity Protection and it was not happening.
Testing Scenario 2 :
When you sign-in from a different location (outside your office) and you press 0# on your phone while doing MFA and it gets failed.
Note : Here you are doing the same thing, the only difference is the location.
As per our conversation, you tested the Scenario 1 where your malicious activity logs are not recorded as risky in Identity Protection.
I request you to test the scenario 2 (from a new location where you usually not sign-in) and check if the logs are ingesting to Identity Protection as risky and let us know if it is identified as risky sign-in attempt.
i actually did number 2 as well from my phone off the corporate network and not on a VPN or WiFi and the user was marked as "high" risk this time but the user is still not blocked from signing in nor is there an error related to it in the Audit log
Hello Michael Menzie,
Microsoft Entra ID Protection determines the likelihood that a sign-in request is unauthorized for each login attempt.
To test risky sign-in a simulation with an anonymous IP address can be easily and quickly performed using the Tor Browser.
Start the Tor Browser and navigate to https://aka.ms/myapps
Sign in with your account and the sign-in will appear in the Risk Detection report after approximately 15 minutes
The below document shows the types of risk detections in Entra-ID Identity Protection.
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
The reason why your sign-in attempt from phone is not showing as risky sign-in is that you use your phone to sign-in regularly, Microsoft Algorithms will identify those sign-ins as legitimate sign-ins.
When you try from a device which you didn't sign-in regularly from un-known ip address (external and also not from your home) it might show as risky sing-in attempt.
Hello Michael Menzie,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Hello Michael Menzie,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know