AZ 500: Configure risk event detections

Peter Benjamin 21 Reputation points
2021-11-12T13:04:57.243+00:00

Hi
I have a question about the risk levels referring to Microsoft Learn (AZ-500 part-1: Manage Identity and Access / Deploy Azure AD identity protection / Configure risk event detections).

What are the official recommendations for the following risks:
Users with leaked credentials -> High
Sign-ins from anonymous IP addresses -> Medium
Impossible travel to atypical locations -> Medium
Sign-ins from infected devices -> Low / Medium ?
Sign-in from unfamiliar locations -> Medium
Sign-ins from IP addresses with suspicious activity -> Medium / Low ?

Especially on the points: "Sign-ins from infected devices" and "Sign-ins from IP addresses with suspicious activity", I have seen disagreement in forums as well.
What are the official level recommendations from Microsoft?

Thanks for your effort in advance.

Kind regards

beni


Accepted answer
  1. Andy David - MVP 140.8K Reputation points MVP
    2021-11-12T13:29:16.52+00:00

    Well, that's the thing: they are calculated by Microsoft either in real time or offline, and then you have CA policies that block based on that risk level. If you choose to block high risk, sign-ins require MFA for medium, etc. So there isn't a standard list of this will be high, this will be medium...

    1 person found this answer helpful.
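
The arrangement described in the accepted answer, sketched with the Microsoft Graph PowerShell SDK (an added example, not part of the original thread): the tenant never sets the risk level of a detection, it only chooses which Conditional Access control applies to each level Microsoft reports. The policy names, the helper function `New-SignInRiskPolicy` and the excluded emergency-access account are assumptions.

```powershell
# Added example: two Conditional Access policies keyed on the sign-in risk
# level that Microsoft computes. Policy names, the helper function and the
# excluded account are assumptions made for illustration.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of an emergency-access account kept out of scope
# so that a misfiring policy cannot lock every administrator out.
$breakGlassId = '<break-glass-account-object-id>'

function New-SignInRiskPolicy {
    param(
        [string]   $Name,
        [string[]] $RiskLevels,   # any of 'low', 'medium', 'high'
        [string]   $Control       # 'block' or 'mfa'
    )
    $body = @{
        displayName = $Name
        # Report-only: the policy is evaluated and logged but not enforced.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users            = @{
                includeUsers = @('All')
                excludeUsers = @($breakGlassId)
            }
            applications     = @{ includeApplications = @('All') }
            clientAppTypes   = @('all')
            # The level is assigned by Microsoft; the policy only matches on it.
            signInRiskLevels = $RiskLevels
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @($Control)
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Block sign-ins rated high, require MFA for sign-ins rated medium.
New-SignInRiskPolicy -Name 'Block high-risk sign-ins' `
    -RiskLevels @('high') -Control 'block'
New-SignInRiskPolicy -Name 'Require MFA for medium-risk sign-ins' `
    -RiskLevels @('medium') -Control 'mfa'
```

Both policies are created in report-only state so their effect can be reviewed in the sign-in logs before `state` is changed to `enabled`.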

2 additional answers

  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2021-11-12T13:55:38.197+00:00

    Hi @Peter Benjamin • Thank you for reaching out.

    I had the same question a couple of months back, as the books still have this information, but this information has been removed from the official documentation and Azure Portal.

    Here is the official Microsoft statement regarding the risk levels for various risk detections:

    Microsoft doesn't provide specific details about how risk is calculated, we'll say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.

    This is documented here: Risk levels

    1 person found this answer helpful.

  2. Andy David - MVP 140.8K Reputation points MVP
    2021-11-12T13:17:53.987+00:00

    Not sure what the question is. Microsoft assigns the risk, you don't.