Weekly digest says new risky sign-ins detected, but nothing in risky sign-ins report

Richard Bowmaker 51

I received the usual Azure AD Identity Protection Weekly Digest email today, but this time it said that 7 new risky sign-ins were detected:

If I click on the link, it takes me to the "Risky sign-ins" report in the Azure portal, set up to show all risky sign-ins in the last 7 days. But this shows "No sign-ins found":

Expanding the report to the last month doesn't show anything either. There's also nothing in the "Risk Detections" report.

So: Were there risky sign-ins or not? If there were, how can I see what the issue was?

Thanks!

VipulSparsh-MSFT 16,246 Reputation points Microsoft Employee

2021-05-19T07:06:54.067+00:00

@Richard Bowmaker Thanks for reaching out. Allow me sometime to investigate this. Will update soon.
Ben Kerssens 15 Reputation points

2023-11-21T08:12:25.19+00:00

@VipulSparsh-MSFT It has been 2 and half years. Any updates?

5 answers

VipulSparsh-MSFT 16,246 Reputation points Microsoft Employee

2021-05-19T09:38:36.347+00:00
@Richard Bowmaker

Can you try following :

Clear the risk state filter and check the risk detection blade.

If the above does not show any events, open a support ticket to investigate if those sign ins were dismissed by someone else or it might be a false positive.

-----------------------------------------------------------------------------------------------------------------

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Christian Uden 0 Reputation points

2023-10-24T08:33:51.34+00:00

I have the same problem. Is there already a solution to this?
Please sign in to rate this answer.
Matt Wilson 25 Reputation points

2023-10-03T11:24:31.4366667+00:00

In the process of submitting a support ticket for this very issue, their wizard automatically surfaced this community post as a potential answer to my problem where I see here the MS rep recommending we file a support ticket if clearing the state doesn't fix the issue. So... here I go with an attempt to proceed with the ticket!

Matt Wilson 25 Reputation points

2023-10-03T11:25:59.3+00:00

As of Oct 24, 2023, I am in the middle of an active open case with Microsoft support. At first, it seemed like they wanted $29 or something like that for the ticket which I balked at... but later I found a support link somewhere near the Entra ID area that let me submit a case for free, so that's where I am. My rep seems knowledgeable and helpful. I've been delayed for a few days, but will try to update him with requested information in the next couple days. I'll keep you posted! --Matt

Matt Wilson 25 Reputation points

2023-10-24T10:56:11.81+00:00

Coverted an "answer" from Oct 3 to a "comment" here. Unsure if it notified you of that, so adding this additional comment to be sure you/others read my prior comments that will now be attached to your "answer" (which technically should have been a "comment" to the OP). This forum isn't intuitive. LOL. --Matt

UT3 CTF 6 Reputation points

2023-10-26T17:36:05.1933333+00:00

I'm having the same issue. I get an email notification with 5 risky sign-ins, but when I open Entra ID with Risky Sign-Ins - the list is empty. It used to show risky sign ins and I was able to confirm sign-ins safe or compromised.

Matt Wilson 25 Reputation points

2023-10-27T19:54:02.1233333+00:00

They finally confirmed with me yesterday that they are aware this is affecting multiple tenants. They asked me to connect to Microsoft Graph via PowerShell and run Get-MgRiskyUser and send them a screenshot. None of the output of the command gave me any clue as to how that info will help--it only confirmed the absence of any actual alarm. Curious: I've recently connected my tenant to Huntress MDR for 365 as well as a separate service that does something similar. By chance have you done the same with your tenant?

Richard Bowmaker 51 Reputation points

2023-10-29T20:59:06.03+00:00

Hi Matt, thanks for the update. No, we are not using Huntress MDR or anything similar.

John McCann 0 Reputation points

2023-11-14T17:57:28.5333333+00:00

Hi guys, where you able to get anywhere with this? I am having the same issue.

UT3 CTF 6 Reputation points

2023-11-14T18:19:34.4166667+00:00

I would need to receive another notification in order to check whether it keeps showing the empty list or not.

Matt Wilson 25 Reputation points

2023-11-14T18:37:21.5733333+00:00

I still have the issue and am still working with Microsoft on it. The latest update is that yesterday, Monday, Nov 13, they requested me to upload a copy of "all the sign-in risk alerts' e-mails that you received between Oct 28th and Nov 4th". Unsure what's really going on internally, but I do believe this is at a high-level - not stuck at Tier 1. Can't guarantee, that, though. All I know is my rep seems knowledgable and tells me every so often he's waiting on his "backend team" to update him.

John McCann 0 Reputation points

2023-11-14T19:12:44.95+00:00

Thanks guys, I really appreciate the quick response. I think I'll open a ticket too. I'll keep you guys posted if I get anywhere with it. It's odd, the notifications show up in the Identity Protection overview with no details about the users. Nothing in the audit logs or sign in logs. 🤷‍♂️

UT3 CTF 6 Reputation points

2023-11-14T19:18:53.54+00:00

It takes time to see my own reply on the website.

UT3 CTF 6 Reputation points

2023-11-14T19:20:01.7433333+00:00

It would be great if Microsoft fixes it for all accounts, not only for those who opened a ticket ;-)

John McCann 0 Reputation points

2023-11-14T20:41:19.26+00:00

🤣 Absolutely!

Ben Kerssens 15 Reputation points

2023-11-21T08:10:35.9+00:00

Any updates?

I'm having the same issue. Got a mail today with 6 risky realtime signins, but when I go to the link there are 0.

Matt Wilson 25 Reputation points

2023-11-21T20:32:16.1166667+00:00

The latest update is Microsoft support asked me for the most recent e-mails (in .msg format) for a specific time range. I gave them all the ones I've received since this started a few months ago. No reply yet, unfortunately. --Matt

UT3 CTF 6 Reputation points

2023-11-21T20:40:19.8566667+00:00

The latest update is Microsoft support asked me for the most recent e-mails (in .msg format) for a specific time range. I gave them all the ones I've received since this started a few months ago. No reply yet, unfortunately. --Matt

Did they close the ticket as resolved? Can you escalate if they didn't close it?

Matt Wilson 25 Reputation points

2023-11-21T20:50:36.2566667+00:00

It’s still open. Just waiting for them to reply. It’s at the dev level, and I’m not too bothered by it at the moment, so I don’t plan to request any elevation at the moment. For those new to this thread note that MS is aware of this issue as affecting more than just me. My rep seems good. Just doesn’t seem like an easy fix since it’s likely systemic if it’s affecting multiple tenants. They likely have a process they have to follow to get things like this patched… especially when it’s not urgent. Hope this helps!

UT3 CTF 6 Reputation points

2023-11-21T21:00:36.4033333+00:00

Thanks for update, Matt. In this case we'll just wait.

I wouldn't worry if those email notifications were false positive and in reality, there are no risks as shown in Azure Risky Users tab, but if it is wise versa, and I'm getting the real status in e-mails, but the Azure doesn't show anything - now that's a big problem.

Matt Wilson 25 Reputation points

2023-11-21T21:39:32.97+00:00

100% agree. That was my original concern, too. I'll be highly agitated if something like that turns out to be the case, but at this moment I have no indication (other than the crazy e-mail alerts) to make me believe there is any real threat. I'll keep you posted!

Ben Kerssens 15 Reputation points

2023-11-22T08:03:19.5033333+00:00

Thanks for the updates! I guess we'll just have to wait.

Matt Wilson 25 Reputation points

2023-12-01T19:00:12.3366667+00:00

FYI, Latest update from my rep:

I'm going to have a meeting with the backend team this Wednesday, right at the beginning of my shift, in regards to your case. I will send you an update as soon as I have a position. For the other users facing a similar issue, I would say that the best approach would be to ask them to raise support tickets as well, so the analytics team can be aware of the urgency of this issue based on the volume of related cases. I'm really sorry about the time that is taking with this, but rest assured that I'm doing my best within my abilities for a faster resolution.

Note that he later asked for the URL to this thread, so we'll see if he decided to join in on the fun here! LOL. Cheers! --Matt

Tom Cook 0 Reputation points

2024-02-13T16:35:17.5+00:00

Also having this issue. I dinked around with the filters and found that filtering to show Risk Level (real-time) non-blank values gets the count of records to match the digest email. Sample size of 1 here, though, so not sure it is actually a meaningful correspondence.

Matt Wilson 25 Reputation points

2024-02-27T12:21:24.68+00:00

Hey there, I just posted an official response from Microsoft I received back in December as a new answer. Feel free to go check it out. TY! --Matt
Sign in to comment
Externe Emmanuel TRICHET 0 Reputation points

2024-02-20T08:02:14.76+00:00

Hello
i have this issue for 1 month now.
do you have any solution for that.
Thx
Please sign in to rate this answer.
Matt Wilson 25 Reputation points

2024-02-27T12:17:53.2766667+00:00

Hey there, I just posted an official response from Microsoft I received back in December as a new answer. Feel free to go check it out. TY! --Matt
Sign in to comment
craigfrayne 0 Reputation points

2024-02-27T08:48:54.7566667+00:00

Also seeing this same issue.
Please sign in to rate this answer.
Matt Wilson 25 Reputation points

2024-02-27T12:18:03.4633333+00:00

Hey there, I just posted an official response from Microsoft I received back in December as a new answer. Feel free to go check it out. TY! --Matt
Sign in to comment
Matt Wilson 25 Reputation points

2024-02-27T12:17:04.1366667+00:00

I have really bad news, everyone... I'm sorry for the delay in getting back to you all, but I finally got an OFFICIAL response from Microsoft. It pissed me off pretty bad, which led me to "give up" on this issue, but that's no excuse for taking this long to share the OFFICIAL (all caps out of frustration) response from Microsoft.

Below are two different e-mails from MS. My response to this was: "Oh no… So after being falsely notified of a potential threat once or twice a week, I’m going to become numb to thinking they’re noise… and then a real attack will happen one day and I won’t know about it because of all the false alarms Microsoft sent, subconsciously training me to ignore security. I cannot fathom how Microsoft would consider this “by design”." They never replied back after that, and nor did I expect them to. --Matt

---> Dec 14, 2023:

Subject: RE: [EXTERNAL] RE: 9 Risky Sign-Ins in Alert, b... - TrackingID#2310190040015423

Hi Matt,

I called you and left a VM. Thank you very much for your patience during the course of this ticket.

I've got a position from the backend team in regards of your case. Those weekly digest (real-time) entries that you're receiving can be safely ignored, as they're false positives being automatically mitigated by the Azure AI.

By system design, they will be listed in the weekly digest, but the risky detections that will need your attention will be shown in your Azure Portal's Security page.

If you feel that this feature or service may be misleading and would like to make a suggestion for improvements, I invite you to post your suggestion directly in the official Azure feedback page, where (sometimes) the Microsoft Engineers responsible for deploying those technologies can directly reply to those suggestions:

Ideas · Community (azure.com)

If you have any further questions, let me know and I will be happy to assist you. Looking forward for your reply,

Thanks, Rondinelli Microsoft 365 Azure Support Ambassador

---> Dec 18, 2023:> > Hello Matt, > > This is Rohit from Microsoft Azure Support. I'll be handling your support request as Rondinelli is out of office.> > As Rondinelli mentioned, the weekly digest (real-time) entries that you're receiving can be safely ignored, as they're false positives. As this is by design you can disable the weekly digest emails and still receive user risk alerts emails. > > When there would be an actual risk, you would receive an email informing that there are users at risk similar to the one below.> >

If you feel that this feature or service may be misleading and would like to make a suggestion for improvements, please post your suggestion directly in the official Azure feedback page, where (sometimes) the Microsoft Engineers responsible for deploying those technologies can directly reply to those suggestions:

https://feedback.azure.com/d365community

If you have any further questions, let me know and I will be happy to assist you.> Waiting for your response, > Thank you, > > Rohit > Microsoft Azure Support Engineer
Please sign in to rate this answer.
Jim Strowe 0 Reputation points

2024-05-14T12:36:38.2633333+00:00

Now that is a helpful response. Useless of course from the MS standpoint of deliberately allowing false positives for dozens if not hundreds of thousands of tenants.

BUT at least it's an answer. I just wish I knew why it's only been for the past month. My logs are clean so this seems likely that it is the false positive cited. This is really really frustrating.
Sign in to comment

Share via

Weekly digest says new risky sign-ins detected, but nothing in risky sign-ins report

5 answers