Azure- User at risk detected

Question

Hi,

I got an email today saying a user is at risk.

When i clicked on the user it showed it was accesed in Virginia,USA. Our organization is located in NewZealand.

I searched for the Ip address and it said it belongs to amazon.com.

I'm guessing its related to AWS.

Has anyone else faced this problem? how do we deal with this risk?

Any help is much appreciated.

Thanks,

Sravan

Answer 1

This is a common alert when using Identity Protection:

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#user-linked-detections

Typically for a high user risk, you would have a Conditional Access Policy that forces a password change:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user

More info:

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies#user-risk-policy

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-user-experience