Microsoft Now Lets IT Admins Enable Suspicious Activities Reporting in Azure AD

Cloud Computing

Microsoft has introduced a new Report Suspicious Activity feature in Azure Active Directory (recently renamed Microsoft Entra ID). Suspicious activity reports provide detailed information about unusual sign-in attempts to help organizations detect and respond to potential security threats.

According to Microsoft, the new feature enables users to report suspicious activities for unknown authentication requests. Users can report the fraudulent attempt via the Microsoft Authenticator app or their phone call. IT Admins can then review the activity logs to investigate and take necessary action to protect their data and resources.

“Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the Fraud Alert automatic blocking feature and don’t have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in,” Microsoft explained.

Microsoft Now Lets IT Admins Enable Suspicious Activities Reporting in Azure AD
Source: Microsoft

How to enable the Report suspicious activity feature in Azure AD

To enable the Report Suspicious Activity feature, administrators will need to follow the steps mentioned below:

  • Sign in to the Azure portal and select Azure Active Directory >> Security >> Authentication Methods >> Settings.
  • Enable the Report Suspicious Activity option.
  • Select if the new setting applies to all end users or a specific group.

Once enabled, IT admins will be able to view the risk detection report by heading to Azure Active Directory >> Security >> Identity Protection >> Risk detection. The risk event will appear as detection type “User Reported Suspicious Activity,” with risk level High and source End user reported.

Earlier this month, Microsoft warned about a new consent-based phishing campaign that tricks users into authorizing permissions for malicious OAuth apps. The Report Suspicious Activity feature should make it easier for IT admins to proactively identify and mitigate security risks in their organizations. This capability is currently available in preview, and it’s unclear when it becomes generally available for all enterprise customers.