SooHow Cheng

What is this Identity Protection | Risky users in Azure?

We are using MS Azure. In this cloud, we have AAD Connect on an on-prem DC to sync all the domain user accounts to Azure AD. Recently, a user reported that he received this notification, as attached: Azure - Ricky Users.docx


What is this Identity Protection | Risky Users? What can we do with it? Are any follow-up actions needed by the user?


Thanks,

Azure, Cloud Computing

Last Comment: SooHow Cheng, 8/22/2022 - Mon

David Johnson, CD

What was the reason the user was classed as a risky user? i.e. using a VPN anonymizer?

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-simulate-risk
David Favor

Your attached document is "locked", so no way to read it.

1) What is this Identity Protection | Risky Users?

Whatever you determine as your policy.

2) What can we do with it?

For me, I have many rules.

1x example, anyone with a failed ssh/wordpress/other login with 5x user or password failures from the same 1x IP, over any 24x period, that IP is blocked for 1x hour.

3) any follow-up actions needed by the user?

Er... who cares... if the user is "risky", they're almost surely a hacker.

Normal users rarely exhibit "risky" behavior.

If they do, after they're blocked for a few hours, they generally open an issue ticket + you can tell them how to adjust their behavior... like... stop logging in with a bad password or you will be blocked...
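
Added example, not part of the comment above or of any product's code: the failed-login rule described in that comment (5 failures from one IP, then a 1-hour block), evaluated over a constructed log. The log format, the function name `evaluate`, and reading "any 24x period" as 24 hours are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                # "5x user or password failures"
WINDOW = timedelta(hours=24)    # assumption: "any 24x period" read as 24 hours
BLOCK_FOR = timedelta(hours=1)  # "blocked for 1x hour"
# Assumed (constructed) log format: <ISO time> <service> FAIL|OK user=<u> ip=<addr>
LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

def evaluate(lines):
    """Return (blocks, rejected): blocks is a list of (ip, start, end);
    rejected counts attempts made while the source IP was blocked."""
    failures = defaultdict(deque)  # ip -> timestamps of failures in the window
    blocked_until, blocks, rejected = {}, [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # ignore lines that do not parse
        ts, outcome, ip = datetime.fromisoformat(m.group(1)), m.group(3), m.group(5)
        if ip in blocked_until and ts < blocked_until[ip]:
            rejected += 1          # a firewall rule would drop this attempt
            continue
        if outcome != "FAIL":
            continue               # the rule counts failures only
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()            # drop failures older than the window
        if len(q) >= MAX_FAILURES:
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, ts + BLOCK_FOR))
            q.clear()              # count afresh once the block is set
    return blocks, rejected

# Constructed sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE = """\
2021-12-04T09:00:00 sshd FAIL user=root ip=203.0.113.7
2021-12-04T09:00:05 sshd FAIL user=admin ip=203.0.113.7
2021-12-04T09:00:09 wordpress FAIL user=admin ip=203.0.113.7
2021-12-04T09:00:12 sshd FAIL user=test ip=203.0.113.7
2021-12-04T09:00:15 sshd FAIL user=oracle ip=203.0.113.7
2021-12-04T09:05:00 sshd FAIL user=alice ip=198.51.100.20
2021-12-04T09:05:20 sshd OK user=alice ip=198.51.100.20
2021-12-04T09:30:00 sshd FAIL user=root ip=203.0.113.7
2021-12-04T10:30:00 sshd FAIL user=root ip=203.0.113.7
""".splitlines()
if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

In the sample, 203.0.113.7 is blocked at its fifth failure and its 09:30 attempt is rejected, while the user at 198.51.100.20 who mistypes once and then signs in is never blocked.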
SooHow Cheng

ASKER
Hi David,

Title: You don't have access to this data. Please contact your global administrator to get access.

Summary:

Session ID:          da1b1b67764e4398a981e5d1b7f4b2fa
Session ID:          Not available
Extension:            Microsoft_AAD_IAM
content:                RiskyUsersBlade
Error code:           403

SooHow Cheng

ASKER
Hi all,

Checked further and found this log - Azure - Ricky User.docx

Date:           12/4/2021 6:08:31 PM
Activity:         Unfamiliar sign-in properties
Actor:           Azure-AD
Risk State:  At Risk
Level:           High

Not only this user, but quite a few users have the same risk notification.

I don't think we apply any rules, just the default.

ASKER CERTIFIED SOLUTION
Michael B. Smith

SooHow Cheng

ASKER
Hi all,

Sorry for the long delay. Thanks for the experts' suggestions; we finally got the problem resolved.