Avatar of SooHow Cheng
SooHow Cheng
Flag for Singapore asked on

What is this Identity Protection | Ricky users in Azure?

We are using MS Azure. In this cloud, we have the AAD Connect on OnPrem DC to sync to Azure AD for all the domain user accounts. Recently, a user feedback that he has this notification as attached Azure - Ricky Users.docx

What is this Identity Protection | Risky Users? What can we do with it? any follow-up actions needed by the user?


AzureCloud Computing

Avatar of undefined
Last Comment
SooHow Cheng

8/22/2022 - Mon
David Johnson, CD

What was the reason the user was classed as a risky user? i.e. using an vpn anonoymizer?

David Favor

Your attached document is "locked", so no way to read it.

1) What is this Identity Protection | Risky Users?

Whatever you determine as your policy.

2) What can we do with it?

For me, I have many rules.

1x example, anyone with a failed ssh/wordpress/other login with 5x user or password failures from the same 1x IP, over any 24x period, that IP is blocked for 1x hour.

3) any follow-up actions needed by the user?

Er... who cares... if the user is "risky", they're almost surely a hacker.

Normal users rarely exhibit "risky" behavior.

If they do, after they're blocked for a few hours, they generally open an issue ticket + you can tell them how to adjust their behavior... like... stop logging in with a bad password or you will be blocked...
SooHow Cheng

Hi David,

Title: You don't have access to this data. Please contact your global administrator to get access.


Session ID:          da1b1b67764e4398a981e5d1b7f4b2fa
Session ID:          Not available
Extension:            Microsoft_AAD_IAM
content:                RiskyUsersBlade
Error code:           403

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
SooHow Cheng

Hi all,

Checked further and found this log - Azure - Ricky User.docx

Date:           12/4/2021 6:08:31 PM
Activity:         Unfamiliar sign-in properties
Actor:           Azure-AD
Risk State:  At Risk
Level:           High

Not only this user, but quite a few of users having the same risk notification.

I don't think we apply any rules, just the default.

Michael B. Smith

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
SooHow Cheng

Hi all,

Sorry for the long delay. Thanks for the experts' suggestions and finally got the problem resolved.