Microsoft 365 Security Administration:MS-500 Exam Guide

Managing and resolving risk events

The Report section of Azure AD Identity Protection provides M365 administrators with the ability to review and resolve events and detections, as shown in the following screenshot:

Figure 5.23 – Reports

You will be able to carry out investigations based on what is recorded in these sections and take steps to resolve any risks, as well as unblock any users who may have been blocked, provided it's safe to do so.

Let's look at each of the options within the Report section in detail.

Examining users at risk

A risky user is someone whose activity has matched a risk level set in Azure AD Identity Protection. When a risk is detected, alerts will be sent to administrators, as shown earlier in this chapter. However, it is important to proactively review the list of users at risk in Azure AD Identity Protection in the Azure portal and take corrective actions.

Under Risky Users, you will see a list of the users within your tenant who have been determined to be at risk. You will be able to see the user's name, Risk state, Risk level, and the date that the risk was last updated. An example of this is shown in the following screenshot:

Figure 5.24 – User at risk

To further examine users at risk, we can take the following steps:

  1. If you click on the ellipsis to the right of the status of the highlighted user, you will see more options, as follows:

    Figure 5.25 – More options

  2. Highlighting an at-risk user will provide you with a detailed summary at the bottom of the Risky Users window, as follows:

    Figure 5.26 – Detail summary

Within this detail summary, you have the option to drill down and view detailed information about the user's recent activity, including the following:

  • User's sign-ins
  • User's risky sign-ins
  • User's risk detections

Based on the information that is gathered from these events, you have the option to then apply the following actions or conditions to that user:

  • Reset the user's password
  • Confirm that the user is compromised
  • Dismiss the user risk if you are confident that this is safe to do
  • Block the user

Three of these actions are self-explanatory. If you confirm that a user is compromised, that user is moved to the High risk category so that future risk assessments take this into account, as shown in the following screenshot:

Figure 5.27 – Confirming that a user is compromised

Next, we will look at risky sign-ins.

Examining risky sign-ins

A risky sign-in is recorded in Azure AD Identity Protection when a user signs in with their Microsoft 365 account and that activity triggers a risk event.

Microsoft 365 administrators can view and manage risky sign-in activity from the Reports section of the Azure AD Identity Protection pane in the Azure portal, as follows:

  • Under Risky sign-ins, you are able to view and manage all recorded risky sign-in activity:

Figure 5.28 – Risky sign-ins

  • Highlighting an entry in this list will provide you with additional details for the sign-in event, as shown in the following screenshot:

Figure 5.29 – Risk sign-in details

  • Similar to Risky users, you are able to view risk reports, users' sign-ins, users' risky sign-ins, and sign-in risk detections from here. Upon examining the information presented here, you will have the option to confirm that the sign-in activity for the highlighted user was, in fact, compromised, as shown in the following screenshot:

Figure 5.30 – Confirm sign-in compromised

Additionally, by clicking the ellipsis, you can confirm that the sign-in was safe.

Examining risk detections

A risk is recorded in Azure AD Identity Protection whenever any event is detected that matches a risk definition.

Microsoft 365 administrators can view and manage risk detections from the Reports section of the Azure AD Identity Protection pane in the Azure portal, as follows:

  • Under Risk detections, you are able to view all recent recorded risk events:

Figure 5.31 – Risk detections

  • These events are broken down into the following sections:

    a. Detection Time
    b. User
    c. IP Address
    d. Location
    e. Detection Type
    f. Risk State
    g. Risk Level
    h. Request ID

  • Highlighting an individual event in the list provides more details about it, as shown in the following screenshot:

Figure 5.32 – Detected risk details

Once again, from here, you can gain access to risk reports, sign-ins and risky sign-ins, as well as risk detections.
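The following Python example is an addition to this chapter, not code from the book or from Microsoft. It makes two of the preceding sections concrete: the per-user drill-down and actions described under Examining users at risk, and the field-level records listed under Examining risk detections. It runs offline on constructed sample records whose field names follow the Microsoft Graph riskDetection resource (the API behind these portal blades); that field mapping, the way the Confirm user compromised and Dismiss user risk actions are modelled as state changes on the records, and all function names are this example's own assumptions.

```python
"""Offline triage helpers for Azure AD Identity Protection risk detections (added example)."""
from datetime import datetime

# Constructed sample records, not real tenant data. Field names follow the Microsoft
# Graph riskDetection resource (an assumption of this example) and map onto the
# columns of the Risk detections blade: Detection Time, User, IP Address, Location,
# Detection Type, Risk State, Risk Level, Request ID.
SAMPLE_DETECTIONS = [
    {"detectedDateTime": "2021-03-01T08:15:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "location": {"city": "Oslo", "countryOrRegion": "NO"},
     "riskEventType": "unfamiliarFeatures", "riskState": "atRisk", "riskLevel": "medium",
     "requestId": "00000000-0000-0000-0000-000000000001"},
    {"detectedDateTime": "2021-03-01T08:20:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "location": {"city": "Lagos", "countryOrRegion": "NG"},
     "riskEventType": "impossibleTravel", "riskState": "atRisk", "riskLevel": "high",
     "requestId": "00000000-0000-0000-0000-000000000002"},
    {"detectedDateTime": "2021-02-27T17:05:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "192.0.2.44", "location": {"city": "London", "countryOrRegion": "GB"},
     "riskEventType": "anonymizedIPAddress", "riskState": "atRisk", "riskLevel": "low",
     "requestId": "00000000-0000-0000-0000-000000000003"},
    {"detectedDateTime": "2021-02-20T09:00:00Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "192.0.2.90", "location": {"city": "Paris", "countryOrRegion": "FR"},
     "riskEventType": "unfamiliarFeatures", "riskState": "dismissed", "riskLevel": "low",
     "requestId": "00000000-0000-0000-0000-000000000004"},
]

# Risk states that still need an administrator's decision. dismissed, remediated and
# confirmedSafe are closed and drop out of the review queue.
OPEN_STATES = {"atRisk", "confirmedCompromised"}
LEVEL_RANK = {"none": 0, "hidden": 0, "low": 1, "medium": 2, "high": 3}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def open_detections(detections):
    """Detections whose risk state is still open."""
    return [d for d in detections if d["riskState"] in OPEN_STATES]


def summarize_by_user(detections):
    """Collapse open detections into one row per user, like the Risky users blade:
    highest risk level, number of detections, distinct IPs, countries and detection types,
    and the most recent detection time."""
    summary = {}
    for d in open_detections(detections):
        row = summary.setdefault(d["userPrincipalName"], {
            "highest_level": "none", "count": 0, "ips": set(),
            "countries": set(), "types": set(), "last_seen": None})
        row["count"] += 1
        row["ips"].add(d["ipAddress"])
        row["countries"].add(d["location"]["countryOrRegion"])
        row["types"].add(d["riskEventType"])
        if LEVEL_RANK[d["riskLevel"]] > LEVEL_RANK[row["highest_level"]]:
            row["highest_level"] = d["riskLevel"]
        seen = parse_time(d["detectedDateTime"])
        if row["last_seen"] is None or seen > row["last_seen"]:
            row["last_seen"] = seen
    return summary


def triage_queue(detections):
    """Users in review order: highest risk level first, then most recently detected."""
    summary = summarize_by_user(detections)
    return sorted(summary, key=lambda upn: (-LEVEL_RANK[summary[upn]["highest_level"]],
                                            -summary[upn]["last_seen"].timestamp()))


def confirm_compromised(detections, upn):
    """Model the Confirm user compromised action: every open detection for the user is
    marked confirmedCompromised and raised to High risk, as the chapter describes.
    Returns a new list; the input is not modified."""
    updated = []
    for d in detections:
        d = dict(d)
        if d["userPrincipalName"] == upn and d["riskState"] in OPEN_STATES:
            d["riskState"] = "confirmedCompromised"
            d["riskLevel"] = "high"
        updated.append(d)
    return updated


def dismiss_user_risk(detections, upn):
    """Model the Dismiss user risk action: open detections for the user become dismissed.
    Returns a new list; the input is not modified."""
    return [dict(d, riskState="dismissed") if d["userPrincipalName"] == upn
            and d["riskState"] in OPEN_STATES else d for d in detections]


if __name__ == "__main__":
    rows = summarize_by_user(SAMPLE_DETECTIONS)
    for upn in triage_queue(SAMPLE_DETECTIONS):
        r = rows[upn]
        print(f"{upn}: {r['highest_level']} x{r['count']} from {sorted(r['countries'])} "
              f"types={sorted(r['types'])} last={r['last_seen'].isoformat()}")
```

Run as a script it prints the review queue; in practice the same functions would be fed the JSON returned by a Graph query for risk detections instead of the constructed list. Keeping the two actions as pure functions that return a new list makes it easy to record what an administrator decided before the change is pushed back to the tenant.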

The preceding steps provide you with the means to effectively review and manage all risk events using Azure AD Identity Protection.

Important note

Review, investigate, and remediate user risk events regularly to ensure you are keeping your Microsoft 365 tenant secure and protected. Resolve risk events as soon as you have reviewed them to keep the list of recorded events neat and manageable.