Overview
We have turned on User and Sign-in Policies in our Azure environment to block user/user activity that Azure deems as High Risk. Systems and User Services staff will receive notifications when Azure classifies a user or sign-in activity as high. Should that happen, the user will be blocked from accessing any Office 365 resource if not on the NIC campus. We can review this activity in the Risky Users and Risky Sign-in pages in Azure. If the activity seems benign, we can dismiss the user's risk rating so they can access O365 resources.
Prerequisites
User must have Security Operator role or higher
Procedure
- Click on the View detailed report from the email
- If you do NOT have an email but want to review this report, log into the Azure Portal and type Risky Users in the top search bar. Click on Azure AD Risky Users and the report will appear
- Find the individual in question, click on the box next to their account and click on Dismiss User(s) Risk
- It takes a bit for the account's risk to be reset. To check on the status of the account, you can click on the Columns button and select Risk processing state.
- Once processing has completed, the user will no longer be listed as High Risk on this report. However, should the account be still involved in some high risk activity; the account could show back up on the report.
Additional Section
- If you click on the user, you can review the Sign-in, Risky Sign-in and Risk Detections for that user to review why Azure set this user to High Risk
- For more information about Risk, you can refer to this Microsoft Document