Recipe · Security & Compliance
Review Risky Sign-Ins for Impossible Travel, Unfamiliar Locations, and Repeated Failures
Audit weekend and off-hours sign-in activity in Microsoft Entra ID to surface compromise indicators and triage suspicious accounts
Complexity
Intermediate
Impact
security + identity-protection + audit + incident-response + entra-id
Context
Why This Matters
Attackers frequently target accounts during off-hours (weekends, holidays, and overnight windows), when IT staff are less likely to respond quickly. Microsoft Entra ID Identity Protection and the sign-in audit logs together give you a detailed picture of every authentication attempt: where it came from, what device was used, whether it succeeded, and whether Microsoft's risk engine scored it as anomalous.
A periodic review of risky sign-ins lets you catch three high-value patterns:
- Impossible travel: the same account authenticating from two geographically distant locations in a short time window, which usually indicates credential theft.
- Unfamiliar locations: sign-ins from countries or networks the user has never used before, often the first visible sign of a compromised password.
- Repeated failures: bursts of failed attempts that may indicate password spraying, brute force, or MFA fatigue attacks.
When to run it
- Every Monday morning to cover the prior weekend.
- The morning after any extended holiday.
- Ad-hoc when a user, manager, or helpdesk reports a suspicious email, device prompt, or login alert.
- As part of quarterly security reviews for privileged accounts.
Expected Outcomes
What you'll have when you finish
- A complete inventory of risky sign-ins and risk detections for the selected time window.
- A per-user breakdown of failures, locations, IP addresses, and devices used.
- A clear verdict for each flagged user (low, medium, or high risk), with the reasoning documented.
- Remediation actions taken (revoked sessions, disabled accounts, forced password resets) where warranted.
- A record suitable for compliance and audit trails (SOC 2, ISO 27001, HIPAA incident logs).
Risks & Considerations
Cautions
- Don't disable accounts reflexively. Multiple cities within a single country or 5 to 10 IPs over a weekend are usually ISP/mobile carrier routing, not compromise. Investigate before containing.
- Error code 65001 is not a credential attack. It means admin consent has not been granted for an application. Don't treat it as a brute-force indicator.
- Aggregated location data can mislead. If a tool groups sign-ins by "all locations seen," a user who signed in from Israel last month and Las Vegas this weekend may look like impossible travel. Always drill into the chronological timeline before concluding.
- Privileged accounts deserve extra scrutiny. Any anomaly on a Global Admin, Privileged Role Admin, or Exchange Admin account should be treated as high severity even if the evidence is thin.
- Preserve evidence before remediating. Export the sign-in log rows and risk detections to immutable storage before revoking sessions or resetting passwords; you may need them for a formal investigation.
- Identity Protection requires Entra ID P2 (or Microsoft 365 E5). Without it, the riskyUsers and riskDetections endpoints return limited or no data and you must rely on the raw sign-in logs.
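The three patterns above and the cautions about chronological ordering and error code 65001, applied to exported sign-in rows, as an added example that is not part of this recipe or Dex: the rows follow the shape of the Graph signIn resource (status.errorCode, location.countryOrRegion, location.geoCoordinates), and the thresholds, the per-user country baseline and all sample rows are constructed assumptions.

```python
"""Triage over exported Entra ID sign-in rows; thresholds, baselines and sample rows are constructed."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900   # assumption: faster than this between two successful sign-ins => impossible travel
FAILURE_BURST = 5         # assumption: this many genuine credential failures in the window => flag the account
CONSENT_ERROR = 65001     # admin consent not granted; never counted as a credential attack (see Cautions)

def _km(p, q):  # great-circle distance in km between two geoCoordinates dicts
    la1, lo1, la2, lo2 = map(radians, (p["latitude"], p["longitude"], q["latitude"], q["longitude"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))
def _ts(row): return datetime.fromisoformat(row["createdDateTime"].replace("Z", "+00:00"))

def triage(rows, known_countries):
    """Return {upn: set(findings)}; each user's rows are walked in chronological order."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["userPrincipalName"]].append(r)
    findings = defaultdict(set)
    for upn, events in by_user.items():
        events.sort(key=_ts)            # timeline first, never an aggregated "all locations seen" view
        prev_ok = None
        for r in (e for e in events if e["status"]["errorCode"] == 0):   # successful sign-ins only
            loc = r["location"]
            if loc["countryOrRegion"] not in known_countries.get(upn, set()):
                findings[upn].add("unfamiliar_location")
            if prev_ok is not None:
                hours = max((_ts(r) - _ts(prev_ok)).total_seconds() / 3600, 1 / 60)
                if _km(prev_ok["location"]["geoCoordinates"], loc["geoCoordinates"]) / hours > MAX_PLAUSIBLE_KMH:
                    findings[upn].add("impossible_travel")
            prev_ok = r
        # repeated failures: count real credential failures, ignoring the consent error
        if sum(e["status"]["errorCode"] not in (0, CONSENT_ERROR) for e in events) >= FAILURE_BURST:
            findings[upn].add("failure_burst")
    return dict(findings)

def _row(upn, ts, code, country="US", lat=0.0, lon=0.0):
    return {"userPrincipalName": upn, "createdDateTime": ts, "status": {"errorCode": code},
            "location": {"countryOrRegion": country, "geoCoordinates": {"latitude": lat, "longitude": lon}}}

SAMPLE = [  # constructed rows; 50126 is Entra's invalid username/password error code
    _row("alice@contoso.example", "2024-02-20T09:00:00Z", 0, "IL", 32.08, 34.78),   # Israel last month
    _row("alice@contoso.example", "2024-03-16T18:00:00Z", 0, "US", 36.17, -115.14), # Las Vegas this weekend
    _row("bob@contoso.example", "2024-03-16T02:10:00Z", 0, "US", 47.61, -122.33),   # Seattle
    _row("bob@contoso.example", "2024-03-16T03:00:00Z", 0, "NG", 6.52, 3.38),       # Lagos, 50 minutes later
] + [_row("carol@contoso.example", f"2024-03-16T01:{m:02d}:00Z", 50126) for m in range(6)] \
  + [_row("dave@contoso.example", f"2024-03-17T10:{m:02d}:00Z", CONSENT_ERROR) for m in range(3)]
KNOWN_COUNTRIES = {"alice@contoso.example": {"IL", "US"}, "bob@contoso.example": {"US"}}
```

Alice's Israel-then-Las-Vegas pair is weeks apart and stays clean once the rows are walked chronologically, while Dave's consent errors never count toward a failure burst.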
Required Permissions
| Permission | Why It's Needed |
|---|---|
| AuditLog.Read.All | Read the Entra ID sign-in audit logs to retrieve success and failure events, locations, IPs, and device details. |
| IdentityRiskyUser.Read.All | Query currently risky users and their risk state (atRisk, confirmedCompromised, remediated). |
| IdentityRiskEvent.Read.All | Read Identity Protection risk detections (impossible travel, unfamiliar sign-in, leaked credentials, etc.). |
| User.ReadWrite.All | Required if you act on findings, such as disabling accounts or updating user properties. |
| Directory.Read.All | Resolve user IDs to UPNs and display names, and read directory role memberships for privileged-account context. |
| User.RevokeSessions.All | Revoke active refresh tokens for compromised or suspicious accounts via /revokeSignInSessions. |
The fastest way to get this done is to just ask Dex. Copy the prompt below and paste it into your Dex conversation.
For IT Admins
Paste into Dex CoAdmin