What are the risks of Azure AD sign-ins?
A risky sign-in is detected when a Microsoft 365 user account is accessed in an unusual pattern. Microsoft Entra ID Protection analyzes the risk factors associated with a sign-in event and categorizes risky sign-ins into three levels: low, medium, and high. You can configure risk-based policies based on these risk levels to safeguard your organization.
Some common risk factors that are considered for detecting risky sign-ins in Azure AD are:
- Password spray attack: This happens when an attacker makes multiple sign-in attempts to various user accounts using a set of common passwords in a short timeframe.
- Impossible travel: This occurs when a user account is accessed from two distant locations within a short period.
- Unfamiliar sign-in properties: This situation arises when there's an attempt to sign in from properties that differ from the user's usual sign-in history. These properties include IP address, location, device, browser, and tenant IP subnet.
- Malicious IP address: This occurs when a user attempts to sign in from an IP address that is deemed malicious due to a high number of login failures resulting from incorrect passwords.
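
The password spray and impossible travel factors above can be illustrated with a simplified detector run over sign-in records. This is an added example, not Microsoft's detection logic or code from the original page; the record layout, the grouping by source IP, and the thresholds (900 km/h, 4 accounts within 5 minutes) are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins (not real log data), documentation-range IPs:
# (UTC time, user, source IP, latitude, longitude, succeeded)
SIGNINS = [
    ("2024-05-01T08:00:00", "alice", "198.51.100.7", 51.5, -0.12, True),  # London
    ("2024-05-01T09:00:00", "alice", "203.0.113.9", 40.7, -74.0, True),   # New York, 1 h later
    ("2024-05-01T10:00:00", "bob", "192.0.2.50", 48.9, 2.35, False),
    ("2024-05-01T10:00:20", "carol", "192.0.2.50", 48.9, 2.35, False),
    ("2024-05-01T10:00:40", "dave", "192.0.2.50", 48.9, 2.35, False),
    ("2024-05-01T10:01:00", "erin", "192.0.2.50", 48.9, 2.35, False),
    ("2024-05-01T12:00:00", "bob", "198.51.100.8", 48.9, 2.35, True),
]

def parse(rows):
    return sorted((datetime.fromisoformat(t), u, ip, la, lo, ok) for t, u, ip, la, lo, ok in rows)

def km_between(lat1, lon1, lat2, lon2):
    # Great-circle distance via the haversine formula (Earth radius 6371 km).
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(min(1.0, sqrt(a)))

def impossible_travel(rows, max_kmh=900):
    """Users whose consecutive successful sign-ins imply a speed above max_kmh."""
    last, hits = {}, []
    for t, user, _, lat, lon, ok in parse(rows):
        if not ok:
            continue
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = max((t - t0).total_seconds() / 3600, 1 / 3600)  # avoid divide by zero
            if km_between(lat0, lon0, lat, lon) / hours > max_kmh:
                hits.append(user)
        last[user] = (t, lat, lon)
    return hits

def password_spray(rows, min_users=4, window=timedelta(minutes=5)):
    """Source IPs with failed sign-ins against >= min_users distinct accounts in one window."""
    fails, hits = defaultdict(list), set()
    for t, user, ip, _, _, ok in parse(rows):
        if ok:
            continue
        fails[ip] = [(ft, fu) for ft, fu in fails[ip] if t - ft <= window] + [(t, user)]
        if len({fu for _, fu in fails[ip]}) >= min_users:
            hits.add(ip)
    return sorted(hits)
```

On the sample data, `impossible_travel(SIGNINS)` flags `alice` and `password_spray(SIGNINS)` flags `192.0.2.50`; a spray spread across many source addresses would not be caught by the per-IP grouping used here.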