Zoho Banner September 2011

Archive for the ‘Azure AD Identity Protection’ Category

If you’re working as part of a team in Azure AD Identity Protection and want to know who dismissed a risk event (e.g. a risky sign-in), it’s not obvious where to find the information.  This article explains how to do it.

Let’s take an example.  You go into the Azure AD Identity Protection blade of the Azure portal and find a risky sign-in event.

AAD Identity Protection 7

At this point I’ve assessed that the risk is something I know about and am comfortable with dismissing it.  I go ahead and dismiss the event. Now, if another administrator comes along, how can they find out who dismissed the event?  The answer lies in the Azure AD audit log.

Go to the Azure AD blade within the Azure portal and select the Audit Logs option under the Monitoring section.

In the right-hand pane, change the Category to “Other” and the Activity to “Admin dismisses/resolves/reactivates risk event”.

AAD Identity Protection 10

From here you can determine who dismised the event as shown in the screenshot below.

AAD Identity Protection 9

And that’s it!