Azure AD – You can now enable suspicious activities reporting (preview)

If you have been using the on-premises Azure MFA server (which by the way is going to be fully deprecated – https://azure.microsoft.com/en-us/updates/azure-multifactor-authentication-server-will-be-deprecated-30-september-2024/) you already know that end-users were able to report suspicious activities.

Well, this was a missing feature on Azure AD MFA which is now becoming available.

First you need to enable it (this is not enabled by default – probably because this is currently in preview).

To enable it, logon to you Azure AD portal (https://aad.portal.azure.com/) to access the Azure Active Directory\Security\Authentication methods\Settings blade or Entra portal (https://entra.microsoft.com/) to access the Protect & secure\Authentication methods\Settings blade

image  image

When enabling the report suspicious activities, you can select if this applies to all of your users or a specific group

image  image  image

Once enabled, you can get the report from:

  • either the Identity Protection\Risk detections blade; it will appear as User Reported Suspicious Activity for the detection type, with risk level High and source End user reported

image

  • or the Active Directory\Sign-in logs blade; it will appear as MFA denied with Fraud Code Entered

This feature works only with Authenticator prompt or phone call MFA request.

To report the suspicious activity the user has to use the No, it’s not me button on the Authenticator request

image  image


Leave a Comment

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.