+ Given the user risk is cumulative in nature and doesn't expire, a user may have a user risk of low or above even if there are no recent risky sign-ins or risk detections shown in Identity Protection. This situation could happen if the only malicious activity on a user took place beyond the timeframe for which we store the details of risky sign-ins and risk detections. We don't expire user risk because bad actors have been known to stay in customers' environment over 140 days behind a compromised identity before ramping up their attack. Customers can review the user's risk timeline to understand why a user is at risk by going to: `Azure portal > Azure Active Directory > Risky users report > select an at-risk user > details drawer > Risk history tab`. If you believe the user isn't compromised, use Dismiss user risk through Graph API.
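Review bot: The closing sentence of the added paragraph, "use Dismiss user risk through Graph API", tells the reader to take an action without linking the Graph reference or naming the operation, so please add the link. I would also word it so that dismissal follows the risk-history review described in the sentence before it, for example "After reviewing the risk history, if you believe the user isn't compromised, ...". Two further points in the same paragraph: "the timeframe for which we store the details of risky sign-ins and risk detections" is never stated, so a reader cannot tell when this situation applies (give the retention period or link to where it is documented), and the "over 140 days" figure has no source. Minor wording: "Given the user risk is cumulative" reads better as "Because user risk is cumulative", and "customers' environment" should be "customers' environments".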