Enhance your security in Azure AD with the new reporting feature for MFA
Microsoft has released a preview of a new feature called “Report Suspicious Activity” in Azure Active Directory (Azure AD), which plays a role when denying an authentication request for Multifactor Authentication (MFA). By enabling this feature, administrators can receive reports of suspicious activity from users and take appropriate action to mitigate any risk.
The Report Suspicious Activity feature allows users to report any suspicious login attempts that they did not initiate when they received an authentication request. Administrators can view these reports, which provide detailed information on login attempts. This information can help administrators detect and prevent security threats before any damage is done.
If you have the reporting feature disabled (which is the current default for everyone, as it is still in preview), users can only deny unauthorized login attempts by selecting “Deny” or “No, it’s not me” when prompted in the Microsoft Authenticator App. While this will temporarily prevent an attacker from accessing the targeted user’s account, it does not raise a potential security risk to IT administrators, which can leave security threats unnoticed. With the new reporting feature, users can take it a step further and will have the option to report a suspicious login attempt for further investigation. Additionally, the user status will be set to high risk, alerting admins of the event.
Enabling the reporting feature has no major downsides. However, users may be blocked from accessing their accounts after submitting a report. To prevent productivity interruptions, administrators can enable Self Service Password Reset (SSPR) for their organization. This allows users to reset their password without needing an IT admin to reset it for them. Additionally, enabling SSPR can increase your organization’s Secure Score.
To enable the reporting service feature, administrators can navigate to their organization through Azure AD, then click on Security, Authentication Methods, and Settings. From there, you can enable the feature for a specific group or for the entire organization. After enabling the feature, any suspicious activity reports will be available in Azure AD under Security and Risk Detections. These reports will be labeled as “User Reported Suspicious Activity” for detection type and will provide detailed information that can be used to take precautionary measures.
This reporting feature is a useful tool for organizations that value security and want to proactively detect and respond to potential security threats. It is particularly beneficial for small and medium-sized organizations with limited IT resources, as it allows users to contribute to the organization’s security posture. By enabling this feature, administrators can not only proactively detect and respond to potential security threats but also give users the reporting power to help strengthen the organization’s overall security.
Thank you for reading this post! If you enjoyed it, I encourage you to check out some of our other content on this blog. We have a range of articles on various topics that I think you’ll find interesting. Don’t forget to subscribe to our newsletter to stay updated with all of our latest information on Microsoft Stack.
