
Report Suspicious Activity can elevate User Risk!

I wanted to highlight a new Preview feature in Entra: Report Suspicious Activity can elevate User Risk!

When you enable this feature, if an end user chooses to report fraud/suspicious activity during an MFA prompt, you can raise their user risk so you can take additional actions for the user.

More importantly, it lets organizations use risk-based Conditional Access (CA) policies so the appropriate users can self-mitigate without having to call the helpdesk.

I’ll put links to the docs below, but let me explain more here.

I have worked with many customers who blocked users who reported fraud from MFA prompts, but this causes a burden on the SOC to review and unblock them, and also a burden on the user for doing the right thing in reporting it.

That approach means blocking the user and having the SOC review before unblocking them, which is a BIG impact on the end user. A user who chooses to report is penalized, since they now have to contact the support desk to get back to work.

This disincentivizes users from reporting a second time once they have had that experience.

Now you can use that end-user signal to elevate the user's risk, much like saying “There is something abnormal happening!”, and use CA policies to block risk-elevated users unless they can satisfy the CA policy controls.
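A sketch of the risk-based CA policy described above, added here as an example and not taken from the original post or from Microsoft's docs. It assumes the Microsoft Graph PowerShell SDK, that a suspicious-activity report raises the user to high risk, and a placeholder break-glass account ID; the policy name is made up, and the policy is created in report-only mode so its impact can be reviewed before enforcement.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'IdentityRiskyUser.Read.All'

# Placeholder: object ID of an emergency-access account to keep out of scope.
$breakGlassId = '<break-glass-account-object-id>'

$policy = @{
    # Hypothetical display name chosen for this example.
    displayName = 'Example - High user risk requires MFA and password change'
    # Report-only: evaluate and log the result without enforcing it yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        # The passwordChange control requires the policy to target all apps.
        applications   = @{ includeApplications = @('All') }
        # Assumption: reported suspicious activity sets user risk to high.
        userRiskLevels = @('high')
    }
    grantControls = @{
        # passwordChange must be combined with MFA using AND, so the user
        # proves possession of a strong factor before resetting the password.
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: list the users currently at high risk who would hit this policy.
Get-MgRiskyUser -Filter "riskLevel eq 'high'" |
    Select-Object UserPrincipalName, RiskState, RiskLastUpdatedDateTime
```

Once the report-only results look right, switching `state` to `enabled` makes a user who completes MFA and a secure password change clear their own risk, with no helpdesk ticket.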

Help your users become allies so they want to report the suspicious activity to block the attackers and not themselves.

This feature, combined with the recent release of code match and context, gives end users not only better tools to make decisions about MFA prompts but also a feedback mechanism to report suspicious activity.

Good security controls should help mitigate attackers while staying out of the way of business users doing their jobs. We should keep this in mind when deploying security controls, because the user experience matters.

❓Have you enabled this preview yet?

❓Have you deployed Risk Based CA policies to allow users to self-mitigate elevated risk?

Please like and share this, since I think this is one of those things many might not be aware of.

This was originally posted on Twitter but I wanted to capture it here for awareness.

Learn More:

This post is licensed under CC BY 4.0 by the author.

