Azure AD Risk Event Reports
Data security is one of the main topics that keep IT directors and IT admins awake at night. Most enterprise organizations have a mandated requirement to track both user and administrator actions occurring in their cloud infrastructure. For example, they watch for unusual or suspicious sign-in activity in their Office 365 environment. To help with this, Microsoft provides an audit log with the sign-in details for every user, including failed attempts. This is where the new risk events and activity reports in Microsoft Azure come into the picture. This information is very useful in helping IT admins gain insight into how users are accessing the infrastructure.
To simplify the tracking and monitoring of this detailed information we’ve introduced a brand-new set of Azure AD risk reports into our product.
These include the following:
Users with leaked credentials
This report lists users whose credentials have been found on the dark web. When the service acquires username / password pairs, they are checked against Azure AD users’ current valid credentials. When a match is found, it means that a user’s password has been compromised, and a leaked credentials risk event is created.
Sign-ins from anonymous IP addresses
This report indicates users who have successfully signed in from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device’s IP address, and may be used for malicious intent.
Impossible travel to atypical locations
This report is useful for identifying suspicious sign-ins from locations that may be atypical for the user, given past behavior.
Sign-ins from infected devices
This report identifies sign-ins from devices infected with malware. This is determined by correlating IP addresses of the user’s device against IP addresses that were in contact with a bot server.
Sign-ins from IP addresses with suspicious activity
This report indicates a high number of failed sign-in attempts, across multiple user accounts, from the same IP address over a short period of time. It’s a strong indicator that accounts are either already compromised or are about to be.
Sign-ins from unfamiliar locations
This report considers past sign-in locations to determine new / unfamiliar locations. The system stores information about previous locations used by a user, and considers these “familiar” locations. The risk event is triggered when the sign-in occurs from a location that’s not already in the list of familiar locations.
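Two of the heuristics described above, "unfamiliar locations" (a per-user set of previously seen locations) and "IP addresses with suspicious activity" (failed sign-ins across many accounts in a short window), can be illustrated with a few lines of code. The block below is an added example and is not CoreView's or Microsoft's code; the sign-in records, the 60-second window and the five-account threshold are all constructed assumptions for the illustration, and real Azure AD risk detection uses its own, undocumented thresholds.

```python
"""Toy versions of two Azure AD risk-event heuristics over a constructed sign-in log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: (timestamp, user, source IP, country, succeeded).
# Entirely made up for this example; the IPs are documentation ranges, not real hosts.
SIGN_INS = [
    ("2024-01-10T08:00:00", "alice", "203.0.113.10", "IT", True),
    ("2024-01-10T08:05:00", "bob",   "203.0.113.11", "IT", True),
    ("2024-01-10T08:10:00", "alice", "203.0.113.10", "IT", True),
    ("2024-01-10T09:00:00", "alice", "198.51.100.7", "US", True),   # new country for alice
    ("2024-01-10T09:00:10", "carol", "192.0.2.50",   "DE", False),  # password spray from one IP
    ("2024-01-10T09:00:20", "dave",  "192.0.2.50",   "DE", False),
    ("2024-01-10T09:00:30", "erin",  "192.0.2.50",   "DE", False),
    ("2024-01-10T09:00:40", "frank", "192.0.2.50",   "DE", False),
    ("2024-01-10T09:00:50", "bob",   "192.0.2.50",   "DE", False),
    ("2024-01-10T12:00:00", "bob",   "203.0.113.11", "IT", True),   # familiar country, no event
]


def _parsed(records):
    """Parse timestamps and return the records in chronological order."""
    rows = [(datetime.fromisoformat(ts), user, ip, country, ok)
            for ts, user, ip, country, ok in records]
    return sorted(rows, key=lambda r: r[0])


def unfamiliar_location_events(records):
    """Flag successful sign-ins from a country the user has never signed in from.

    The first successful sign-in seen for a user only seeds that user's familiar set,
    mirroring the 'stored previous locations' behaviour described in the report text.
    Returns a list of (user, country, ISO timestamp).
    """
    familiar = defaultdict(set)
    events = []
    for ts, user, _ip, country, ok in _parsed(records):
        if not ok:
            continue
        if user in familiar and country not in familiar[user]:
            events.append((user, country, ts.isoformat()))
        familiar[user].add(country)  # the new location becomes familiar afterwards
    return events


def suspicious_ip_events(records, window=timedelta(seconds=60), min_accounts=5):
    """Flag source IPs with failed sign-ins for >= min_accounts distinct users
    inside any sliding time window of length `window` (assumed thresholds).

    Returns {ip: sorted list of affected users}.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...] in time order
    for ts, user, ip, _country, ok in _parsed(records):
        if not ok:
            failures[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for user, country, ts in unfamiliar_location_events(SIGN_INS):
        print(f"unfamiliar location: {user} signed in from {country} at {ts}")
    for ip, users in suspicious_ip_events(SIGN_INS).items():
        print(f"suspicious IP: {ip} failed for {len(users)} accounts: {', '.join(users)}")
```

Run against the constructed log, the first function reports alice's sign-in from the US and the second reports 192.0.2.50 after five different accounts fail from it within one minute. The same structure (a per-user baseline on one side, a per-source sliding window on the other) is what a SIEM rule would encode when reproducing these reports from exported sign-in logs.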
Using V-tenants inside CoreView enables Office 365 admins to segment the information in these reports. If you assign a specific administrator to ONLY view a subset of users, then that is the only grouping of user activity which will be shown in the Azure AD risk event reports for them.
These reports can also be added to the ‘Favorite Report’ area by clicking on the star icon next to the report name. This enables quick and easy access under the ‘Analyze’ tab once you have logged into the portal. The columns can also be filtered, and as with other reports in CoreView, it is simple to export, save, print, or schedule the report to run on a regular basis.
In the top right corner of the table you can also adjust the time interval for the data items shown in the report. By using the drop-down picklist: yesterday, 7, 14, 30, 60 or 90 days, or your preferred range, it is possible to filter the information quickly to see only the date range that fits your reporting needs.
Would you like to view these reports within your environment? If you already have CoreView deployed, you can find these reports under the ‘Audit’ tab together with the other Office 365 reports. Otherwise, sign up today for our free 14-day trial to see these features in action.
Note: Your tenant must have an Azure AD Premium license associated with it to see the all-up sign-in activity report.