
Report Suspicious Activity & Fraud Alert for Azure MFA

A new feature popped up in Azure AD. Well, not entirely new, I must say. Reading from the docs, Report Suspicious Activity is an enhancement of the Fraud Alert feature that has existed for quite some time.

Until now, administrators could enable Fraud Alert for Azure MFA so that users could report suspicious MFA prompts. Users who reported fraud could be automatically blocked so they could no longer sign in. While this is a good feature, it kills productivity, because only the intervention of an admin can remediate the user. This admin would then need to unblock the user and ensure the user’s identity was secured.

Well, good news for customers who own an Azure AD Premium P2 license: you can now integrate Fraud Alert with Azure AD Identity Protection. You can also configure the reporting code for users who use voice calls as an authentication method.

From the Azure AD portal, go to Security -> Authentication Methods -> Settings. Here you will find a new policy that can be enabled for a single group or all users.

Once enabled, users can now report suspicious activity from either the Authenticator app or a voice call. For the purpose of this demo, I use the Authenticator app.

Fraud Alert and the new Report Suspicious Activity can be used together. Keep in mind: if Fraud Alert is enabled with Automatic Blocking, and Report Suspicious Activity is enabled, the user will be added to the blocklist and set as high-risk and in-scope for any other policies configured. These users will need to be removed from the blocklist and have their risk remediated to enable them to sign in with MFA.

After the user reports fraud, the user risk is set to high.

The audit logs will also record that the user reported suspicious activity.

With this in place, you can now integrate with Conditional Access to force a password reset for users with a high user risk. For some personas, you can also consider blocking the user.
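The policy described above can also be created with Microsoft Graph PowerShell. This is an added example, not taken from the original post: the group and account IDs are placeholders, and starting in report-only mode and excluding an emergency access account are assumptions of the example.

```powershell
# Added example: requires the Microsoft.Graph.Identity.SignIns module.
# The two IDs below are placeholders, not values from the post.
$pilotGroupId = '<object-id-of-pilot-group>'
$breakGlassId = '<object-id-of-emergency-access-account>'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'IdentityRiskEvent.Read.All'

$policy = @{
    displayName = 'Require password change for high user risk'
    # Report-only first; switch to 'enabled' once sign-in logs show the expected impact.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        userRiskLevels = @('high')
        clientAppTypes = @('all')
        # The password change control must target all cloud apps.
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassId)
        }
    }
    grantControls = @{
        # passwordChange is only accepted together with mfa, combined with AND.
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# List user-reported detections and whether the risk has been remediated yet.
Get-MgRiskDetection -Filter "riskEventType eq 'userReportedSuspiciousActivity'" |
    Sort-Object DetectedDateTime -Descending |
    Select-Object UserPrincipalName, RiskLevel, RiskState, DetectedDateTime
```

Detections that stay in the `atRisk` state are users who reported a prompt but have not yet completed the password change.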

With this policy in place, Adele is now forced to reset her password and self-remediate the risk.

As you can see, Adele could do self-remediation and stay productive and secure!

The Fraud Alert feature is available for both P1 and P2, while the new Report Suspicious Activity feature is only available in P2, as this integrates with Azure AD Identity Protection.

More info can be found here: Configure Azure AD Multi-Factor Authentication – Microsoft Entra | Microsoft Learn

Stay safe!

11 thoughts on “Report Suspicious Activity & Fraud Alert for Azure MFA”

  1. Pingback: Intune Newsletter - 5th May 2023 - Andrew Taylor

  2. Hey, great sum-up of the feature. One thing I’m not sure about: Why should someone activate the “old” fraud alert (with or without blocking) and in addition the new feature? In our environment I use only the new “report suspicious activity” and this works really well.

    Regards,
    Patrick

    1. Hey Patrick,

      Fraud Alert and the new Report Suspicious Activity can be used together, but it is a good idea to go for the Report Suspicious Activity and disable Fraud Alert.

      1. Ok, this is in line with my opinion. 🙂
        Do you think there are any benefits when enabling both, besides that you can use notifications sent to admins when using fraud alerts in addition?

        1. I don’t see that much value in both. It also depends on your license and your needs.

          My point of view:
          If you have P1: use Fraud Alert
          If you have P2: use Report Suspicious Activity, disable Fraud Alert

          Report Suspicious Activity will give the most flexible option, as you can either block or reset password, using Identity Protection/Conditional Access.

  3. @Patrick @jan – I would like to know the answer too. What are the benefits, if any, of enabling both? Or should one only enable Report Suspicious Activity?

    1. I don’t see that much value in both. It also depends on your license and your needs.

      My point of view:
      If you have P1: use Fraud Alert
      If you have P2: use Report Suspicious Activity, disable Fraud Alert

      Report Suspicious Activity will give the most flexible option, as you can either block or reset password, using Identity Protection/Conditional Access.

  4. I don’t see that much value in both. It also depends on your license and your needs.

    My point of view:
    If you have P1: use Fraud Alert
    If you have P2: use Report Suspicious Activity, disable Fraud Alert

    Report Suspicious Activity will give the most flexible option, as you can either block or reset password, using Identity Protection/Conditional Access.

    1. Thanks, it makes sense using Report Suspicious Activity and using IP or CA for password – as we have P2 Licence.
      @Patrick @jan

    1. Hi Anto,

      That setting is for phone-based MFA. So when users are called and did not initiate that call, they can simply press 0 to report the activity.
