LoFP
azure active directory
Title
Tags
a source ip failing to authenticate with multiple users is not common legitimate behavior.
T1110.003
T1110.004
t1586.003
azure active directory
splunk
administrative users will likely use powershell commandlets to troubleshoot and maintain the environment. filter as needed.
t1078.004
t1586.003
azure active directory
splunk
administrator may legitimately add new owners for service principals. filter as needed.
t1098
azure active directory
splunk
administrator may legitimately create service principal. filter as needed.
t1136.003
azure active directory
splunk
administrator may legitimately invite external guest users. filter as needed.
t1136.003
o365 tenant
azure active directory
splunk
administrators may legitimately assign the application administrator role to a user. filter as needed.
t1098.003
azure active directory
splunk
administrators may legitimately assign the global administrator role to a user. filter as needed.
t1098.003
azure active directory
splunk
administrators may legitimately assign the privileged authentication administrator role as part of administrative tasks. filter as needed.
t1003.002
azure active directory
splunk
administrators may legitimately assign the privileged roles to service principals as part of administrative tasks. filter as needed.
t1098.003
azure active directory
o365 tenant
splunk
although not recommended, certain users may be required to authenticate without multi-factor authentication. filter as needed.
t1078.004
t1586.003
google cloud platform tenant
azure active directory
splunk
as part of legitimate administrative behavior, users may activate pim roles. filter as needed.
t1098.003
azure active directory
splunk
as part of legitimate administrative behavior, users may be assigned pim roles. filter as needed.
t1098.003
azure active directory
splunk
certain users or applications may create multiple service principals in a short period of time for legitimate purposes. filter as needed.
t1136.003
azure active directory
o365 tenant
splunk
details for the risk calculation algorithm used by identity protection are unknown and may be prone to false positives.
T1110.003
t1586.003
azure active directory
splunk
false positives have been minimized by removing attempts that result in 'mfa successfully completed messages', which were found to be generated when a user opts to use a different mfa method than the default. further reductions in finding events can be achieved through filtering 'mfa denied; duplicate authentication attempt' messages within the auth_msg field, as they could arguably be considered as false positives.
t1078.004
t1586.003
t1621
azure active directory
splunk
in most organizations, domain federation settings will be updated infrequently. filter as needed.
T1484.002
azure active directory
splunk
in most organizations, new custom domains will be added infrequently. filter as needed.
T1484.002
azure active directory
splunk
legitimate use cases may require users to disable mfa. filter as needed.
t1556.006
t1586.003
gcp
azure active directory
splunk
multiple denied mfa requests in a short period of time may also be a sign of authentication errors. investigate and filter as needed.
t1621
azure active directory
splunk
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.
t1556.006
aws account
azure active directory
splunk
privileged graph api permissions may be assigned for legitimate purposes. filter as needed.
t1003.002
azure active directory
o365 tenant
splunk
service principal client credential modifications may be part of legitimate administrative operations. filter as needed.
t1098.001
azure active directory
o365 tenant
splunk
service principals are sometimes configured to legitimately bypass the consent process for purposes of automation. filter as needed.
t1098.003
azure active directory
o365 tenant
splunk
service principals will legitimately authenticate remotely to your tenant. implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the azure ad environment. source ips.
t1078.004
azure active directory
splunk
the full_access_as_app api permission may be assigned to legitimate applications. filter as needed.
T1098.002
t1098.003
o365 tenant
azure active directory
splunk
the sourceanchor (also called immutableid) azure ad attribute has legitimate uses for directory synchronization. investigate and filter as needed.
t1098
azure active directory
splunk
while not common, administrators may enable accounts and reset their passwords for legitimate reasons. filter as needed.
t1098
azure active directory
splunk