LoFP / Azure Active Directory

a source ip failing to authenticate with multiple users is not common for legitimate behavior.
administrative users will likely use powershell commandlets to troubleshoot and maintain the environment. filter as needed.
administrator may legitimately add new owners for service principals. filter as needed.
administrator may legitimately create service principal. filter as needed.
administrator may legitimately invite external guest users. filter as needed.
administrators may legitimately assign the application administrator role to a user. filter as needed.
administrators may legitimately assign the global administrator role to a user. filter as needed.
administrators may legitimately assign the privileged authentication administrator role as part of administrative tasks. filter as needed.
administrators may legitimately assign the privileged roles to service principals as part of administrative tasks. filter as needed.
administrators will legitimately assign privileged roles to users as part of administrative tasks. filter as needed.
although not recommended, certain users may be required to authenticate without multi-factor authentication. filter as needed.
as part of legitimate administrative behavior, users may activate pim roles. filter as needed.
as part of legitimate administrative behavior, users may be assigned pim roles. filter as needed.
certain users or applications may create multiple service principals in a short period of time for legitimate purposes. filter as needed.
details for the risk calculation algorithm used by identity protection are unknown and may be prone to false positives.
in most organizations, domain federation settings will be updated infrequently. filter as needed.
in most organizations, new custom domains will be added infrequently. filter as needed.
legitimate use cases may require users to disable mfa. filter as needed.
legitimate users may fail to respond to the mfa challenge within the time window or deny it by mistake.
multiple denied mfa requests in a short period of time may also be a sign of authentication errors. investigate and filter as needed.
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.
privileged graph api permissions may be assigned for legitimate purposes. filter as needed.
service principal client credential modifications may be part of legitimate administrative operations. filter as needed.
service principals are sometimes configured to legitimately bypass the consent process for purposes of automation. filter as needed.
service principals will legitimately authenticate remotely to your tenant. implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the azure ad environment. filter known source ips as needed.
the full_access_as_app api permission may be assigned to legitimate applications. filter as needed.
the sourceanchor (also called immutableid) azure ad attribute has legitimate uses for directory synchronization. investigate and filter as needed.
while not common, administrators may enable accounts and reset their passwords for legitimate reasons. filter as needed.