Focus on risky behaviors for improved security
Azure AD continually evaluates users, apps, and sign-in risks based on heuristics and machine learning. This process is designed to identify behaviors that may pose a threat to your business or online presence.
The Risk Detection app gives a list of risky activities that have been flagged. Since not all of these may be actual threats, this app has the capability to whitelist to suit your business needs. By whitelisting activities, your display will not be cluttered with alerts.
When Should I Worry?
Because these detections are trying to find problems before they cause damage, not every entry will represent a real security risk. Review each alert for whether it represents expected behavior, and utilize the whitelisting feature to avoid detections on regular activities.
For example, you may have a riskySignIn detection that the same employee credentials were used to log in from different continents. Since compromised credentials are a major access point, this is a real threat.
On the other hand, if you know that employee was traveling at the time, it is not surprising that he accessed the network from Houston, New York, and London in the same 24 hour period.