Without Entra ID P2 licensing we are limited in what we can do for alert notifications, specifically around risky user sign-ins. The Identity Protection module in Entra is still accessible but limited in the data it provides, and sending alerts from the service itself is entirely paywalled, so here is a PowerShell script that does it for us using Graph. A risky sign-in is an event where a user's sign-in attempt is flagged as suspicious because of unusual patterns or behaviour. Two scheduled tasks trigger it: one looks back over the past 10 minutes (as defined in the script) for any new activity, and a second sends a daily report regardless of whether any activity is present.
We love security features that are blocked by a paywall! The solution was to use the Graph API and a scheduled task running a PowerShell script to retrieve the risk events and send an email report daily, or whenever an event is detected within the past 10 minutes.
For reference, the bones of this script are here; I have adjusted it for my needs, specifically how often it runs and the $lookBackMinutes value: https://gist.github.com/tora1104/e5419a1768d935d40f35bfacce1e60b3
Replaced lines 60-62 of the gist with:
# Look-back window in minutes; matches the schedule of the "near real time" task
$lookBackMinutes = 10
# Start of the window as a UTC ISO 8601 timestamp (round-trip "o" format) for the Graph $filter
$startTime = (Get-Date).AddMinutes(-$lookBackMinutes).ToUniversalTime().ToString("o")
# Only detections newer than the window that are still open (atRisk or confirmedCompromised); the backtick keeps $filter literal inside the double-quoted string
[uri]$uriGraphEndpoint = "https://graph.microsoft.com/beta/riskDetections?`$filter=activityDateTime gt $startTime and (riskState eq 'atRisk' or riskState eq 'confirmedCompromised')"
This turns the script into a near real time alert that fires only when it finds a detection.
I also removed the else statement that would send an email even if no alert was found.
For now we keep the daily check so it still sends us something in the morning as normal, and have this second copy of the script running to alert us if something occurs between the daily checks.
There are multiple ways to skin this beast if your risk tolerance doesn't allow granting the Mail.Send application permission to this custom app registration. I don't have the ability to use an Azure Function with PowerShell to orchestrate it, hence the script running locally from my network. The script is signed and runs on a dedicated server.
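As an added example (not the gist's code and not part of the original post), here is the whole flow in one self-contained script: an app-only token, the 10-minute riskDetections query with paging, and an email only when there is something to report. The tenant id, app id, secret and both mailbox addresses are placeholders you would fill in; the Graph endpoints, the token endpoint, the riskDetections properties and the sendMail request shape are real.

```powershell
# Added example: poll Entra ID risk detections via Graph and email a report only
# when new detections exist in the look-back window. Placeholder values below
# (tenant, app, secret, mailboxes) are assumptions to replace with your own.

$tenantId        = '<TENANT-ID>'
$clientId        = '<APP-CLIENT-ID>'
$clientSecret    = '<APP-CLIENT-SECRET>'   # a certificate is preferable to a secret if you can use one
$senderUpn       = 'secalerts@contoso.example'   # mailbox the app is permitted to send as
$recipient       = 'soc@contoso.example'
$lookBackMinutes = 10

# 1. App-only token (client credentials). The app registration needs the application
#    permissions IdentityRiskEvent.Read.All and Mail.Send with admin consent.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Detections newer than the look-back window that are still open.
$startTime = (Get-Date).AddMinutes(-$lookBackMinutes).ToUniversalTime().ToString('o')
$filter    = "activityDateTime gt $startTime and (riskState eq 'atRisk' or riskState eq 'confirmedCompromised')"
$uri       = "https://graph.microsoft.com/beta/riskDetections?`$filter=$([uri]::EscapeDataString($filter))"

$detections = @()
do {
    $page        = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $detections += $page.value
    $uri         = $page.'@odata.nextLink'   # follow paging until Graph stops returning a link
} while ($uri)

# 3. Send nothing on an all-clear; the daily task covers the "still alive" report.
if ($detections.Count -eq 0) {
    Write-Verbose "No new risk detections in the last $lookBackMinutes minutes."
    return
}

# HTML-encode values that originate from sign-in data before putting them in the mail body
function Enc($s) { [System.Net.WebUtility]::HtmlEncode([string]$s) }

$rows = foreach ($d in $detections) {
    "<tr><td>$(Enc $d.activityDateTime)</td><td>$(Enc $d.userPrincipalName)</td>" +
    "<td>$(Enc $d.riskEventType)</td><td>$(Enc $d.riskLevel)</td><td>$(Enc $d.riskState)</td>" +
    "<td>$(Enc $d.ipAddress)</td><td>$(Enc $d.location.city), $(Enc $d.location.countryOrRegion)</td></tr>"
}
$html = "<p>$($detections.Count) new risk detection(s) in the last $lookBackMinutes minutes.</p>" +
        "<table border='1'><tr><th>Time (UTC)</th><th>User</th><th>Event</th><th>Level</th>" +
        "<th>State</th><th>IP</th><th>Location</th></tr>$($rows -join '')</table>"

# 4. Send via the sender mailbox using the Graph sendMail action.
$mail = @{
    message = @{
        subject      = "[Entra] $($detections.Count) new risky sign-in detection(s)"
        body         = @{ contentType = 'HTML'; content = $html }
        toRecipients = @(@{ emailAddress = @{ address = $recipient } })
    }
    saveToSentItems = $false
} | ConvertTo-Json -Depth 6

Invoke-RestMethod -Method Post -Uri "https://graph.microsoft.com/v1.0/users/$senderUpn/sendMail" `
    -Headers ($headers + @{ 'Content-Type' = 'application/json' }) -Body $mail
```

Run it from the 10-minute scheduled task with the daily task pointing at a copy whose empty-result branch sends the report anyway. On the Mail.Send concern: the application permission is tenant-wide by default, so if you do grant it, scope it down with an Exchange Online application access policy (New-ApplicationAccessPolicy with RestrictAccess against a mail-enabled security group containing only the sender mailbox) so the app can only send as that one mailbox rather than as any user.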