How to find out who dismissed a risk event in Azure AD Identity Protection

By | April 17, 2019

If you’re working as part of a team in Azure AD Identity Protection and want to know who dismissed a risk event (e.g. a risky sign-in), it’s not obvious where to find the information.  This article explains how to do it.

Let’s take an example.  You go into the Azure AD Identity Protection blade of the Azure portal and find a risky sign-in event.

AAD Identity Protection 7

At this point I’ve assessed that the risk is something I know about and am comfortable with dismissing it.  I go ahead and dismiss the event. Now, if another administrator comes along, how can they find out who dismissed the event?  The answer lies in the Azure AD audit log.

Go to the Azure AD blade within the Azure portal and select the Audit Logs option under the Monitoring section.

In the right-hand pane, change the Category to “Other” and the Activity to “Admin dismisses/resolves/reactivates risk event”.

AAD Identity Protection 10

From here you can determine who dismised the event as shown in the screenshot below.

AAD Identity Protection 9

And that’s it!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.