Microsoft Azure Identity Protection - Suspicious activities with successful logins
This alert fires on the Azure Identity Protection "Unfamiliar sign-in properties" and "Anonymous IP address" alerts sent to Azure Sentinel. The results are correlated with the Azure AD SignInLogs to remove the user IDs that only have failed logins.
MITRE ATT&CK Tactics
Azure Identity Protection
Please review every alert for potential false positives. Some detection types require extensive tuning time before the volume of false positives drops.
Identity Protection also detects sign-ins from unfamiliar locations for basic authentication / legacy protocols. Because these protocols do not have modern familiar features such as client ID, there is not enough telemetry to reduce false positives. To reduce the number of risk detections, you should move to modern authentication such as MFA.
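The correlation described in the alert description, as an added Python sketch over constructed records (not the rule's own query). The field names, the one-hour window and the sample users are assumptions; `result` mirrors the SigninLogs `ResultType` column, where "0" denotes a successful sign-in.

```python
from datetime import datetime, timedelta

# The two alert types named on this page; all field names below are assumptions.
ALERT_TYPES = {"Unfamiliar sign-in properties", "Anonymous IP address"}
WINDOW = timedelta(hours=1)  # assumed correlation window, tune per tenant


def ts(value):
    return datetime.fromisoformat(value)


# Constructed sample data, not real telemetry.
ALERTS = [
    {"time": ts("2024-05-01T10:00:00"), "alert": "Anonymous IP address", "user": "Alice@contoso.example"},
    {"time": ts("2024-05-01T10:05:00"), "alert": "Unfamiliar sign-in properties", "user": "bob@contoso.example"},
    {"time": ts("2024-05-01T11:00:00"), "alert": "Anonymous IP address", "user": "carol@contoso.example"},
    {"time": ts("2024-05-01T11:30:00"), "alert": "Password spray", "user": "dave@contoso.example"},
]
SIGNINS = [
    {"time": ts("2024-05-01T09:58:00"), "user": "alice@contoso.example", "result": "50126", "ip": "203.0.113.7"},
    {"time": ts("2024-05-01T10:01:00"), "user": "alice@contoso.example", "result": "0", "ip": "203.0.113.7"},
    {"time": ts("2024-05-01T10:04:00"), "user": "bob@contoso.example", "result": "50126", "ip": "198.51.100.9"},
    # Successful, but three hours before carol's alert: outside the window.
    {"time": ts("2024-05-01T08:00:00"), "user": "carol@contoso.example", "result": "0", "ip": "192.0.2.4"},
    {"time": ts("2024-05-01T11:31:00"), "user": "dave@contoso.example", "result": "0", "ip": "192.0.2.8"},
]


def correlate(alerts, signins, window=WINDOW):
    """Keep alerts of the two types whose user also signed in successfully
    within `window` of the alert; users with only failed logins drop out."""
    successes = {}
    for s in signins:
        if s["result"] == "0":  # "0" = success; any other code is a failure
            successes.setdefault(s["user"].lower(), []).append(s)
    hits = []
    for a in alerts:
        if a["alert"] not in ALERT_TYPES:
            continue
        user = a["user"].lower()  # UPN casing differs between sources
        near = [s for s in successes.get(user, [])
                if abs(s["time"] - a["time"]) <= window]
        if near:
            hits.append({**a, "user": user,
                         "success_ips": sorted({s["ip"] for s in near})})
    return hits


if __name__ == "__main__":
    for hit in correlate(ALERTS, SIGNINS):
        print(hit["time"], hit["alert"], hit["user"], hit["success_ips"])
```

Listing the source IPs of the successful sign-ins next to each surviving alert gives the reviewer a starting point for the false-positive check.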