Report Suspicious Activity [CHK-1156]
This check verifies whether Report Suspicious Activity is enabled in Entra ID and targeted at all users. When enabled, users can flag MFA push notifications they did not initiate directly from the authenticator prompt, which marks the account as high risk and helps detect MFA fatigue attacks early.
Rationale
MFA fatigue (also known as MFA bombing) is a common technique where attackers who already possess valid credentials repeatedly trigger MFA push notifications, hoping the user will eventually approve one out of frustration or by mistake. Once approved, the attacker gains full access to the account, often bypassing other defenses.
Report Suspicious Activity gives users a clear, one-tap way to flag these unsolicited prompts. When a user reports a suspicious push, Entra ID immediately raises the user's risk level to high. This triggers any Conditional Access policies tied to user risk (such as forcing a password reset or blocking sign-in) and surfaces the account in Identity Protection for further investigation.
Leaving this feature disabled means MFA bombing attempts go unreported and unnoticed, increasing the chance that one will eventually succeed. Enabling it for all users is a low-impact, high-value control that turns every employee into a sensor for credential compromise.
Fix
An automated fix is available through Attic.
Manual steps:
- Sign in to the Entra admin center as a Security Administrator or Authentication Policy Administrator.
- Navigate to Protection > Authentication methods > Settings.
- Set Report suspicious activity to Enabled.
- Under Include, select All users (or a specific group if a phased rollout is required, but All users is recommended).
- Click Save.
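To verify the setting outside the portal, the same condition this check tests can be evaluated against the tenant's authentication methods policy as returned by Microsoft Graph. The following is an added example written for this page, not Attic's own check code; it assumes the Graph `reportSuspiciousActivitySettings` object carries a `state` value and an `includeTarget` whose `id` is `all_users` when the feature covers everyone, and the sample policy fragments are constructed, not captured from a tenant.

```python
"""Offline evaluator for CHK-1156 over an Entra ID authenticationMethodsPolicy object."""
import json
import urllib.request
from typing import Dict, List, Tuple

# Graph endpoint that returns the policy; reading it requires the Policy.Read.All permission.
GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"


def fetch_policy(access_token: str) -> Dict:
    """Fetch the tenant policy from Microsoft Graph (online use only)."""
    req = urllib.request.Request(
        GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def evaluate_report_suspicious_activity(policy: Dict) -> Tuple[bool, List[str]]:
    """Return (passed, findings). Passes only if the feature is enabled AND scoped to all users."""
    findings: List[str] = []
    settings = policy.get("reportSuspiciousActivitySettings") or {}
    # Assumed state values: default / enabled / disabled; anything but "enabled" fails the check.
    state = settings.get("state", "default")
    if state != "enabled":
        findings.append(f"state is '{state}', expected 'enabled'")
    target = settings.get("includeTarget") or {}
    if target.get("id") != "all_users":
        findings.append(f"includeTarget id is '{target.get('id')}', expected 'all_users'")
    return (not findings), findings


# Constructed sample policy fragments (not captured from a real tenant).
COMPLIANT = {"reportSuspiciousActivitySettings": {
    "state": "enabled", "includeTarget": {"targetType": "group", "id": "all_users"}}}
DISABLED = {"reportSuspiciousActivitySettings": {
    "state": "disabled", "includeTarget": {"targetType": "group", "id": "all_users"}}}
PHASED = {"reportSuspiciousActivitySettings": {  # scoped to a placeholder group, not all users
    "state": "enabled",
    "includeTarget": {"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}}}

if __name__ == "__main__":
    for name, policy in [("compliant", COMPLIANT), ("disabled", DISABLED), ("phased", PHASED)]:
        passed, found = evaluate_report_suspicious_activity(policy)
        print(f"{name}: {'PASS' if passed else 'FAIL'} {found}")
```

A phased rollout to a single group is reported as a failure on purpose, matching the check's requirement that the feature target all users.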