If you’re working as part of a team in Azure AD Identity Protection and want to know who dismissed a risk event (e.g. a risky sign-in), it’s not obvious where to find the information. This article explains how to do it.
Let’s take an example. You go into the Azure AD Identity Protection blade of the Azure portal and find a risky sign-in event.
At this point I’ve assessed that the risk is something I know about and am comfortable with dismissing it. I go ahead and dismiss the event. Now, if another administrator comes along, how can they find out who dismissed the event? The answer lies in the Azure AD audit log.
Go to the Azure AD blade within the Azure portal and select the Audit Logs option under the Monitoring section.
In the right-hand pane, change the Category to “Other” and the Activity to “Admin dismisses/resolves/reactivates risk event”.
From here you can determine who dismised the event as shown in the screenshot below.
And that’s it!