Risk and behavior evaluation
Risk scoring and behavior detection use data-driven models to evaluate sign-in requests. You can configure how these properties are evaluated and applied in Global Session Policy rules. For example, you can configure a Global Session Policy rule to evaluate changes in user behavior and to require multifactor authentication if a user signs in from a new location or using a new device.
By manually configuring Global Session Policy rules to evaluate the risk level and to identify unusual behavior, you have control over the risk level or types of behavior you want to see reported. However, this information can also be useful without being explicitly configured in Global Session Policy rules.
To improve the visibility of this information without requiring manual configuration, organizations can report the results of the risk and behavior evaluation for all sign-in requests.
The results of the risk and behavior evaluation are added to the DebugContext in the System Log in a separate LogOnlySecurityData field. For example: