Anomalous Token alert of Defender

@Suraj Rimal

Thank you for your post!

When it comes to the policies pertaining to an anomalous token, you should be able to find these within the following locations:

1. The Policy management section in your Microsoft 365 Defender portal.
   • You can see the anomaly detection policies in the Microsoft Defender Portal, by going to Cloud Apps -> Policies -> Policy management. Then choosing the Anomaly detection policy for the policy type.
   
2. Microsoft Entra ID Protection - Risk detections in Microsoft Entra ID Protection include any identified suspicious actions related to user accounts in the directory. For more info: Sign-in risk detections.
   • You can find your MS Entra ID Protection policies from your MS Entra ID tenant -> Security -> Identity Protection.
   
3. Conditional Access Policy - Since the legacy risk policies (user risk policy or sign-in risk policy) configured in Microsoft Entra ID Protection will be retired on October 1, 2026. There's a chance your organization has already migrated to the Sign-in risk-based Conditional Access policy.
   • You can find your Conditional Access Policies within your MS Entra ID tenant -> Security -> Conditional Access.
   

Additional Links:

• Anomaly detection policies
• Sign-in risk detections - Anomalous Token
• What are risk detections? - Anomalous Token
• Sign-in risk-based Conditional Access policy
• Migrate risk policies to Conditional Access
• Microsoft Defender for Cloud Apps - How to investigate anomaly detection alerts
• Conditional Access: Token protection (preview)

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.