Knowing which users are at risk, and why, is a key responsibility of security and identity administrators. The Risky users report in Microsoft Entra ID Protection provides the full report along with a risk data summary and an activity timeline. The Risky users report is also integrated with the Identity Risk Management Agent (Preview) for enhanced agent suggestions and insights ...
In this tutorial, you learn how to enable Microsoft Entra ID Protection to protect users when risky sign-in behavior is detected on their account.
Learn how to investigate risky users, detections, and sign-ins in Microsoft Entra ID Protection.
I understand that users are being locked out by risky sign-ins. User risk detections might flag a legitimate user account as at risk when a potential threat actor gains access to the account by compromising its credentials, or when some type of anomalous user activity is detected.
Risk detections are a powerful resource that can include any suspicious or anomalous activity related to user accounts and service principals in the directory. ID Protection risk detections can be linked to an individual user or sign-in event and contribute to the overall user risk score found in the Risky users report.
If a user shows risky sign-in behavior, or their credentials were leaked, ID Protection uses these signals to calculate the user risk level. Administrators can configure risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as:
Learn how to configure user self-remediation and manually remediate risky users in Microsoft Entra ID Protection.
Configure Diagnostic Settings for Risky Sign-Ins or Risky Users and send the events/logs to a Log Analytics workspace, event hub, or storage account. Query the risky activities in the Log Analytics workspace. Create a custom detection rule in Microsoft Sentinel and trigger a playbook, or use Logic Apps or Power Automate to disable the flagged account.
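An added example of the query step above, not from the original page or the product documentation: once the RiskyUsers and UserRiskEvents diagnostic categories are streaming to Log Analytics, a KQL query like this (the table and column names AADRiskyUsers, AADUserRiskEvents, RiskLevel, RiskState, RiskDetail and RiskEventType are assumed to match your workspace schema) lists users who are currently high risk and unremediated, together with the detections behind that score, which is the result set a Sentinel analytic rule would hand to a playbook.

```kql
// Added example: find users currently at high risk and the detections
// that raised their risk, as input for a Sentinel analytic rule.
// Assumed tables: AADRiskyUsers (RiskyUsers category) and
// AADUserRiskEvents (UserRiskEvents category).
let lookback = 1h;
// Latest risk record per user; only unremediated high-risk users.
let risky =
    AADRiskyUsers
    | where TimeGenerated > ago(lookback)
    | where RiskLevel == "high" and RiskState == "atRisk"
    | summarize arg_max(RiskLastUpdatedDateTime, *) by UserPrincipalName
    | project UserPrincipalName, UserDisplayName, RiskLevel, RiskState,
              RiskDetail, RiskLastUpdatedDateTime;
// Detection types seen for each user over the last day, for triage context.
let detections =
    AADUserRiskEvents
    | where TimeGenerated > ago(1d)
    | summarize Detections = make_set(RiskEventType),
                LastDetection = max(DetectedDateTime)
      by UserPrincipalName;
risky
| join kind=leftouter detections on UserPrincipalName
| project UserPrincipalName, UserDisplayName, RiskLevel, RiskState,
          RiskDetail, RiskLastUpdatedDateTime, Detections, LastDetection
```

Run the analytic rule on a schedule no longer than the lookback window so a user is not picked up twice, and have the playbook re-check that RiskState is still atRisk before disabling the account, since a user may already have self-remediated or an administrator may have dismissed the risk.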