Knowing which users are at risk and why they're at risk is a key responsibility of security and identity administrators. The Risky user report in Microsoft Entra ID Protection provides the full report, along with a risk data summary, and an activity timeline. The Risky user report is also integrated with the Identity Risk Management Agent (Preview) for enhanced agent suggestions and insights ...
In this tutorial, you learn how to enable Microsoft Entra ID Protection to protect users when risky sign-in behavior is detected on their account.
Learn how to investigate risky users, detections, and sign-ins in Microsoft Entra ID Protection.
If a user has risky user sign-in behavior, or their credentials were leaked, ID Protection uses these signals to calculate the user risk level. Administrators can configure risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as:
Risk detections are a powerful resource that can include any suspicious or anomalous activity related to user accounts and service principals in the directory. ID Protection risk detections can be linked to an individual user or sign-in event and contribute to the overall user risk score found in the Risky users report.
View the risky agent report The Risky Agents report provides a list of all agents that were flagged for risky behavior. A summary of risky agents appears on the ID Protection Dashboard. This snapshot view provides an overview of the number of agents flagged for risk by risk level. Select View risky agents to open the full report.
For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to view and manage risky users.