Knowing which users are at risk and why they're at risk is a key responsibility of security and identity administrators. The Risky user report in Microsoft Entra ID Protection provides the full report, along with a risk data summary, and an activity timeline. The Risky user report is also integrated with the Identity Risk Management Agent (Preview) for enhanced agent suggestions and insights ...
In this tutorial, you learn how to enable Microsoft Entra ID Protection to protect users when risky sign-in behavior is detected on their account.
If a user has risky user sign-in behavior, or their credentials were leaked, ID Protection uses these signals to calculate the user risk level. Administrators can configure risk-based Conditional Access policies to enforce access controls based on user risk, including requirements such as:
Most users have normal behavior that can be tracked. When their behavior falls outside this norm, it might be risky to let them sign in. You might want to block the user or ask them to complete multifactor authentication to confirm their identity. Sign-in risk represents the likelihood that an authentication request isn't from the identity owner. Organizations with Microsoft Entra ID P2 ...
Learn how to investigate risky users, detections, and sign-ins in Microsoft Entra ID Protection.
Learn how to configure user self-remediation and manually remediate risky users in Microsoft Entra ID Protection.
View the risky agent report The Risky Agents report provides a list of all agents that were flagged for risky behavior. A summary of risky agents appears on the ID Protection Dashboard. This snapshot view provides an overview of the number of agents flagged for risk by risk level. Select View risky agents to open the full report.
The Identity Risk Management Agent (Preview) in Microsoft Entra ID Protection provides proactive risk management capabilities by analyzing the risky identities and suggesting actions to remediate them. By using a Large Language Model, the agent helps security administrators review and respond to risky activities before they lead to security incidents.