
Identity protection

Roger Roger 7,571 Reputation points
2026-04-07T04:28:20.45+00:00

In Microsoft Entra ID under Identity Protection, within the Reports section, we see Risky Users and Risky Sign-ins.

Can anyone please explain the scenarios under which:

  • a user is classified as a High-risk user, and
  • a sign-in is classified as a Risky sign-in?
Microsoft Security | Microsoft Identity Manager

Answer accepted by question author
  Q&A Assist
    2026-04-07T04:28:36.3966667+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    A user and a sign-in are classified as risky by Microsoft Entra ID Protection based on built‑in risk detections that analyze sign‑in behavior and account activity.

    When a sign-in is classified as a risky sign-in

    A sign-in becomes a risky sign-in when one or more risk detections are reported for that specific sign-in. During each sign-in, ID Protection evaluates real-time detections and assigns a sign-in session risk level that reflects how likely it is that the sign-in has been compromised. Examples of behaviors that can trigger sign-in risk include:

    • Sign-ins from anonymous IP addresses
    • Sign-ins from IP addresses with suspicious activity
    • Sign-ins from unfamiliar locations
    • Impossible travel to atypical locations
    • Sign-ins from infected devices
    • Users with leaked credentials attempting to sign in

    If any such detection fires for a sign-in, it appears in the Risky sign-ins report with associated details such as:

    • Application accessed
    • Conditional Access policies applied
    • MFA details
    • Device, application, and location information
    • Risk state, risk level, and detection source

    ID Protection evaluates risk for both interactive and non‑interactive sign-ins, and the Risky sign-ins report shows both (filterable by sign-in type).

    When a user is classified as a risky / high‑risk user

    A risky user is reported when either (or both) of the following are true:

    1. The user has one or more risky sign-ins.
    2. One or more risk detections are reported directly on the account (for example, leaked credentials) even outside a specific sign-in.

    The user’s user risk level (Low/Medium/High) is derived from the aggregate of these detections and their severity. A user is effectively a high‑risk user when ID Protection assesses that the likelihood the identity is compromised is high based on:

    • The presence and type of account‑level risks (for example, leaked credentials)
    • The number and severity of associated risky sign-ins
    • Any admin actions such as Confirm user compromised, which explicitly sets user risk to High and adds an “Admin confirmed user compromised” detection. The user remains risky until remediation (for example, secure password reset) is completed.

    In the Risky users report, each risky user entry reflects this aggregated view of risk across all detections and sign-ins tied to that identity.

    How this is used by policies

    • User risk policy uses the user’s risk level (including High) to trigger actions such as forcing a secure password change.
    • Sign-in risk policy uses the sign-in risk level to trigger actions such as requiring multifactor authentication (MFA).

    These policies can be configured with thresholds (Low/Medium/High) depending on how aggressively to respond to suspicious users and sign-ins.

