Knowing which users are at risk and why they're at risk is a key responsibility of security and identity administrators. The Risky user report in Microsoft Entra ID Protection provides the full report, along with a risk data summary and an activity timeline.
The Risky user report is also integrated with the Identity Risk Management Agent (Preview) for enhanced agent suggestions and insights. If you have the Identity Risk Management Agent enabled, you can switch between the standard view and the agent view of the report.
This article provides an overview of the information and actions available in the Risky user report.
Prerequisites
To access this report, you need:
- Microsoft Entra ID Free or Microsoft Entra ID P1 for limited data on users.
- Microsoft Entra ID P2 licenses for full access to the risky user data.
- Security Reader and Security Operator are the least privileged roles required to use the standard view of the report.
- Security Administrator is required to use the agent view of the report and access the Identity Risk Management Agent features.
- User Administrator is required to reset passwords.
Risky user report
The standard view of the Risky user report contains three main sections: the summary chart of risky users at each level, new risky users per day, and the full list of risky users. If you have the Identity Risk Management Agent turned on, you can use the Agent view to see agent suggestions and insights.
The Percentage of risky users at each risk level chart shows a visual representation of your users and their risk levels. This visual summary allows you to quickly see the state of things in your organization. Hover over each segment of the chart to see the percentage of users at each risk level.
The New risky users per day chart shows a timeline of when risky users were detected in your organization. The chart also indicates if risk was remediated by the user or an administrator. Hover over any point in the chart to see the breakdown of the risky users and remediation activity.
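The following added example (not part of the original article and not Microsoft's code) recomputes the two summary charts from exported risky-user records, which is useful when the same numbers are needed in a SIEM or a scheduled report. It assumes records shaped like Microsoft Graph `riskyUser` objects; the sample records, the grouping of `riskDetail` values into user and administrator remediation, and the use of `riskLastUpdatedDateTime` as the chart day are assumptions of this example, so the portal's own figures may differ.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records shaped like Microsoft Graph riskyUser objects.
SAMPLE = [
    {"userPrincipalName": "a@contoso.example", "riskLevel": "high", "riskState": "atRisk",
     "riskDetail": "none", "riskLastUpdatedDateTime": "2024-05-01T08:15:00Z"},
    {"userPrincipalName": "b@contoso.example", "riskLevel": "medium", "riskState": "atRisk",
     "riskDetail": "none", "riskLastUpdatedDateTime": "2024-05-01T19:40:00Z"},
    {"userPrincipalName": "c@contoso.example", "riskLevel": "high",
     "riskState": "confirmedCompromised", "riskDetail": "adminConfirmedUserCompromised",
     "riskLastUpdatedDateTime": "2024-05-02T10:05:00Z"},
    {"userPrincipalName": "d@contoso.example", "riskLevel": "none", "riskState": "remediated",
     "riskDetail": "userPerformedSecuredPasswordReset",
     "riskLastUpdatedDateTime": "2024-05-02T11:30:00Z"},
    {"userPrincipalName": "e@contoso.example", "riskLevel": "none", "riskState": "dismissed",
     "riskDetail": "adminDismissedAllRiskForUser",
     "riskLastUpdatedDateTime": "2024-05-03T09:00:00Z"},
]

# Assumption: which riskState values count as "currently risky".
ACTIVE = {"atRisk", "confirmedCompromised"}
# Assumption: how riskDetail values split into user vs. administrator remediation.
USER_REMEDIATED = {"userPerformedSecuredPasswordChange", "userPerformedSecuredPasswordReset",
                   "userPassedMFADrivenByRiskBasedPolicy"}
ADMIN_REMEDIATED = {"adminGeneratedTemporaryPassword", "adminDismissedAllRiskForUser"}

def risk_level_percentages(users):
    """Share of currently risky users at each risk level, in percent."""
    counts = Counter(u["riskLevel"] for u in users if u["riskState"] in ACTIVE)
    total = sum(counts.values())
    return {level: round(100 * n / total, 1) for level, n in counts.items()} if total else {}

def daily_timeline(users):
    """Per-day counts of still-risky, user-remediated and admin-remediated users."""
    days = defaultdict(lambda: {"risky": 0, "user_remediated": 0, "admin_remediated": 0})
    for u in users:
        stamp = u["riskLastUpdatedDateTime"].replace("Z", "+00:00")
        day = datetime.fromisoformat(stamp).date().isoformat()
        if u["riskDetail"] in USER_REMEDIATED:
            days[day]["user_remediated"] += 1
        elif u["riskDetail"] in ADMIN_REMEDIATED:
            days[day]["admin_remediated"] += 1
        elif u["riskState"] in ACTIVE:
            days[day]["risky"] += 1
    return dict(sorted(days.items()))
```
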
The lower half of the report contains the full list of risky users.
- Select the name of a risky user to see their risk details.
- Select the checkbox next to one or more users to take action, such as confirm compromise or dismiss the risk.
- If action options are greyed out, you need a higher privileged role. For more information, see What is Microsoft Entra ID Protection.
Risky user details
From the Risky User Details page, you can take actions such as dismissing the risk or resetting the user's password.
From the Risky users report, select a user to view more details about their risk events and even take action on that user.
The details include basic information about the user and a timeline of recent risk activities. The Timeline section provides a chronological view of risk events associated with the user. The timeline shows when the risk was detected, the risk level, and the type of risk detected.
To see risk sign-in events together with risky user events, select the Aggregate risk signals by risky sign-ins checkbox.
Unified risk signals (Preview)
Microsoft Entra ID Protection now correlates signals from Microsoft Defender and other sources to provide unified risk signals for user risk detections. This preview feature enhances your risk detection capabilities by calculating a comprehensive Identity Risk Score based on multiple identity signals. This option must be enabled in settings.
You can view unified risk signals in both the standard view and agent view of the Risky user report. Select a user from the list to see details for each linked account associated with a risky user, helping you understand the full scope of risk across a user's identity, including linked accounts. When the Identity Risk Score is raised, the Microsoft Entra score is also raised using the unified risk signals, which can automatically trigger your risk-based Conditional Access policies.
The Identity Risk Score appears within the context of a selected user from the risky user report. The score, risk summary, and links to investigate further are provided to help you understand the risk and take appropriate action. Select the View full report in Microsoft Defender link to see the correlated signals in Microsoft Defender for Identity and investigate the risky user further.
Take action on a risky user
Taking action on the user level applies to all the detections currently associated with that user. If the action buttons are greyed out, you need a higher privileged role. Administrators can take action on users and choose to:
- Reset password - This action revokes the user's current sessions.
- Confirm user compromised - This action is taken on a true positive. ID Protection sets the user risk to high and adds a new detection, Admin confirmed user compromised. The user is considered risky until remediation steps are taken.
- Confirm user safe - This action is taken on a false positive. Doing so removes risk and detections on this user and places the user in learning mode to relearn the usage properties. You might use this option to mark false positives.
- Dismiss user risk - This action is taken on a benign positive user risk. The user risk we detected is real, but not malicious, like those from a known penetration test. Similar users should continue being evaluated for risk going forward.
- Block user - This action blocks a user from signing in if an attacker has access to the password or the ability to perform MFA.
- Investigate with Microsoft 365 Defender - This action takes administrators to the Microsoft Defender portal to allow an administrator to investigate further.