
Risky Sign-Ins Report

Sign-in events flagged as risky by Microsoft Entra ID Protection. Monitor suspicious authentication attempts, investigate potential account compromise, and take remediation actions.

Overview

The Risky Sign-Ins Report displays all sign-in events that Entra ID Protection has identified as potentially compromised. Risk is assessed based on factors such as impossible travel, unfamiliar locations, malware-linked IP addresses, and anomalous sign-in properties.

Report Columns

Column          Description
Date/Time       When the risky sign-in occurred
User            User principal name and display name
IP Address      Source IP address of the sign-in
Location        Geographic location based on IP
Risk Level      Low, Medium, or High
Risk State      At Risk, Confirmed Compromised, Dismissed, or Remediated
Risk Detail     Specific risk detection type
Application     Target application
Device          Device and browser information
MFA Satisfied   Whether MFA was completed

Risk Detection Types

  • Impossible travel — Sign-ins from distant locations in an impossible time frame
  • Unfamiliar sign-in properties — Sign-in from a new device, location, or network
  • Malware-linked IP — Sign-in from an IP associated with malware activity
  • Anonymous IP — Sign-in from a Tor or VPN anonymizer
  • Password spray — Multiple failed attempts consistent with spray attacks
  • Leaked credentials — User credentials found in known data breaches
  • Anomalous token — Unusual token characteristics detected

Risk Levels

  • High — Strong indicators of compromise; immediate investigation recommended
  • Medium — Suspicious activity detected; review and monitor
  • Low — Minor anomaly detected; may be benign

Remediation Actions

  1. Require password change — Force the user to reset their password
  2. Require MFA — Require re-authentication with MFA
  3. Block sign-in — Temporarily block the user account
  4. Confirm compromised — Mark the account as compromised for investigation
  5. Dismiss — Mark as false positive after investigation

Filters

  • Date Range — Last 24 hours, 7 days, 30 days, or custom
  • Risk Level — High, Medium, Low
  • Risk State — At Risk, Confirmed, Dismissed, Remediated
  • Detection Type — Filter by specific risk detection
  • Tenant — Filter by managed tenant

Graph API Data Sources

  • GET /identityProtection/riskySignIns (deprecated; superseded by riskDetections)
  • GET /identityProtection/riskDetections
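As an added example (not the product's own code), the following Python shows how the report's Date Range, Risk Level and Detection Type filters translate into an OData $filter for GET /identityProtection/riskDetections, and how riskDetection records map onto the report columns and the triage guidance above. The sample response is constructed, field names follow the Graph riskDetection resource, and the Application, Device and MFA Satisfied columns are assumed to be joined from the sign-in log separately.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample of two riskDetection records, shaped like a Graph response.
SAMPLE_RESPONSE = {"value": [
    {"riskEventType": "unlikelyTravel", "riskLevel": "high", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example", "userDisplayName": "Alice Example",
     "ipAddress": "203.0.113.10", "detectedDateTime": "2024-05-01T10:15:00Z",
     "location": {"city": "Oslo", "countryOrRegion": "NO"}},
    {"riskEventType": "anonymizedIPAddress", "riskLevel": "low", "riskState": "dismissed",
     "userPrincipalName": "bob@contoso.example", "userDisplayName": "Bob Example",
     "ipAddress": "198.51.100.7", "detectedDateTime": "2024-04-20T08:00:00Z",
     "location": {}},
]}

# Graph riskEventType value -> the detection label this report shows.
DETECTION_LABELS = {
    "unlikelyTravel": "Impossible travel", "unfamiliarFeatures": "Unfamiliar sign-in properties",
    "malwareInfectedIPAddress": "Malware-linked IP", "anonymizedIPAddress": "Anonymous IP",
    "passwordSpray": "Password spray", "leakedCredentials": "Leaked credentials",
    "anomalousToken": "Anomalous token",
}
# Triage guidance per risk level, as documented under Risk Levels above.
TRIAGE = {"high": "immediate investigation", "medium": "review and monitor", "low": "may be benign"}

def build_filter(days, risk_levels=(), detection_types=(), now=None):
    """OData $filter string for GET /identityProtection/riskDetections."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    clauses = [f"detectedDateTime ge {since}"]
    if risk_levels:
        clauses.append("(" + " or ".join(f"riskLevel eq '{r}'" for r in risk_levels) + ")")
    if detection_types:
        clauses.append("(" + " or ".join(f"riskEventType eq '{t}'" for t in detection_types) + ")")
    return " and ".join(clauses)

def to_report_rows(response):
    """Map riskDetection records onto the report columns riskDetections supplies.
    Application, Device and MFA Satisfied come from the sign-in log and are not here."""
    rows = []
    for d in response["value"]:
        loc = d.get("location") or {}
        place = ", ".join(v for v in (loc.get("city"), loc.get("countryOrRegion")) if v)
        rows.append({
            "datetime": d["detectedDateTime"],
            "user": f'{d["userDisplayName"]} ({d["userPrincipalName"]})',
            "ip": d["ipAddress"], "location": place or "Unknown",
            "risk_level": d["riskLevel"].capitalize(), "risk_state": d["riskState"],
            "risk_detail": DETECTION_LABELS.get(d["riskEventType"], d["riskEventType"]),
            "triage": TRIAGE.get(d["riskLevel"], "unknown"),
        })
    return rows
```

Paging (@odata.nextLink) and the signIns join are left out; a record whose riskEventType is not in DETECTION_LABELS is passed through unchanged so new Graph detection types are not silently dropped.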

API Reference

  • GET /api/reports/security/risky-sign-ins — Get risky sign-ins report
  • POST /api/reports/security/risky-sign-ins/{id}/remediate — Take action on a risky sign-in
  • POST /api/reports/security/risky-sign-ins/export — Export report data