
Risky Users Report

Users flagged as at risk by Microsoft Entra ID Protection. Monitor user risk levels, investigate potential account compromise, and manage remediation workflows.

Overview

The Risky Users Report identifies user accounts that Entra ID Protection has flagged as potentially compromised. User risk is aggregated from individual risky sign-in detections and other risk signals to provide an overall risk assessment for each user.

Report Columns

| Column | Description |
| --- | --- |
| User | Display name and user principal name |
| Risk Level | Low, Medium, or High |
| Risk State | At Risk, Confirmed Compromised, Dismissed, or Remediated |
| Risk Last Updated | When the risk level was last evaluated |
| Last Sign-in | Most recent sign-in date |
| Risk Detections | Number of risk detections for the user |
| MFA Registered | Whether the user has MFA configured |
| Admin Account | Whether the user holds an admin role |
| Tenant | Which managed tenant the user belongs to |

Risk Levels

  • High — Multiple risk signals or strong compromise indicators; immediate action required
  • Medium — Moderate risk signals detected; investigation recommended
  • Low — Minor risk indicators; monitor the account

Warning: Admin accounts flagged as risky should be investigated immediately as they have elevated access to organizational resources.

Risk States

| State | Description |
| --- | --- |
| At Risk | User has active risk detections |
| Confirmed Compromised | Admin has confirmed the account is compromised |
| Dismissed | Admin has reviewed and dismissed the risk as a false positive |
| Remediated | User has completed remediation (password reset, MFA challenge) |

Remediation Workflow

  1. Review the user risk details and associated risk detections
  2. Determine if the risk is legitimate or a false positive
  3. If compromised, reset the user password and revoke active sessions
  4. Require MFA re-registration if authentication methods may be compromised
  5. Review recent activity for signs of data access or exfiltration
  6. Update the risk state after remediation is complete

Filters

  • Risk Level — High, Medium, Low
  • Risk State — At Risk, Confirmed, Dismissed, Remediated
  • Account Type — All users, Admins only, Non-admins only
  • MFA Status — Registered, Not Registered
  • Tenant — Filter by managed tenant

Graph API Data Sources

  • GET /identityProtection/riskyUsers
  • GET /identityProtection/riskyUsers/{id}/history
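
The following is an added example, not code from this product: it turns a `GET /identityProtection/riskyUsers` response into a review queue that follows the Risk Levels guidance and the admin-account warning above. The sample response is constructed, and `ADMIN_IDS`, `MFA_REGISTERED_IDS` and the tie-break ordering (users without MFA first, then most recently updated) are assumptions standing in for the report's Admin Account and MFA Registered columns.

```python
import json

# Constructed sample shaped like a GET /identityProtection/riskyUsers response.
SAMPLE_RESPONSE = json.loads("""
{"value": [
 {"id": "u1", "userPrincipalName": "alice@contoso.example", "riskLevel": "medium",
  "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-01T10:00:00Z"},
 {"id": "u2", "userPrincipalName": "bob@contoso.example", "riskLevel": "high",
  "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-02T08:30:00Z"},
 {"id": "u3", "userPrincipalName": "carol@contoso.example", "riskLevel": "low",
  "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-03T12:00:00Z"},
 {"id": "u4", "userPrincipalName": "dave@contoso.example", "riskLevel": "high",
  "riskState": "remediated", "riskLastUpdatedDateTime": "2024-04-28T09:00:00Z"}
]}
""")
# Assumed inputs: admin role holders and MFA-registered users come from separate lookups.
ADMIN_IDS = {"u3"}
MFA_REGISTERED_IDS = {"u1", "u3"}

LEVEL_RANK = {"high": 0, "medium": 1, "low": 2}
OPEN_STATES = {"atRisk", "confirmedCompromised"}  # states that still need work
ACTION = {"high": "immediate action", "medium": "investigate", "low": "monitor"}

def triage(response, admin_ids, mfa_ids):
    """Return open risky users ordered for review: admins first, then by risk
    level, then users without MFA, then most recently updated."""
    queue = []
    for u in response.get("value", []):
        if u.get("riskState") not in OPEN_STATES:
            continue  # dismissed / remediated rows need no further action
        level = u.get("riskLevel")
        is_admin = u["id"] in admin_ids
        queue.append({
            "upn": u["userPrincipalName"],
            "level": level,
            "admin": is_admin,
            "mfa": u["id"] in mfa_ids,
            # Per the warning above, a risky admin is urgent at any level.
            "action": "immediate action" if is_admin else ACTION.get(level, "review manually"),
            "updated": u.get("riskLastUpdatedDateTime", ""),
        })
    # Newest first, then a stable sort by priority keeps that order within a bucket.
    queue.sort(key=lambda r: r["updated"], reverse=True)
    queue.sort(key=lambda r: (not r["admin"], LEVEL_RANK.get(r["level"], 3), r["mfa"]))
    return queue

if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE, ADMIN_IDS, MFA_REGISTERED_IDS):
        print(row)
```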

API Reference

  • GET /api/reports/security/risky-users — Get risky users report
  • POST /api/reports/security/risky-users/{id}/dismiss — Dismiss user risk
  • POST /api/reports/security/risky-users/{id}/confirmCompromised — Confirm compromise
  • POST /api/reports/security/risky-users/export — Export report data