User Risk Report

Comprehensive user risk assessment combining identity protection signals, sign-in risk, and behavior analytics. Provides a unified view of user risk across all managed tenants.

Overview

The User Risk Report aggregates multiple risk signals for each user to provide a holistic risk assessment. This includes Entra ID Protection risk detections, anomalous behavior patterns, compliance violations, and data access anomalies. Use this report for proactive risk management and targeted remediation.

Report Columns

Risk Components

Identity Risk

• Risky sign-in detections from Entra ID Protection
• Failed MFA challenges
• Password spray or brute force targeting
• Leaked credential matches

Behavior Risk

• Unusual access times or patterns
• Access from new devices or locations
• Elevated privilege usage anomalies
• Mass file download or deletion activity

Compliance Risk

• DLP policy violations
• Sensitivity label policy overrides
• External sharing of restricted content
• Communication compliance violations

Data Risk

• Access to sensitive or classified content
• Large volume data exports
• External forwarding of sensitive emails
• Unauthorized application data access

Risk Scoring

Filters

• Risk Score — Filter by score range
• Risk Component — Identity, Behavior, Compliance, Data
• Risk Trend — Increasing, Stable, Decreasing
• Account Type — All users, Admins, Service Accounts
• Tenant — Filter by managed tenant

API Reference

• GET /api/reports/security/user-risk — Get user risk report
• GET /api/reports/security/user-risk/{userId} — Get risk details for a specific user
• GET /api/reports/security/user-risk/summary — Get risk summary across all users
• POST /api/reports/security/user-risk/export — Export report data