Risk Detections
Monitor and investigate security risk detections from Microsoft Entra ID Protection. Risk detections identify suspicious activities and potential compromises on user accounts, including sign-in anomalies, impossible travel, and credential exposures.
Warning: Risk detections are powered by Microsoft’s threat intelligence, analyzing billions of sign-ins daily to identify patterns associated with known attack techniques.
Detection Types
Sign-in Risk Detections
Detections tied to a specific sign-in attempt. Some are evaluated in real time as the sign-in happens; others (password spray, impossible travel) are computed offline shortly afterward:
Anonymous IP Address
Sign-in from an IP address known as an anonymizer: a Tor exit node, anonymous VPN, or anonymizing proxy service.
Atypical Travel
Sign-in from a location that is unusual for this user when compared with their recent sign-in history.
Impossible Travel
Two sign-ins from geographically distant locations within a window shorter than the time needed to travel between them.
Malware-Linked IP
Sign-in from an IP address known to be communicating with malware or botnet infrastructure.
Unfamiliar Sign-in Properties
Sign-in with a browser, device, client app, or location not previously seen for this user.
Password Spray
Many accounts attacked with a small set of common passwords, spread across users to stay under lockout thresholds.
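The impossible-travel rule above is easy to reason about when you see it run over real-shaped data. The following is an added example (not the product's or Microsoft's detection code): it computes the great-circle distance between consecutive sign-ins per user and flags any pair whose implied speed exceeds a ceiling. The sample events, their coordinates and the 900 km/h ceiling are constructed assumptions for illustration.

```python
"""Impossible-travel check over sign-in events.

Added example, not the product's or Microsoft's own detection code. The events
below are constructed sample data shaped like the Detections List columns; the
coordinates per IP and the 900 km/h ceiling (roughly airline speed) are
assumptions chosen for illustration.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than a jet means "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    Each event is a dict with keys user, time (ISO 8601 with offset), lat, lon, ip.
    Returns one finding per offending pair, carrying the evidence an analyst needs.
    """
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist == 0:
                continue  # same place twice is never impossible travel
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            # Two sign-ins at the same instant from different places: infinite speed.
            # Avoid dividing by zero and flag it outright.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "distance_km": round(dist, 1),
                    "hours": round(hours, 2),
                    "implied_kmh": speed if speed == float("inf") else round(speed, 1),
                })
    return findings


# Constructed sample sign-ins (documentation IP ranges, not real traffic).
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "time": "2024-05-01T09:00:00+00:00",
     "lat": 40.7128, "lon": -74.0060, "ip": "203.0.113.10"},   # New York
    {"user": "alice@contoso.example", "time": "2024-05-01T10:30:00+00:00",
     "lat": 51.5074, "lon": -0.1278, "ip": "198.51.100.7"},    # London, 90 min later
    {"user": "bob@contoso.example", "time": "2024-05-01T08:00:00+00:00",
     "lat": 47.6062, "lon": -122.3321, "ip": "203.0.113.20"},  # Seattle
    {"user": "bob@contoso.example", "time": "2024-05-01T11:00:00+00:00",
     "lat": 45.5152, "lon": -122.6784, "ip": "203.0.113.21"},  # Portland, 3 h later
]

if __name__ == "__main__":
    for finding in detect_impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Alice's New York to London hop (about 5,570 km in 90 minutes, roughly 3,700 km/h) is flagged; Bob's Seattle to Portland drive is not. The production detection also accounts for known VPN egress points and the user's travel history, which is why the same pair of locations can surface as Atypical Travel rather than Impossible Travel.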
User Risk Detections
Detected offline, after the sign-in, from behavioural analysis and external sources. Entra ID Protection itself classifies suspicious inbox rules and anomalous token as offline sign-in risk detections; they are grouped here with the other after-the-fact detections:
Leaked Credentials
The user's valid username and password have been found in a public credential dump, on the dark web, or on paste sites.
Azure AD Threat Intelligence (now Microsoft Entra threat intelligence)
Microsoft's internal threat intelligence indicates activity on this user that is consistent with known attack patterns.
Suspicious Inbox Rules
Inbox manipulation or forwarding rules that match patterns attackers use to hide or exfiltrate mail, such as forwarding to an external address or deleting security notifications.
Anomalous Token
Token with abnormal characteristics, such as an unusual lifetime or use from an unfamiliar location, suggesting the token was stolen and replayed.
Risk Levels
High
Strong indication of compromise. Account likely actively targeted or credentials confirmed leaked. Immediate action required.
Examples: Confirmed credential leak, threat intelligence alert
Medium
Suspicious activity detected but not conclusively malicious. Investigation recommended before remediation.
Examples: Atypical travel, unfamiliar properties
Low
Minor anomaly that may well be legitimate user behavior. No immediate action is required, but keep it in view: a cluster of low-risk detections on one user, or on many users at once, can be the first sign of reconnaissance.
Examples: New location, different device type
Detections List
| Column | Description |
|---|---|
| Detection Type | Category of risk detection |
| User | Affected user principal name |
| Risk Level | High, Medium, or Low severity |
| Risk State | At risk, Remediated, Dismissed |
| Detection Time | When the risk was first detected |
| Location | Geographic location of activity |
| IP Address | Source IP of suspicious activity |
Detection Details
Sign-in Information
Device, browser, operating system, and client app used. Correlation ID for linking to sign-in logs.
Location Context
IP geolocation, ASN information, whether IP is known proxy or VPN. Historical sign-in locations for comparison.
Additional Risk Factors
Other active detections on same user, related sign-in events, organization-wide attack campaigns.
Risk State Management
Confirm Compromise
Marks the detection as a true positive and raises the user's risk level to High. Any configured user risk policy then fires, typically forcing a password change and revoking existing sessions and refresh tokens.
Dismiss Risk
Marks the detection as a false positive or as already handled; the risk state changes to Dismissed. This is feedback to the detection model, so dismiss only after the activity has been verified with the user or explained by other evidence.
Remediate User
Forces a password reset, or records that the user has already remediated. The user's risk level clears once a secure password change has completed (self-service reset with MFA, or an admin-initiated reset).
Block User
Prevents all new sign-ins until the investigation is complete. Use for high-confidence compromise situations. Blocking stops new token issuance but does not invalidate access tokens already in hand, so pair it with session revocation when you suspect active token theft.
Automated Response
Configure risk-based conditional access policies to automatically respond to detections:
- High Risk Sign-in — Block access or require MFA + password change
- Medium Risk Sign-in — Require MFA challenge
- High Risk User — Block until password reset completed
- Medium Risk User — Require secure password reset
Investigation Workflow
- Review Detection Details — Examine detection type, timing, and location context.
- Check Sign-in Logs — Correlate with full sign-in log entry for additional context.
- Contact User — Verify whether the activity was legitimate through an out-of-band channel (phone call or in person), never through the possibly compromised mailbox or chat account.
- Take Action — Confirm compromise, dismiss, or remediate based on findings.
- Document Findings — Record investigation outcome for audit trail.
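The five steps above, driven through the endpoints listed under API Reference, as an added example that is not the product's own SDK. The page does not define a wire format, so the JSON field names (id, detection_type, user, risk_level, risk_state, detection_time, correlation_id), the {"reason": ...} request body for confirm and dismiss, the bearer-token header and BASE_URL are all assumptions. The transport is injectable: http_transport talks to a real console over HTTPS, while FakeTransport serves constructed sample detections so the workflow runs offline.

```python
"""Investigation workflow driven through the risk-detections API (added example,
not the product's SDK; field names, request bodies, BASE_URL and the bearer
header are assumptions, since the page does not define a wire format)."""
import json
import urllib.request
from datetime import datetime, timezone

BASE_URL = "https://console.example.invalid"  # assumption: your console host
API_PATH = "/api/security/risk-detections"
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def http_transport(method, url, headers, body):
    """Real transport: JSON over HTTPS via urllib; returns the parsed response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def call_api(transport, token, method, suffix="", body=None):
    """One request against the API, e.g. call_api(t, tok, "POST", "/d1/dismiss", {...})."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    return transport(method, BASE_URL.rstrip("/") + API_PATH + suffix, headers, body)


def triage_order(detections):
    """At-risk first, High before Low, then users with several active detections first."""
    active = {}
    for d in detections:
        if d["risk_state"] == "At risk":
            active[d["user"]] = active.get(d["user"], 0) + 1
    return sorted(detections, key=lambda d: (
        0 if d["risk_state"] == "At risk" else 1, RISK_ORDER.get(d["risk_level"], 3),
        -active.get(d["user"], 0), d["detection_time"]))


def decide(detection, user_verdict):
    """user_verdict: True = user confirmed the activity out of band, False = denied, None =
    unreachable. Assumed policy: silence never clears a detection; unreachable High-risk
    users are escalated for a block rather than auto-confirmed."""
    if user_verdict is True:
        return "dismiss"
    if user_verdict is False:
        return "confirm"
    return "escalate" if detection["risk_level"] == "High" else "investigate"


def run_investigation(transport, token, verify_with_user):
    """Steps 1-5 of the workflow; returns the audit trail (step 5)."""
    def api(method, suffix="", body=None):
        return call_api(transport, token, method, suffix, body)
    audit = []
    for det in triage_order(api("GET")):
        if det["risk_state"] != "At risk":
            continue  # already remediated or dismissed
        details = api("GET", "/" + det["id"])  # steps 1-2: detail incl. correlation ID
        verdict = verify_with_user(det["user"], details)  # step 3: out-of-band contact
        action = decide(det, verdict)  # step 4
        if action == "dismiss":
            api("POST", "/" + det["id"] + "/dismiss", {"reason": "activity verified with user"})
        elif action == "confirm":
            api("POST", "/" + det["id"] + "/confirm", {"reason": "user denied the activity"})
        audit.append({"id": det["id"], "user": det["user"], "type": det["detection_type"],
                      "correlation_id": details.get("correlation_id"), "user_verdict": verdict,
                      "action": action, "recorded_at": datetime.now(timezone.utc).isoformat()})
    return audit


def _det(id_, typ, user, level, state, when):  # builder for the constructed sample below
    return {"id": id_, "detection_type": typ, "user": user, "risk_level": level,
            "risk_state": state, "detection_time": when}


# Constructed sample detections, shaped like the Detections List columns.
SAMPLE_DETECTIONS = [
    _det("d1", "Leaked Credentials", "alice@contoso.example", "High", "At risk", "2024-05-01T09:05:00Z"),
    _det("d2", "Atypical Travel", "bob@contoso.example", "Medium", "At risk", "2024-05-01T08:00:00Z"),
    _det("d3", "Unfamiliar Sign-in Properties", "alice@contoso.example", "Low", "At risk", "2024-05-01T09:10:00Z"),
    _det("d4", "Anonymous IP Address", "carol@contoso.example", "Medium", "Dismissed", "2024-04-30T12:00:00Z"),
]


class FakeTransport:
    """Offline stand-in for http_transport: serves SAMPLE_DETECTIONS and records calls."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        suffix = url.split(API_PATH, 1)[1]
        if suffix == "":
            return SAMPLE_DETECTIONS
        det_id = suffix.strip("/").split("/")[0]
        if suffix.endswith(("/dismiss", "/confirm")):
            return {"id": det_id, "accepted": True}
        det = next(d for d in SAMPLE_DETECTIONS if d["id"] == det_id)
        return dict(det, correlation_id="corr-" + det_id, ip_address="203.0.113.10")


def demo():
    """Run the workflow offline: alice denies her activity, bob confirms his travel."""
    transport = FakeTransport()
    verdicts = {"alice@contoso.example": False, "bob@contoso.example": True}
    audit = run_investigation(transport, "example-token", lambda user, _d: verdicts.get(user))
    return audit, transport.calls
```

Running demo() works the three active detections in triage order (alice's High leaked-credential detection first, then bob's Medium atypical travel, then alice's Low unfamiliar-properties detection), confirms both of alice's, dismisses bob's, skips carol's already-dismissed entry, and returns an audit record per detection carrying the correlation ID for the sign-in log. Swap FakeTransport for http_transport and a real token to run it against a console; the verify_with_user callback is where your out-of-band check (a phone call, a ticket) plugs in.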
Best Practices
- Configure automated policies — Set up risk-based conditional access to respond immediately to high-risk events.
- Review detections regularly — Investigate medium and low risk detections to catch attacks early.
- Provide feedback on detections — Confirm or dismiss detections to improve detection accuracy over time.
- Don’t ignore low risk — Attackers often trigger low risk detections during reconnaissance phases.
API Reference
- GET /api/security/risk-detections — List all risk detections
- GET /api/security/risk-detections/:id — Get detection details
- POST /api/security/risk-detections/:id/dismiss — Dismiss a risk detection
- POST /api/security/risk-detections/:id/confirm — Confirm user compromise
- GET /api/security/risk-detections/summary — Get detection counts by type and severity