
Risky Users

Azure AD Identity Protection identifies users whose accounts may be compromised. Risky users have risk detections associated with their account that indicate potential credential theft or account takeover.

Warning: Identity Protection features including Risky Users require Azure AD Premium P2 or Microsoft 365 E5 licenses. Risk data is retained for 90 days.

Risk Dashboard

  • 12 — High Risk
  • 34 — Medium Risk
  • 89 — Low Risk
  • 2,341 — No Risk

Risky Users List

Each row in the list shows the following columns:

  • User — Display name and UPN
  • Risk Level — High, Medium, Low, or None
  • Risk State — At risk, Confirmed, Dismissed, Remediated
  • Risk Detections — Number of active detections
  • Last Risk Update — When risk was last calculated
  • User Type — Member or Guest

Risk Detections

Types of suspicious activity that contribute to user risk:

Leaked Credentials (High)

User’s credentials were found in a data breach on the dark web. Microsoft’s threat intelligence detected the leaked password hash.

Impossible Travel (Medium)

User signed in from two geographically distant locations in a time period that makes physical travel impossible (e.g., NYC to Tokyo in 1 hour).

Anonymous IP Address (Medium)

Sign-in from an IP address associated with an anonymous proxy, Tor, or a VPN commonly used to hide an attacker's location.

Malware-Linked IP (High)

Sign-in from an IP address known to be associated with malware or botnet command-and-control infrastructure.

Unfamiliar Sign-in Properties (Low)

Sign-in with properties (device, browser, location) not seen before for this user based on learned patterns.

Password Spray (High)

The user account was targeted in a password spray attack: multiple failed sign-in attempts using common passwords across many accounts.

Suspicious Inbox Manipulation (Medium)

Inbox rules were created that forward, delete, or hide incoming emails, a common post-compromise technique.

Risk States

At Risk

Active risk detections exist and the user may be compromised. Requires investigation.

Confirmed Compromised

Admin confirmed the account is compromised. Full remediation required.

Remediated

User completed password reset and MFA re-registration. Risk cleared.

Dismissed

Admin determined detections were false positives. Risk cleared.

Remediation Actions

Self-Remediation (User)

If a Conditional Access policy requires risk remediation, the user can self-remediate by:

  • Completing MFA challenge (for sign-in risk)
  • Performing password change (for user risk)

Admin Remediation

Admin can force remediation:

  • Reset user password
  • Revoke all sessions
  • Block sign-in temporarily
  • Require MFA re-registration
  • Confirm user compromised (highest risk)

Dismiss Risk

If detections are false positives (e.g., VPN causing impossible travel), admin can dismiss the risk to clear the user.

Risk-Based Conditional Access

Automate response to risky users with Conditional Access:

Example Policy: Require password change for risky users

  • Target: All users
  • Apps: All cloud apps
  • Condition: User risk level = High
  • Grant: Require password change

Note: Create policies for different risk levels. High risk — block or require immediate remediation. Medium risk — require MFA and password change.

Investigation Workflow

  1. Review Risk Detections — Understand what triggered the risk. Check detection type and time.
  2. Check Sign-in Logs — Look for suspicious sign-ins around detection time.
  3. Review Audit Logs — Check for suspicious actions (mailbox rules, file access).
  4. Contact User — Verify if activity was legitimate (VPN, travel).
  5. Take Action — Remediate, confirm compromised, or dismiss based on findings.
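The remediation guidance and investigation workflow above applied to a risky-users list, as an added example that is not part of the original page or the product's code. It assumes the list endpoint returns records with the keys user, riskLevel, riskState and detections (an assumption about the response shape); the sample response is constructed inline so the script runs offline.

```python
# Constructed sample of the assumed GET /api/security/risky-users response (key names assumed).
SAMPLE_RISKY_USERS = [
    {"user": "alice@example.com", "riskLevel": "High", "riskState": "At risk",
     "detections": ["Leaked Credentials", "Suspicious Inbox Manipulation"]},
    {"user": "bob@example.com", "riskLevel": "Medium", "riskState": "At risk",
     "detections": ["Impossible Travel"]},
    {"user": "carol@example.com", "riskLevel": "High", "riskState": "Remediated",
     "detections": []},
    {"user": "dave@example.com", "riskLevel": "Low", "riskState": "At risk",
     "detections": ["Unfamiliar Sign-in Properties"]},
    {"user": "eve@example.com", "riskLevel": "High", "riskState": "Confirmed",
     "detections": ["Password Spray"]},
]
# Lower value is handled first: confirmed compromise, then High, Medium, Low.
PRIORITY = {"Confirmed": 0, "High": 1, "Medium": 2, "Low": 3}

def plan_for(entry: dict) -> list[str]:
    """Return the remediation steps for one record, or [] if risk is cleared."""
    state, level = entry["riskState"], entry["riskLevel"]
    if state in ("Remediated", "Dismissed"):
        return []  # risk already cleared by the user or an admin
    if state == "Confirmed":  # full remediation required
        steps = ["reset password", "revoke all sessions", "require MFA re-registration"]
    elif level == "High":  # block or immediate remediation
        steps = ["block sign-in temporarily", "reset password", "revoke all sessions"]
    elif level == "Medium":  # MFA plus password change
        steps = ["require MFA", "require password change"]
    else:  # Low: investigate before acting
        steps = ["review sign-in logs around detection time"]
    # Detection-specific follow-ups taken from the investigation workflow.
    if "Suspicious Inbox Manipulation" in entry["detections"]:
        steps.append("review audit logs for mailbox rules")
    if "Impossible Travel" in entry["detections"]:
        steps.append("contact user to verify travel or VPN use")
    return steps

def triage(entries: list[dict]) -> list[dict]:
    """Order records most urgent first; records with no steps are dropped."""
    plans = []
    for e in entries:
        steps = plan_for(e)
        if steps:
            key = "Confirmed" if e["riskState"] == "Confirmed" else e["riskLevel"]
            plans.append({"user": e["user"], "priority": PRIORITY[key], "steps": steps})
    return sorted(plans, key=lambda p: (p["priority"], p["user"]))

if __name__ == "__main__":
    for p in triage(SAMPLE_RISKY_USERS):
        print(f'{p["user"]}: {", ".join(p["steps"])}')
```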

API Reference

  • GET /api/security/risky-users — List risky users with risk details
  • GET /api/security/risky-users/:id — Get specific user risk details
  • GET /api/security/risky-users/:id/detections — List risk detections for user
  • POST /api/security/risky-users/:id/dismiss — Dismiss user risk
  • POST /api/security/risky-users/:id/confirm-compromised — Confirm user is compromised