How To: Give risk feedback in Microsoft Entra ID Protection

Microsoft Entra ID Protection allows you to give feedback on its risk assessment. This document lists the scenarios in which you might want to give feedback on Microsoft Entra ID Protection's risk assessment and explains how Microsoft incorporates that feedback.

Your feedback helps us optimize detections in the future, improve their accuracy, and reduce false positives.

What is a detection?

An ID Protection detection is an indicator of suspicious activity from an identity risk perspective. These suspicious activities are called risk detections. Identity-based detections can be based on heuristics or machine learning, or can come from partner products. They're used to determine sign-in risk and user risk:

  • User risk represents the probability an identity is compromised.
  • Sign-in risk represents the probability a sign-in is compromised (for example, the identity owner didn't authorize the sign-in).

Why should I give risk feedback to risk assessments?

There are several reasons why you should give risk feedback:

  • You found Microsoft Entra ID Protection user or sign-in risk assessment incorrect. For example, a sign-in shown in Risky sign-ins report was benign and all the detections on that sign-in were false positives.
  • You validated that Microsoft Entra ID Protection user or sign-in risk assessment was correct. For example, a sign-in shown in Risky sign-ins report was indeed malicious and you want Microsoft Entra ID to know that all the detections on that sign-in were true positives.
  • You remediated the risk on that user outside of Microsoft Entra ID Protection and you want the user's risk level to be updated.

How does Microsoft use my risk feedback?

Microsoft uses your feedback to update the risk of the underlying user and/or sign-in and to improve the accuracy of these detections. This feedback helps secure the end user. For example, once you confirm a sign-in is compromised, Microsoft immediately raises the user's risk and the sign-in's aggregate risk (not its real-time risk) to high. If that user is in scope of a user risk policy that forces high-risk users to securely reset their passwords, they can self-remediate the next time they sign in.

Microsoft Entra ID Protection offers the following actions an administrator might take on risky sign-ins:

  • Confirm sign-in compromised - This action confirms the sign-in is a true positive. The sign-in is considered risky until remediation steps are taken.
  • Confirm sign-in safe - This action confirms the sign-in is a false positive. Similar sign-ins shouldn't be considered risky in the future.
  • Dismiss sign-in risk - This action is used for a benign true positive. The sign-in risk we detected is real, but not malicious, like those from a known penetration test or known activity generated by an approved application. Similar sign-ins should continue being evaluated for risk going forward.

Taking action at the user level applies to all the detections currently associated with that user. Microsoft Entra ID Protection offers the following actions an administrator might take on a risky user:

  • Confirm user compromised - This action confirms the user is a true positive and is currently at risk. The user is considered risky until remediation steps are taken.
  • Confirm user safe - This action resolves all risk on the user. Doing so removes risk and detections on this user and places it in learning mode to relearn the usage properties. You might use this option to mark false positives.
  • Dismiss user risk - This action is used for a benign true positive. This user risk we detected is real, but not malicious, like those from a known penetration test. Similar users should continue being evaluated for risk going forward.

Feedback on risk detections in ID Protection is processed offline and might take some time to update. The risk processing state column provides the current state of feedback processing.
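The user-level actions above, and the offline processing they trigger, can be driven from Microsoft Graph PowerShell instead of the portal. The following script is an added example, not code from the original article or from Microsoft: it reads a user's current risk record, submits either "Confirm user compromised" or "Dismiss user risk" (the two user-level actions exposed by the cmdlets used here), and then polls the risky-user record until ID Protection reports that the feedback has been processed. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed, that the signed-in administrator has been granted the IdentityRiskyUser.ReadWrite.All and User.Read.All permissions, and that the user principal name is a placeholder you replace.

```powershell
# Added example (not part of the original article): give user-level risk
# feedback via Microsoft Graph PowerShell and wait for offline processing.
# Assumes: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules,
# and an admin consented to IdentityRiskyUser.ReadWrite.All + User.Read.All.
Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'User.Read.All' -NoWelcome

$upn = 'alice@contoso.com'   # placeholder account, replace before running

# The riskyUser record shares its id with the user object, so resolve the UPN first.
$user  = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
$risky = Get-MgRiskyUser -RiskyUserId $user.Id

# riskState is one of: none, atRisk, confirmedCompromised, confirmedSafe,
# remediated, dismissed. riskDetail explains the last change (for example,
# adminConfirmedUserCompromised or adminDismissedAllRiskForUser).
"{0}: level={1} state={2} detail={3} processing={4}" -f `
    $user.UserPrincipalName, $risky.RiskLevel, $risky.RiskState, $risky.RiskDetail, $risky.IsProcessing

# Choose the feedback to give:
#   'Compromised' - true positive; raises user risk to high and keeps the user
#                   risky until remediated (for example, by a secure password reset).
#   'Dismiss'     - benign true positive (approved pen test, known tooling);
#                   clears the current risk but keeps evaluating future activity.
$action = 'Compromised'

switch ($action) {
    'Compromised' { Confirm-MgRiskyUserCompromised -UserIds @($user.Id) }
    'Dismiss'     { Invoke-MgDismissRiskyUser -UserIds @($user.Id) }
    default       { throw "Unknown action '$action'" }
}

# Feedback is processed offline. isProcessing stays $true until the new
# riskState and riskLevel have been written, so poll rather than assume.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $risky = Get-MgRiskyUser -RiskyUserId $user.Id
    "processing={0} state={1} level={2}" -f $risky.IsProcessing, $risky.RiskState, $risky.RiskLevel
} while ($risky.IsProcessing -and (Get-Date) -lt $deadline)

if ($risky.IsProcessing) { Write-Warning 'Feedback still processing after 10 minutes; check the Risky users report later.' }
```

Confirming a user compromised is the action you would script from an incident-response runbook once an analyst has validated the alert, because it also moves a user covered by a user risk policy into forced secure password reset on their next sign-in. Dismissal is the right call for planned red-team or penetration-test activity; it should be applied only to the accounts and window the test covered, since it clears the current risk on the user entirely.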