Describe Microsoft Entra ID Protection


Identity Protection is a tool that allows organizations to accomplish three key tasks:

  • Automate the detection and remediation of identity-based risks.
  • Investigate risks using data in the portal.
  • Export risk detection data to third-party utilities for further analysis.

Microsoft analyses trillions of signals per day to identify potential threats. These signals come from learnings Microsoft has acquired from their position in organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts, and in gaming with Xbox.

The signals generated by these services are fed to Identity Protection. These signals can then be used by tools such as Conditional Access, which uses them to make access decisions. Signals are also fed to security information and event management (SIEM) tools, such as Microsoft Sentinel, for further investigation.

Detect risks

With Identity Protection, risk can be detected at the user and sign-in level, can be categorized as low, medium, or high, and may be calculated in real-time or offline.

A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Here are just a few examples of the sign-in risks that Identity Protection in Microsoft Entra ID is able to identify:

  • Anonymous IP address. This risk detection type indicates a sign-in from an anonymous IP address; for example, a Tor browser or anonymized VPNs.
  • Atypical travel. This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
  • Unfamiliar sign-in properties. This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous locations used by a user, and considers these "familiar" locations. The risk detection is triggered when the sign-in occurs from a location that's not already in the list of familiar locations.
  • Microsoft Entra threat intelligence. This risk detection type indicates sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.

A user risk represents the probability that a given identity or account is compromised. Here are just a few examples of some of the user risks that Identity Protection in Microsoft Entra ID is able to identify:

  • Anomalous user activity. This risk detection baselines normal administrative user behavior in Microsoft Entra, and spots anomalous patterns of behavior like suspicious changes to the directory.
  • User reported suspicious activity. This risk detection is reported by a user who denied a multifactor authentication (MFA) prompt and reported it as suspicious activity. An MFA prompt that wasn't initiated by the user may mean that the user’s credentials have been compromised.
  • Leaked credentials. This risk detection type indicates that the user's valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on illicit markets. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they're checked against Microsoft Entra users' current valid credentials to find valid matches.
  • Microsoft Entra threat intelligence. This risk detection type indicates user activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.

Identity Protection only generates risk detections when correct credentials are used in the authentication request. If a user uses incorrect credentials, it will not be flagged by Identity Protection since there isn't a risk of credential compromise unless a bad actor uses the correct credentials. Risk detections can then trigger actions such as requiring users to provide multifactor authentication, reset their password, or block access until an administrator takes action.

Investigate risks

Identity Protection provides organizations with three reports that they can use to investigate identity risks in their environment. These reports are the risky users, risky sign-ins, and risk detections. Investigation of events is key to understanding and identifying any weak points in your security strategy.

  • Risk detections: Each risk detected is reported as a risk detection.
  • Risky sign-ins: A risky sign-in is reported when there are one or more risk detections reported for that sign-in.
  • Risky users: A Risky user is reported when either or both of the following are true:
    • The user has one or more Risky sign-ins.
    • One or more risk detections have been reported.

Screen capture showing details from a risky user report.


After completing an investigation, admins will want to take action to remediate the risk or unblock users. Organizations can enable automated remediation using their risk policies. For example, risk-based conditional access policies can be enabled to require access controls such as providing a strong authentication method, perform multifactor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.

When automated remediation isn't enabled, an administrator must manually review the identified risks in the reports through the portal, through the API, or in Microsoft 365 Defender. Administrators can perform manual actions to dismiss, confirm safe, or confirm compromise on the risks.


Data from Identity Protection can be exported to other tools for archive, further investigation, and correlation. The Microsoft Graph based APIs allow organizations to collect this data for further processing in tools such as a SIEM. The data can also be sent to a Log Analytics workspace, archived data to a storage account, streamed to Event Hubs, or solutions.

Workload identity

Microsoft Entra ID Protection has historically protected users in detecting, investigating, and remediating identity-based risks. We're now extending these capabilities to workload identities to protect applications and service principals.

A workload identity is an identity that allows an application or service principal access to resources. These workload identities differ from traditional user accounts as they:

  • Can’t perform multifactor authentication.
  • Often have no formal lifecycle process.
  • Need to store their credentials or secrets somewhere.

These differences make workload identities harder to manage and put them at higher risk for compromise.

Microsoft Entra ID Protection helps organizations manage this risk by providing workload identity risk detections across sign-in behavior and other indicators of compromise.