Share via

Entra ID Protection Weekly Digest shows risky sign-ins, but Entra Portal reports show none

Joel Sabine 25 Reputation points
2026-06-03T00:13:55.5766667+00:00

Having ongoing issues where the Entra ID Protection Weekly Digest emails will indicate new risky sign-ins detected in real-time, however when accessing the Entra Admin Center and navigating to the 'Risky sign-ins' Report, none are shown.

From this weeks' email - 13x risky sign-ins detected:User's image

When I attempt to investigate from the Entra Admin Center - no results are shown for the last 7x days, even though I've adjusted the filters to all detection types and risk states. No combination of filters seems to show any results at all.
User's image

Any assistance would be appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

Answer accepted by question author

Martin Egli 545 Reputation points
2026-06-03T07:58:17.7+00:00

The most important point is: the Weekly Digest and the Risky sign-ins report are not always a one-to-one view of the same data. The digest can count new risky sign-ins/detections when they occur, while the portal view depends on the report you open, the risk state filter, processing time, permissions, license level, and retention.

I would validate it in this order:

  1. In ID Protection > Risky sign-ins, set the time range to cover the digest period and explicitly include Remediated in the Risk state filter. Microsoft documents that notification emails can include detections when they occur, even if the risk is later resolved automatically, and that remediated sign-ins may not appear unless that state is included.
  2. Check ID Protection > Risk detections, not only Risky sign-ins. Some Identity Protection detections are user-risk detections or otherwise better investigated from the Risk detections report rather than the Risky sign-ins report.
  3. Wait for processing if the digest is very recent. Microsoft documents that real-time detection details can take several minutes to appear in reports, while offline detections can take longer.
  4. Confirm the account you are using has enough permission to view the reports. Microsoft’s investigation guidance lists Reports Reader as the least privileged role for viewing sign-in and audit logs.
  5. Check retention and licensing. Microsoft documents different retention windows for risky sign-ins depending on license tier, for example 7 days for Entra ID Free, 30 days for P1, and 90 days for P2.

If all of those checks still show no data, collect the digest email timestamp, the count shown in the digest, screenshots of the Risky sign-ins and Risk detections filters, your license tier, and the admin role used for the query. At that point I would open a Microsoft support case, because the digest and portal reports should at least be explainable by risk state, report type, latency, permission, license, or retention.

One practical note: I would not dismiss the alert just because the default Risky sign-ins view is empty. Treat the digest as a trigger to check both Risk detections and remediated risky sign-ins, then document why no active risk remains.

Relevant documentation:

Disclosure: Drafted with help from ChatGPT and reviewed against the Microsoft documentation linked above.

Was this answer helpful?

1 person found this answer helpful.
0 comments

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jon Elkin 5 Reputation points
    2026-06-05T22:30:00.0366667+00:00

    TL;DR: Some risky sign-in (real-time) events may have a Risk State = none, and the only way to view those is to deselect all of the Risk State filters.

    The two previous answers are wrong; "risky sign-in (in real-time)" events that were immediately auto-remediated or that were dismissed shortly after detection are still visible in the Entra admin center Identity Protection "Risky sign-ins" blade when the filters are set correctly.

    Explanation:

    The events contributing to the “New risky sign-ins detected (in real-time)” count in the weekly digest are those whose Risk level (real-time) = Low / Medium / High. The values of Risk State could be anything (At risk, Confirmed compromised, Confirmed safe, Dismissed, Remediated) or nothing. The last word here is critical.

    The natural assumption is that selecting all available Risk State values:

    • At risk
    • Confirmed compromised
    • Confirmed safe
    • Dismissed
    • Remediated

    will display all risky sign-ins. However, this is not the case. Sign-ins whose Risk State is "None" are excluded whenever any (or all) Risk State filter value is selected. Misleadingly, there is no "None" option available in the filter. So, the only way to view sign-ins whose Risk State = none is to deselect all of the Risk State filters.

    Once you do that that and also filter the Risk level (real-time) to include all values (Low, Medium, High) and you should see all the events the digest included in its count.

    It may also be helpful to customize the columns and enable display of the “Risk level (real-time)” column. This doesn't affect filtering, but since you're filtering on that column, it's useful to actually see it column.

    If anyone from Microsoft reads this, I'd like to request that they update the UI of the Risk State filter to include "None" as a selectable value. And it would also be nice to have the “Risk level (real-time)” column shown by default.

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  2. Rukmini 42,515 Reputation points Microsoft External Staff Moderator
    2026-06-03T00:37:42.85+00:00

    Hey Joel, this one turns out to be “by design” rather than a bug. The weekly digest email you get shows all new risk detections in real time – including ones that were immediately auto-remediated or that were dismissed shortly after detection. Those transient events never make it into the Risky sign-ins report in the portal, so when you go in and see “No results,” you’re only looking at sign-ins whose risk state remains active.

    Here’s the breakdown:

    • Weekly digest = a summary of every new detection triggered in that week (real-time and offline)

    • Risky sign-ins report = only includes persistent sign-in events that haven’t been remediated or dismissed

    • Some detections aren’t tied to a sign-in record at all – those show up under Risk detections rather than Risky sign-ins

    What you can do next:

    1. Head over to ID Protection > Risk detections to see all detections (even the short-lived ones)
    2. Check your risk policy settings to see if you have auto-remediation turned on, which will clear the event out of the portal report immediately
    3. If you really need to track every single detection, download the weekly digest data or pipe your logs into a SIEM via diagnostic settings

    Hope that clears it up!

    References:

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making. Hello @Joel Sabine

    If the resolution was helpful, kindly take a moment to click on 210246-screenshot-2021-12-10-121802.pngand click on Yes for was this answer helpful. And, if you have any further query do let us know.

    Was this answer helpful?

    1 person found this answer helpful.
  3. Martin Egli 545 Reputation points
    2026-06-06T08:21:47.3833333+00:00

    Thanks for the additional detail. I would add one correction to my accepted answer: before moving to support, also test the Risk State = none case.

    The important nuance is that selecting all visible Risk State values in the portal does not necessarily mean “include every possible state”. Microsoft Graph documents riskState on sign-in records as having possible values including none, confirmedSafe, remediated, dismissed, atRisk, and confirmedCompromised. It also documents riskLevelDuringSignIn as a separate property with values such as low, medium, and high.

    So the more precise investigation order should be:

    1. Go to Identity Protection > Risky sign-ins.
    2. Set the time range to match the Weekly Digest period.
    3. Clear/deselect all Risk State filter values rather than selecting every visible value.
    4. Filter Risk level (real-time) to include Low, Medium, and High.
    5. Customize the columns and show both Risk level (real-time) and Risk state.
    6. If those rows still do not appear, then continue with the other checks: Risk detections, processing latency, permissions, license/retention, and finally Microsoft Support if the digest cannot be reconciled.

    That makes the answer more accurate: remediated/dismissed detections and Risk detections are still valid things to check, but they are not the only explanation. A real-time risky sign-in with riskState = none can be missed if the portal filter excludes that state.

    Relevant documentation:

    Disclosure: Drafted with help from ChatGPT and reviewed against the Microsoft documentation linked above.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.