Microsoft Entra ID Protection Weekly Digest reports drastically higher number of risky sign-ins than Microsoft Entra ID Identity Protection

Question

Microsoft Entra ID Protection Weekly Digest reports drastically higher number of risky sign-ins than Microsoft Entra ID Identity Protection

Tilman Schmidt 120

The number of "New risky sign-ins detected (in real-time)" reported in the Microsoft Entra ID Protection Weekly Digest for my tenant has jumped from 78 last week to 8498 this week.

I was of course alarmed and tried to investigate where this exorbitant number might originate.

However in the Microsoft Entra admin center I find no trace of this drastic rise in risky sign-ins.

The Identity Protection > Report > Risky sign-ins page shows the usual peaceful trickle of <10 events per day, all false positives as usual.

Where would I look for the source of that alarming number in the weekly digest mail?

Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-04-03T14:05:39.8833333+00:00

Hello @Tilman Schmidt ,

I understand that the number of "New risky sign-ins detected" reported in the Weekly Digest email for your tenant has increased significantly, from 78 last week to 8,498 this week. However, when you log into the Microsoft Entra admin center, you find no trace of these events, as the risky sign-ins are still showing fewer than 10, as usual.

There could be several reasons for this. One possibility is that the risky sign-ins have already been remediated either by the users themselves or by administrators. The portal only shows sign-ins that are still considered risky, so it's possible that those events have already been addressed. Another possible reason is that the risky sign-ins are not being displayed in the portal due to applied filters. In this case, I recommend checking if any filters are applied that could be hiding the results. In the risky sign-ins section, make sure the risk state is set correctly, as shown in the screenshot below, and see if you are able to view the risky sign-ins which the numbers triggered in Weekly digest mail.

If you are still unable to find the risky sign-ins, I would recommend checking the Microsoft Entra ID Identity Protection audit logs to see if there are any errors or issues that could be causing the problem. You can access the audit logs by going to the Azure portal and navigating to Microsoft Entra ID > Monitoring > Audit logs.

Hope this helps. Let us know if you have any additional queries. Happy to assist you further.
Tilman Schmidt 120 Reputation points

2025-04-04T09:41:03.8166667+00:00
Hello @Goutam Pratti ,

thank you for your answer.

When I set the filters on the Risky sign-ins page to include all risk states, the number of entries for the reported week rose to 107, still far from the 8498 in the report. Those included

84 entries with Risk state == Remediated

11 entries with Risk state == Dismissed

9 entries with Risk state == At risk

3 entries with Risk state == Confirmed safe

On a hunch, I then removed all risk states from the filter instead:

This revealed a lot of entries where the Risk state column just contains a dash.

When opening the details on one of these, the top menu bar is greyed out and the Risk info tab just shows the notice: "No risk events" (sic!)

I can't tell the actual number yet because the portal doesn't show a count and I am still waiting for the download, but from what I see there are about six entries per second, which would add up to 3.6 million for a week, so now I am way off in the opposite direction. (I should probably abort the download but I see no way to do that.)

I checked the Audit logs and didn't find any issues that look like they might explain the discrepancy, though I have to admit I don't really know what I am actually looking for. The majority of the failures are for Service/Category: Core Directory/Device which I guess is not relevant. Runner-up is Self-service Password Management/UserManagement which doesn't appear relevant either.

Any further advice? Should I just drop the investigation and file it away as a singular glitch?

Thanks,

Tilman
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-04-07T16:13:03.26+00:00

Hello @Tilman Schmidt ,

Following up to see the above suggestion is helpful. Let us know if you have any additional queries. Happy to assist you further.
Tilman Schmidt 120 Reputation points

2025-04-08T08:30:52.0266667+00:00

Hello @Goutam Pratti ,

thanks, it is helpful. Now I know that I should just ignore the Protection Weekly Digest. I'll look into disabling it.

Best,

Tilman
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-04-08T08:57:06.4733333+00:00

Hello @Tilman Schmidt ,

Thank you for the confirmation as it is helpful.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Accepted answer

0 additional answers

Your answer

Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-04-03T14:05:39.8833333+00:00

Hello @Tilman Schmidt ,

I understand that the number of "New risky sign-ins detected" reported in the Weekly Digest email for your tenant has increased significantly, from 78 last week to 8,498 this week. However, when you log into the Microsoft Entra admin center, you find no trace of these events, as the risky sign-ins are still showing fewer than 10, as usual.

There could be several reasons for this. One possibility is that the risky sign-ins have already been remediated either by the users themselves or by administrators. The portal only shows sign-ins that are still considered risky, so it's possible that those events have already been addressed. Another possible reason is that the risky sign-ins are not being displayed in the portal due to applied filters. In this case, I recommend checking if any filters are applied that could be hiding the results. In the risky sign-ins section, make sure the risk state is set correctly, as shown in the screenshot below, and see if you are able to view the risky sign-ins which the numbers triggered in Weekly digest mail.

If you are still unable to find the risky sign-ins, I would recommend checking the Microsoft Entra ID Identity Protection audit logs to see if there are any errors or issues that could be causing the problem. You can access the audit logs by going to the Azure portal and navigating to Microsoft Entra ID > Monitoring > Audit logs.

Hope this helps. Let us know if you have any additional queries. Happy to assist you further.
Tilman Schmidt 120 Reputation points

2025-04-04T09:41:03.8166667+00:00

Hello @Goutam Pratti ,

thank you for your answer.

When I set the filters on the Risky sign-ins page to include all risk states, the number of entries for the reported week rose to 107, still far from the 8498 in the report. Those included

84 entries with Risk state == Remediated

11 entries with Risk state == Dismissed

9 entries with Risk state == At risk

3 entries with Risk state == Confirmed safe

On a hunch, I then removed all risk states from the filter instead:

This revealed a lot of entries where the Risk state column just contains a dash.

When opening the details on one of these, the top menu bar is greyed out and the Risk info tab just shows the notice: "No risk events" (sic!)

I can't tell the actual number yet because the portal doesn't show a count and I am still waiting for the download, but from what I see there are about six entries per second, which would add up to 3.6 million for a week, so now I am way off in the opposite direction. (I should probably abort the download but I see no way to do that.)

I checked the Audit logs and didn't find any issues that look like they might explain the discrepancy, though I have to admit I don't really know what I am actually looking for. The majority of the failures are for Service/Category: Core Directory/Device which I guess is not relevant. Runner-up is Self-service Password Management/UserManagement which doesn't appear relevant either.

Any further advice? Should I just drop the investigation and file it away as a singular glitch?

Thanks,

Tilman
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-04-07T16:13:03.26+00:00

Hello @Tilman Schmidt ,

Following up to see the above suggestion is helpful. Let us know if you have any additional queries. Happy to assist you further.
Tilman Schmidt 120 Reputation points

2025-04-08T08:30:52.0266667+00:00

Hello @Goutam Pratti ,

thanks, it is helpful. Now I know that I should just ignore the Protection Weekly Digest. I'll look into disabling it.

Best,

Tilman
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-04-08T08:57:06.4733333+00:00

Hello @Tilman Schmidt ,

Thank you for the confirmation as it is helpful.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 1

Hello @Tilman Schmidt ,

You can drop the investigation because this is an Expected behavior. The real-time data displayed in the portal is dynamically calculated, meaning the numbers in the weekly digest may not exactly match what you see in the portal at a later time. The real-time detection process analyzes signals directly from the request pipeline, while the weekly digest numbers are derived from raw signals rather than aggregated data.

Additionally, if any sign-ins were incorrectly flagged as risky (false positives), Microsoft's machine learning algorithms may have automatically remediated or dismissed them. As a result, these sign-ins would no longer appear in the portal.

That's why you'll observe such differences when compares with weekly email and Azure Portal data.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Share via

Microsoft Entra ID Protection Weekly Digest reports drastically higher number of risky sign-ins than Microsoft Entra ID Identity Protection

0 additional answers

Your answer