
Discrepancy Between Entra ID Protection Weekly Digest and Portal Risk Data

Matt Ohlmann 5 Reputation points
2026-03-20T14:25:37.85+00:00

MS Support-

We are reaching out to request clarification regarding a discrepancy we are observing between the Microsoft Entra ID Protection weekly digest email and the data available within the Microsoft Entra admin center.

In our most recent weekly digest email (received earlier today), the report indicates:

  • 0 new risky users detected
  • 27 new risky sign-ins detected (real-time)

However, when we attempt to validate this data within the Entra admin center, we are seeing conflicting results:

  • Risk detections: We reviewed a one-month period with all filters applied (All risk states, All detection types, and All risk levels). The query returns no results.

  • Risky sign-ins: We similarly reviewed with all available filters selected (All risk states, Real-time and Aggregate risk levels, All detection types, and All sign-in types). This query also returns zero results.

               *See included screenshots

Given this, the data presented in the weekly digest does not appear to align with what is available in the portal.

Could you please advise on the following:

1. What could cause a discrepancy between the weekly digest email and the Entra admin center data?

2. Is there a delay, retention policy, or filtering difference that would result in these events not appearing in the portal?

3. Are “real-time” risky sign-ins reported in the digest handled or surfaced differently compared to what is searchable in the portal?

Appreciate any guidance you can provide to help us reconcile these differences.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Sridevi Machavarapu 27,235 Reputation points Microsoft External Staff Moderator
    2026-03-24T05:45:07.2966667+00:00

    Hello Matt Ohlmann,

    The weekly digest is a snapshot of what Identity Protection detected during that reporting window, while the portal shows what’s still available when you query it. Because of that, it’s possible to see counts in the digest but no results in the portal.

    A few common reasons:

    1. Short-lived detections
      Risky sign-ins can be remediated quickly (for example, MFA completed or session blocked). Once resolved, they may no longer appear in the portal.
    2. Filtering in the portal
      The digest includes all detections, but the portal may not show them unless you include all risk states (especially Remediated).
    3. Timing and retention
      There can be slight delays in data availability, and retention limits can affect what’s visible depending on when you check.
    4. Different report views
      The digest counts risky sign-ins at detection time, while the portal separates this into Risk detections and Risky sign-ins, which can lead to differences if filters or views don’t align.

    To reconcile the numbers, try checking the same timeframe with all risk states included, or review/export the sign-in logs closer to when the digest was generated.

    Because of these factors, some mismatch between the digest and portal is expected.

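The reconciliation suggested in the answer above, as an added example that is not part of the original thread or any Microsoft tooling: it takes exported risk detections, keeps the real-time ones inside the digest window, and compares the distinct sign-ins with the digest count across every risk state. Assumptions: records use the Microsoft Graph `riskDetection` field names (`requestId`, `detectedDateTime`, `detectionTimingType`, `riskState`), the digest covers the seven days before it was sent, and the sample records and the `reconcile` helper are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed records using Microsoft Graph riskDetection field names; not tenant data.
SAMPLE = [
    {"requestId": "r1", "detectedDateTime": "2026-03-14T09:12:00Z", "detectionTimingType": "realtime", "riskState": "remediated"},
    {"requestId": "r1", "detectedDateTime": "2026-03-14T09:12:05Z", "detectionTimingType": "realtime", "riskState": "remediated"},
    {"requestId": "r2", "detectedDateTime": "2026-03-16T22:40:00Z", "detectionTimingType": "realtime", "riskState": "atRisk"},
    {"requestId": "r3", "detectedDateTime": "2026-03-18T03:05:00Z", "detectionTimingType": "offline", "riskState": "remediated"},
    {"requestId": "r4", "detectedDateTime": "2026-03-10T11:00:00Z", "detectionTimingType": "realtime", "riskState": "dismissed"},
    {"requestId": "r5", "detectedDateTime": "2026-03-19T17:30:00Z", "detectionTimingType": "realtime", "riskState": "dismissed"},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2026-03-14T09:12:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def reconcile(detections, digest_sent, digest_count, window_days=7):
    """Compare a digest's real-time risky sign-in count with exported detections."""
    end = parse_ts(digest_sent)
    start = end - timedelta(days=window_days)  # assumed digest window, not documented on the page
    hits = [d for d in detections
            if d["detectionTimingType"] == "realtime"
            and start <= parse_ts(d["detectedDateTime"]) < end]
    sign_ins = {d["requestId"] for d in hits}  # several detections can share one sign-in
    return {
        "detections": len(hits),
        "sign_ins": len(sign_ins),
        "by_state": dict(Counter(d["riskState"] for d in hits)),
        # Sign-ins a view filtered to only the atRisk state would still show.
        "at_risk_only": len({d["requestId"] for d in hits if d["riskState"] == "atRisk"}),
        # Digest count not accounted for by the export, even with all states included.
        "unexplained": digest_count - len(sign_ins),
    }

if __name__ == "__main__":
    print(reconcile(SAMPLE, "2026-03-20T14:00:00Z", digest_count=3))
```

A non-zero `unexplained` value after every risk state is included points to timing or retention rather than filtering.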
