Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Defender Security & Compliance/Identities/Dashboard Alerts not loading
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 11%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Jay
0
Reputation points
Title Entra ID Protection risky users not displaying in detailed views; Defender “Active users at risk” card shows permission message
Service / Workload Microsoft Entra ID Protection / Microsoft Defender for Identity
Severity / Impact Admin/security team cannot validate or investigate risky users from either Entra or Defender dashboards. This is impacting security monitoring and incident review.
Issue summary The tenant is showing risky user activity in summary/dashboard views, but the underlying detailed data is not visible.
Current behavior observed:
- In Entra > Identity Protection > Risky users, the dashboard indicates 2 users on 04/15
- Those users do not appear in the detailed results/pages
- In Defender > Identities / Dashboard, the Active users at risk card shows a message that additional permissions are required to view the information
- This was previously available to the team
- The issue is affecting both Defender and Entra, so it does not appear limited to one portal only
- It appears the last visible sync / last meaningful data seen by the client may have been around 04/04
Expected result If the summary/dashboard shows risky users, the corresponding risky user objects and details should be visible in the detailed report pages to authorized admins.
Licensing The tenant has valid licensing present for Identity Protection:
- Entra ID P1: 512
- Entra ID P2 / ID Protection: 510
Roles / Access already tested Affected team is using PIM-based admin access. Tested roles include:
- Security Administrator
- Security Operator
Despite that, the Defender card still shows the permissions message, and Entra detailed risky-user data is also not displaying.
Troubleshooting already performed
- Verified the issue in both Defender and Entra
- Cleared / reset filters in Risky Users
- Confirmed the Risky Users page loads, but results remain empty
- Confirmed licensing is present
- Reviewed Defender dashboard
- Observed additional ITDR health message: “Unable to determine ADFS deployment” This may be separate, but included for referenceLicensing The tenant has valid licensing present for Identity Protection:
- Entra ID P1: 500
- Entra ID P2 / ID Protection: 500
Affected team is using PIM-based admin access. Tested roles include:- Security Administrator
- Security Operator
- Verified the issue in both Defender and Entra
- Cleared / reset filters in Risky Users
- Confirmed the Risky Users page loads, but results remain empty
- Confirmed licensing is present
- Reviewed Defender dashboard
- Observed additional ITDR health message: “Unable to determine ADFS deployment”
This may be separate, but included for reference
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 39,220 Reputation points Microsoft External Staff Moderator2026-04-21T02:20:25.69+00:00 Hey Jay, thanks for all the details—this really helps narrow things down. It looks like you’ve done the basics (clearing filters, validating licensing, testing Security Admin/Security Operator roles), but the “Active users at risk” card and the Entra ID Protection detailed view have some specific prerequisites around permissions and data ingestion. Here’s what I’d try next:
- Check your role assignment
- According to the Defender for Identity docs, you need at least the Security Reader role to view that “Active users at risk” widget and drill into the list of risky users.
- Security Administrator and Security Operator don’t implicitly grant that read‐only security-dashboard access.
- Have someone with Global Administrator rights assign you (or your PIM‐eligible account) the Security Reader role, then activate it in PIM before you test again. If that still doesn’t work, you can temporarily try Global Administrator just to rule out a permissions gap.
- Validate your risk data pipeline
- You mentioned the last meaningful data was around 04/04 and you’re seeing an “Unable to determine ADFS deployment” message in ITDR health. That suggests your Identity Protection signals might not be flowing in properly.
- Go to the Azure AD Connect Health blade → ADFS, and confirm your ADFS servers are connected and healthy.
- In the Microsoft Graph Explorer, run a query against
GET /identityProtection/riskyUsersto see whether any objects are returned. If Graph returns an empty list while your dashboard summary still shows 2 risky users, the portal is simply surface‐caching stale summary counts.
- Review Service Health and known issues
- Double-check the Microsoft 365 Service Health dashboard for any active advisories around Entra ID Protection or Defender for Identity.
- The Identity Security dashboard is still in Preview and rolling out globally—if the widget itself isn’t fully enabled, you can hit the same “permissions needed” message.
- Next steps if it still fails
- If assigning Security Reader + verifying ADFS health + checking Graph doesn’t surface the detailed users, I’d recommend opening a support ticket so Microsoft can look at your tenant’s telemetry and ingestion pipelines.
Reference docs:
- Identity Security dashboard prerequisites & roles: https://learn.microsoft.com/defender-for-identity/dashboard?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider
- Active users at risk widget: https://learn.microsoft.com/defender-for-identity/dashboard?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#dashboard-widgets
- Remediate risks in Entra ID Protection: https://learn.microsoft.com/entra/id-protection/howto-identity-protection-remediate-unblock
Hope this points you in the right direction—let me know how it goes!
Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
- Check your role assignment
-
Jay 0 Reputation points
2026-04-21T15:37:23.43+00:00 - Confirmed ADFS is not in use (Federation disabled; environment uses Password Hash Sync with Seamless SSO).
- Verified Identity Protection data is present and accurate in Entra (all users show riskState = remediated and no active risk).
- Successfully executed the Microsoft Graph query (GET /identityProtection/riskyUsers), which returned expected results confirming no active risky users.
- Tested with both Security Reader and Global Administrator roles (including PIM activation), but the Defender “Active users at risk” widget still displays a permissions-related message.
-
Jay 0 Reputation points
2026-04-21T15:37:39.38+00:00 - Confirmed ADFS is not in use (Federation disabled; environment uses Password Hash Sync with Seamless SSO).
- Verified Identity Protection data is present and accurate in Entra (all users show riskState = remediated and no active risk).
- Successfully executed the Microsoft Graph query (GET /identityProtection/riskyUsers), which returned expected results confirming no active risky users.
- Tested with both Security Reader and Global Administrator roles (including PIM activation), but the Defender “Active users at risk” widget still displays a permissions-related message.
-
Rukmini 39,220 Reputation points Microsoft External Staff Moderator
2026-04-22T07:02:20.6466667+00:00 Jay The behavior might be caused by stale/cached summary data + Defender widget desync between Microsoft Entra ID Protection and Microsoft Defender for Identity.
- Entra's "2 risky users" statistic is based on outdated cached data rather than current information.
- Because there are no active risk objects, the Defender "Active users at risk" card displays a false permission warning and fails.
- The system is operating properly at the backend since Microsoft Graph returns empty.
Hence you can try the below:
- For dashboards to sync, wait 24 to 48 hours for a backend data update.
- Refresh the page by: Modifying the time frame (e.g., last 7 → 30 days) Changing blades (risky users/risk detection) Ignore the ADFS warning (it has nothing to do with PHS environments).
-
Jay 0 Reputation points
2026-04-22T12:52:48.36+00:00 its been 2 weeks since its stopped working, so i would assume the 24 to 48 hours is still voided. any other suggestions '?
Sign in to comment
Sign in to answer