AZ 500: Configure risk event detections

Peter Benjamin 21 Reputation points

I have a question about the risk levels referring to Microsoft Learn (AZ-500 part-1: Manage Identity and Access / Deploy Azure AD identity protection / Configure risk event detections).

What are the official recommendations for the following risks;
Users with leaked credentials -> High
s from anonymous IP addresses -> Medium
Impossible travel to atypical locations -> Medium
s from infected devices -> Low / Medium ?
from unfamiliar locations -> Medium
Sign-ins from IP addresses with suspicious activity -> Medium / Low ?

Especially on the points: "Sign-ins from infected devices" and "Sign-ins from IP addresses with suspicious activity", I have seen disagreement in forums as well.
What are the official level recommendations from Microsoft?

Thanks for your effort in advance.

Kind regards


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,543 questions
No comments
{count} votes

Accepted answer
  1. Andy David - MVP 115.3K Reputation points MVP

    Well, thats the thing, they are calculated by Microsoft either in real time or offline and then you have CA policies that block based on that risk level. If you choose to block high risk, sign-ins require MFA for medium etc... . So there isnt a standard list of this will be high , this will be medium...

    1 person found this answer helpful.

2 additional answers

Sort by: Oldest
  1. Andy David - MVP 115.3K Reputation points MVP

    Not sure what the question is. Microsoft assigns the risk, you don't.

  2. AmanpreetSingh-MSFT 55,396 Reputation points

    Hi @Peter Benjamin • Thank you for reaching out.

    I had the same question couple of months back as the books still have this information but this information is removed from the official documentation and Azure Portal.

    Here is the official Microsoft statement regarding the risk levels for various risk detections:

    Microsoft doesn't provide specific details about how risk is calculated, we'll say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.

    This is documented here: Risk levels


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    No comments