Explore Microsoft Entra ID Protection

Microsoft Entra ID Protection (also known as Identity Protection) is a cloud-based solution that helps an organization monitor and report on compromised or abused identities within its environment. Administrators can let Microsoft Entra ID Protection monitor and report automatically. Remediation can be automated through rules and conditions that administrators define, performed manually by users, or a combination of the two in which users are given recommendations.

Important

Azure Active Directory (Azure AD) is now Microsoft Entra ID.

Microsoft Entra ID Protection offers identity protection to organizations by detecting attacks in near real time. It informs them of risks and applies controls to keep their enterprises safe. Most security breaches occur when attackers gain access to an environment by stealing a user’s identity.

Over time, attackers have become more effective at using third-party breaches and advanced phishing attacks. As soon as attackers gain access to even a low-privileged user account, it's relatively easy for them to reach important company resources through lateral movement.

As a result, it's imperative that Microsoft 365 Administrators:

  • protect all identities, regardless of their privilege level.
  • proactively prevent abuse of compromised identities.

Discovering compromised identities is no easy task. Microsoft Entra ID uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities. Microsoft Entra ID Protection uses this data to generate reports and alerts. Given this visibility into suspicious incidents, organizations can evaluate the detected issues and take appropriate mitigation or remediation actions.

Microsoft Entra ID Protection is more than a monitoring and reporting tool. It enables organizations to protect their identities by configuring risk-based policies. Such policies can automatically respond to detected issues when users reach a specified risk level. These policies, along with other conditional access controls provided by Microsoft Entra ID and Enterprise Mobility + Security (EMS), can automatically block user actions. They can also start adaptive remediation actions, including password resets and multifactor authentication enforcement.

The following graphic shows that Microsoft Entra ID Protection is a technology inside Microsoft Entra ID. It recognizes malicious activity and calculates risk based on user activity.

Diagram showing that Microsoft Entra ID Protection is a technology inside Microsoft Entra ID.

Microsoft Entra ID Protection capabilities

Microsoft detects more than 10,000 attacker-controlled IP addresses per day. It also detects and blocks more than 10 million bogus sign-in attempts per day, resulting in 1.5 million newly protected credential pairs every day. This protection results in world-class signal and battle-tested algorithms that organizations can use to protect their identity infrastructure.

This information is also the basis for the following capabilities that Microsoft Entra ID Protection provides organizations:

  • Detecting vulnerabilities and risky accounts. Microsoft Entra ID Protection uses all this data, analysis, and experience to generate user and sign-in risk scores. It can then notify an organization of the compromised users, risky logons, and configuration vulnerabilities in its environment before cyber criminals can exploit these issues.

  • Investigating risk events. Microsoft Entra ID Protection helps organizations to better protect themselves by providing a combined view into risks, remediation recommendations, and in-line response options. It uses advanced machine learning to detect suspicious activities. This process is based on signals including brute force attacks, leaked credentials, sign-in from unfamiliar locations, and infected devices.

  • Risk-based conditional access policies. Organizations can configure Microsoft Entra ID Protection to trigger risk-based Conditional Access policies. These policies automatically respond to threats by:

    • Blocking sign-in attempts.
    • Issuing Microsoft Entra multifactor authentication challenges.
    • Requiring users to change their credentials if the evidence is strong enough.

    For example, assume that Microsoft Entra ID Protection’s machine learning system believes that a sign-in is coming from a new, anonymized, or bot-controlled network location. Conditional Access autoremediation can intercept the request with an adaptive multifactor authentication challenge. When Microsoft Entra ID Protection's threat intelligence or machine-learning algorithms detect that an attacker has compromised a user's credentials, they can trigger the risk-based Conditional Access policies. These policies can respond automatically, either by blocking the account or by requiring the user to change their password after completing multifactor authentication.
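The two risk-based Conditional Access policies described above, shown as an added example rather than as code from the page or from Microsoft: each policy is built as a Microsoft Graph `conditionalAccessPolicy` request body (the JSON field names and enum values follow the Graph v1.0 schema; the endpoint is the real one you would POST to), and a small local evaluator shows which grant controls a sign-in with a given sign-in risk and user risk would face. The helper functions, the evaluator and the sample risk levels are constructed for illustration and are not the service's own evaluation logic.

```python
"""Added example (not Microsoft code): risk-based Conditional Access policies as
Graph request bodies, plus a local approximation of how they combine."""
from __future__ import annotations
import json

# Real Graph endpoint for creating a policy (requires Policy.ReadWrite.ConditionalAccess).
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def base_policy(display_name: str) -> dict:
    # Start in report-only mode; change "state" to "enabled" once the sign-in logs look right.
    # Put break-glass accounts in excludeUsers so a risk policy can never lock everyone out.
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
    }


def sign_in_risk_policy(levels=("medium", "high")) -> dict:
    """Challenge risky sign-ins with MFA: the real user passes, a stolen password alone does not."""
    p = base_policy("Risk: MFA for medium or high sign-in risk")
    p["conditions"]["signInRiskLevels"] = list(levels)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def user_risk_policy(levels=("high",), block: bool = False) -> dict:
    """Force a secure password change (MFA, then passwordChange) or block outright for risky users."""
    p = base_policy("Risk: remediate high user risk")
    p["conditions"]["userRiskLevels"] = list(levels)
    if block:
        p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    else:
        # passwordChange must be combined with mfa and "require all controls" (AND).
        p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return p


def matches(policy: dict, sign_in_risk: str, user_risk: str) -> bool:
    """A policy applies when every risk condition it specifies is met (conditions are ANDed)."""
    cond = policy["conditions"]
    checks = []
    if "signInRiskLevels" in cond:
        checks.append(sign_in_risk in cond["signInRiskLevels"])
    if "userRiskLevels" in cond:
        checks.append(user_risk in cond["userRiskLevels"])
    return all(checks)


def evaluate(policies: list[dict], sign_in_risk: str, user_risk: str) -> list[str]:
    """Local approximation of Conditional Access: union the controls of every matching
    policy (report-only policies are shown as if enforced); a block from any policy wins."""
    required: set[str] = set()
    for p in policies:
        if p["state"] == "disabled" or not matches(p, sign_in_risk, user_risk):
            continue
        required.update(p["grantControls"]["builtInControls"])
    return ["block"] if "block" in required else sorted(required)


if __name__ == "__main__":
    policies = [sign_in_risk_policy(), user_risk_policy()]
    print(json.dumps(policies[0], indent=2))       # body you would POST to GRAPH_ENDPOINT
    print(evaluate(policies, "medium", "none"))    # ['mfa']
    print(evaluate(policies, "high", "high"))      # ['mfa', 'passwordChange']
```

Risk levels in a policy are explicit lists rather than thresholds, so a policy scoped to `["high"]` does nothing for a Medium sign-in; list every level you mean to catch.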

Microsoft Entra ID Protection also helps organizations identify and remediate configuration vulnerabilities. It integrates with Microsoft Entra Privileged Identity Management, Cloud App Discovery, and multifactor authentication to improve their security posture. Microsoft Entra ID Protection can also detect suspicious activity such as impossible travel: two sign-ins from locations the user could not physically have traveled between in the time available. For example, a user can't sign in from New York and then from Sydney, Australia three hours later.
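The impossible travel heuristic described above, as an added example that is not Microsoft's detector: it computes the great-circle distance between consecutive sign-ins of the same user and flags any pair that would require travelling faster than an assumed ceiling. The real detection is evaluated offline with more context (familiar locations, known VPN and proxy ranges, device identity); this shows only the core geometry and threshold logic. The sign-in records, the speed and distance thresholds, and the function names are constructed for the example.

```python
"""Added example (not Microsoft code): impossible-travel detection over sign-in events."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: nothing a user travels in beats an airliner
MIN_DISTANCE_KM = 50.0       # assumption: ignore moves inside one metro area (geo-IP jitter)


@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: list[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH
                      ) -> list[tuple[SignIn, SignIn, float]]:
    """Return (earlier, later, implied_speed_kmh) for each pair of consecutive sign-ins
    by the same user that would require travelling faster than max_kmh."""
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.at):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.at - prev.at).total_seconds() / 3600
            # two distant sign-ins at the same instant imply infinite speed: always flag
            speed = float("inf") if hours <= 0 else km / hours
            if speed > max_kmh:
                findings.append((prev, cur, speed))
    return findings


# Constructed sample: alice reproduces the New York -> Sydney case from the text,
# bob makes an ordinary New York -> Boston trip that must not be flagged.
UTC = timezone.utc
SAMPLE = [
    SignIn("alice", datetime(2024, 3, 1, 9, 0, tzinfo=UTC), "New York", 40.7128, -74.0060),
    SignIn("alice", datetime(2024, 3, 1, 12, 0, tzinfo=UTC), "Sydney", -33.8688, 151.2093),
    SignIn("bob", datetime(2024, 3, 1, 9, 0, tzinfo=UTC), "New York", 40.7128, -74.0060),
    SignIn("bob", datetime(2024, 3, 1, 11, 0, tzinfo=UTC), "Boston", 42.3601, -71.0589),
]

if __name__ == "__main__":
    for earlier, later, kmh in impossible_travel(SAMPLE):
        print(f"{earlier.user}: {earlier.city} -> {later.city} would need {kmh:,.0f} km/h")
```

New York to Sydney is roughly 16,000 km, so three hours implies over 5,000 km/h and the pair is flagged; the 300 km New York to Boston hop in two hours is not.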

Microsoft Entra ID Protection roles

A user must be assigned one of the following roles to access Microsoft Entra ID Protection: Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator.

Security Administrator
  • Can do: Full access to Identity Protection
  • Can't do: Reset password for a user

Security Operator
  • Can do: View all Identity Protection reports and the Overview; dismiss user risk, confirm safe sign-in, confirm compromise
  • Can't do: Configure or change policies; reset password for a user; configure alerts; access the Risky sign-ins report

Security Reader
  • Can do: View all Identity Protection reports and the Overview
  • Can't do: Configure or change policies; reset password for a user; configure alerts; give feedback on detections

Global Reader
  • Can do: Read-only access to Identity Protection

Global Administrator
  • Can do: Full access to Identity Protection

Note

Conditional Access administrators can create policies that factor in user or sign-in risk as a condition. Find more information in the article Conditional Access: Conditions.

Risk Detection through Microsoft Entra ID Protection

Microsoft Entra ID uses machine learning to detect anomalies and suspicious activity. It uses both signals detected in real time during sign-in attempts and offline (non-real-time) signals related to users and their sign-in activities. Microsoft Entra ID Protection uses this data to calculate a real-time sign-in risk each time a user authenticates. It then determines an overall risk level for each user. Microsoft Entra ID Protection enables you to automatically take action on these risk detections by configuring user risk policies and sign-in risk policies.

Microsoft Entra ID Protection detects the following types of risk:

  • Sign-in risk. Sign-in risk reflects the probability the identity owner doesn't authorize a given authentication request. There are two types of sign-in risks:
    • Real-time. Microsoft Entra ID Protection detects real-time sign-in risk at the time of the given sign-in attempt (such as sign-in attempts from anonymous IP addresses).
    • Total. Total sign-in risk is the aggregate of detected real-time sign-in risks and any later non-real-time risk events associated with the user’s sign-in attempts (such as impossible travel).
  • User risk. User risk reflects the overall likelihood that a bad actor compromised a given identity. User risk contains all the risk activities for a given user, including:
    • Real-time sign-in risk
    • Later sign-in risk
    • Risky user detections

Microsoft Entra ID Protection notifications

Microsoft Entra ID Protection sends two types of automated notification emails to help you manage user risk and risk detections:

  • Users at risk detected email
  • Weekly digest email

Note

Microsoft Entra ID Protection doesn't support sending emails to users in group-assigned roles.

Important

By default, users actively assigned the Global Administrator, Security Administrator, or Security Reader role are automatically added to the recipient list for these emails if they have a valid "Email" or "Alternate email" configured. If a user is enrolled in PIM to elevate to one of these roles on demand, they only receive emails if they're elevated at the time the email is sent.

Users at risk detected alerts

In response to a detected account at risk, Microsoft Entra ID Protection generates an email alert with Users at risk detected as the email subject. The email includes a link to the Risky users report (formerly named Users flagged for risk).

Tip

As a best practice, you should immediately investigate the users at risk.

The configuration for this alert allows you to specify at what user risk level you want the alert to be generated.

  • The email is generated when the user's risk level reaches the level you specified. For example, if you set the alert to Medium user risk and a user's risk level moves to Medium because of a real-time sign-in risk, you receive the Users at risk detected email.
  • If the user has subsequent risk detections that cause the recalculated user risk level to be at the specified level (or higher), you receive more Users at risk detected emails each time the user risk is recalculated. For example, if a user moves to Medium risk on January 1 and your alert is set to Medium, you receive an email notification. If that same user has another risk detection on January 5 and the recalculated user risk is still Medium, you receive another email notification.

An extra email notification is sent only if the sign-in that changed the user risk level is more recent than the sign-in that triggered the last email. For example, a user signs in on January 1 at 5 AM with no real-time risk, so no email is generated for that sign-in. Ten minutes later, at 5:10 AM, the same user signs in again with High real-time risk, which moves the user risk level to High and sends an email. Then, at 5:15 AM, offline risk processing raises the risk of the original 5 AM sign-in to High. No further Users at risk detected email is sent, because the 5 AM sign-in is older than the 5:10 AM sign-in that already triggered an email.

To prevent an overload of emails, you receive only one email within any 5-second period. If multiple users move to the specified risk level during the same 5-second period, Microsoft Entra ID Protection aggregates the data and sends one email for all of them.
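The rules above, together with the roll-up of real-time and offline detections into sign-in risk and user risk described under Risk Detection, as an added example that is not Microsoft's implementation: a small notifier that folds detections into per-sign-in total risk and per-user risk, alerts when user risk reaches the configured level, alerts again when a newer sign-in keeps the user at that level, stays silent when offline processing rescores a sign-in older than the one that already alerted, and groups alerts raised within one 5-second window into a single email. The class, its field names and the sample detections (including the 5:00 / 5:10 / 5:15 scenario from the text) are constructed for illustration.

```python
"""Added example (not Microsoft code): risk roll-up and 'Users at risk detected' email rules."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Detection:
    user: str
    sign_in_at: datetime   # the sign-in this detection belongs to
    detected_at: datetime  # when it was raised: same instant for real-time, later for offline
    level: str             # "low" | "medium" | "high"


def higher(a: str, b: str) -> str:
    return a if LEVELS[a] >= LEVELS[b] else b


class RiskNotifier:
    def __init__(self, alert_level: str = "high", window: timedelta = timedelta(seconds=5)):
        self.alert_level = alert_level
        self.window = window
        self.sign_in_risk: dict[tuple[str, datetime], str] = {}  # total risk of each sign-in
        self.user_risk: dict[str, str] = {}
        self.last_alerted_sign_in: dict[str, datetime] = {}
        self.alerts: list[tuple[datetime, str]] = []  # (raised_at, user)

    def ingest(self, d: Detection) -> bool:
        """Fold one detection into the risk state; return True if it raises an alert."""
        key = (d.user, d.sign_in_at)
        # total sign-in risk = highest of the real-time and later offline detections for that sign-in
        self.sign_in_risk[key] = higher(self.sign_in_risk.get(key, "none"), d.level)
        # user risk = highest total risk across all of that user's sign-ins
        self.user_risk[d.user] = max(
            (lvl for (u, _), lvl in self.sign_in_risk.items() if u == d.user),
            key=LEVELS.__getitem__)
        if LEVELS[self.user_risk[d.user]] < LEVELS[self.alert_level]:
            return False
        last = self.last_alerted_sign_in.get(d.user)
        if last is not None and d.sign_in_at <= last:
            return False  # an older sign-in rescored offline: the email already sent covers it
        self.last_alerted_sign_in[d.user] = d.sign_in_at
        self.alerts.append((d.detected_at, d.user))
        return True

    def emails(self) -> list[tuple[datetime, tuple[str, ...]]]:
        """Group alerts into emails: every alert within `window` of an email's first alert joins it."""
        out: list[tuple[datetime, tuple[str, ...]]] = []
        for raised_at, user in sorted(self.alerts):
            if out and raised_at - out[-1][0] <= self.window:
                out[-1] = (out[-1][0], out[-1][1] + (user,))
            else:
                out.append((raised_at, (user,)))
        return out


def demo_high() -> RiskNotifier:
    """Alert level High: the 5:00 / 5:10 / 5:15 scenario, plus two users alerting 3 seconds apart."""
    def t(h, m, s=0):
        return datetime(2024, 1, 1, h, m, s)
    n = RiskNotifier("high")
    n.ingest(Detection("alice", t(5, 10), t(5, 10), "high"))    # real-time High: email
    n.ingest(Detection("alice", t(5, 0), t(5, 15), "high"))     # offline rescore of 5:00 sign-in: no email
    n.ingest(Detection("bob", t(6, 0, 0), t(6, 0, 0), "high"))
    n.ingest(Detection("carol", t(6, 0, 3), t(6, 0, 3), "high"))  # same 5-second window as bob
    return n


def demo_medium() -> RiskNotifier:
    """Alert level Medium: a later sign-in that keeps the user at Medium alerts again."""
    n = RiskNotifier("medium")
    n.ingest(Detection("dana", datetime(2024, 1, 1, 9), datetime(2024, 1, 1, 9), "medium"))
    n.ingest(Detection("dana", datetime(2024, 1, 5, 9), datetime(2024, 1, 5, 9), "medium"))
    return n


if __name__ == "__main__":
    for sent_at, users in demo_high().emails() + demo_medium().emails():
        print(sent_at, "Users at risk detected:", ", ".join(users))
```

The `last_alerted_sign_in` check is what makes the 5:15 AM offline rescore silent: it raises the 5 AM sign-in's risk, but that sign-in predates the 5:10 AM sign-in that already produced an email.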

If your organization enabled self-remediation as described in the article, User experiences with Microsoft Entra ID Protection, there's a chance the user might remediate their risk before you have the opportunity to investigate. You can see risky users and risky sign-ins that were already remediated by adding Remediated to the Risk state filter in either the Risky users or Risky sign-ins reports.

As an administrator, you can configure the following settings:

  • The user risk level that triggers the generation of this email. By default, the risk level is set to “High” risk.
  • The recipients of this email. If you add recipients under Add custom email here, they must have the appropriate permissions to view the linked reports.

You configure the Users at risk email in the Microsoft Entra admin center under Protection > Identity Protection > Users at risk detected alerts.

Weekly digest email

The weekly digest email contains a summary of new risk detections, including:

  • New risky users detected
  • New risky sign-ins detected (in real time)
  • Links to the related reports in Identity Protection

As an administrator, you can switch sending a weekly digest email on or off and choose the users assigned to receive the email. You configure the weekly digest email in the Microsoft Entra admin center under Protection > Identity Protection > Weekly digest.

Knowledge check

1. How does Microsoft Entra ID Protection investigate risk events?