How To: Give risk feedback in Microsoft Entra ID Protection

Microsoft Entra ID Protection allows you to give feedback on its risk assessment. This document lists the scenarios in which you might want to give feedback on Microsoft Entra ID Protection's risk assessment and explains how we incorporate it.

Your feedback helps us optimize detections in the future, improve their accuracy, and reduce false positives.

What is a detection?

An ID Protection detection is an indicator of suspicious activity from an identity risk perspective. These suspicious activities are called risk detections. These identity-based detections can be based on heuristics or machine learning, or can come from partner products. These detections are used to determine sign-in risk and user risk:

  • User risk represents the probability an identity is compromised.
  • Sign-in risk represents the probability a sign-in is compromised (for example, the identity owner didn't authorize the sign-in).

Why should I give risk feedback to risk assessments?

There are several reasons why you should give risk feedback:

  • You found that the Microsoft Entra ID Protection user or sign-in risk assessment was incorrect. For example, a sign-in shown in the Risky sign-ins report was benign and all the detections on that sign-in were false positives.
  • You validated that the Microsoft Entra ID Protection user or sign-in risk assessment was correct. For example, a sign-in shown in the Risky sign-ins report was indeed malicious and you want Microsoft Entra ID to know that all the detections on that sign-in were true positives.
  • You remediated the risk on that user outside of Microsoft Entra ID Protection and you want the user's risk level to be updated.

How does Microsoft use my risk feedback?

Microsoft uses your feedback to update the risk of the underlying user and/or sign-in and the accuracy of these events. This feedback helps secure the end user. For example, once you confirm a sign-in is compromised, we immediately increase the user's risk and the sign-in's aggregate risk (not its real-time risk) to High. If this user is included in a user risk policy that forces high-risk users to securely reset their passwords, they're able to automatically remediate the next time they sign in.

Microsoft Entra ID Protection offers the following actions that an administrator can take on risky sign-ins:

  • Confirm risk – This action confirms the sign-in is a true positive. The sign-in is considered risky until remediation steps are taken.
  • Confirm safe – This action confirms the sign-in is a false positive. Similar sign-ins shouldn't be considered risky in the future.
  • Dismiss risk – This action is used for a benign true positive. This sign-in should be marked risky, but poses no immediate risk. Similar sign-ins should continue being evaluated for risk going forward. You might use this option during an internal security penetration test.

How should I give risk feedback and what happens under the hood?

Here are the scenarios and mechanisms to give risk feedback to Microsoft Entra ID.

Each scenario below lists how to give feedback, what happens under the hood, and notes.

Scenario: Sign-in not compromised (False positive). The Risky sign-ins report shows an at-risk sign-in [Risk state = At risk], but that sign-in wasn't compromised.
  • How to give feedback: Select the sign-in, then Confirm sign-in safe.
  • What happens under the hood: We move the sign-in's aggregate risk to none [Risk state = Confirmed safe; Risk level (Aggregate) = -] and reverse its effect on the user risk.
  • Notes: Currently, the Confirm sign-in safe option is only available in the Risky sign-ins report.

Scenario: Sign-in compromised (True positive). The Risky sign-ins report shows an at-risk sign-in [Risk state = At risk] with low risk [Risk level (Aggregate) = Low], and that sign-in was indeed compromised.
  • How to give feedback: Select the sign-in, then Confirm sign-in compromised.
  • What happens under the hood: We move the sign-in's aggregate risk and the user risk to High [Risk state = Confirmed compromised; Risk level = High].
  • Notes: Currently, the Confirm sign-in compromised option is only available in the Risky sign-ins report.

Scenario: User compromised (True positive). The Risky users report shows an at-risk user [Risk state = At risk] with low risk [Risk level = Low], and that user was indeed compromised.
  • How to give feedback: Select the user, then Confirm user compromised.
  • What happens under the hood: We move the user risk to High [Risk state = Confirmed compromised; Risk level = High] and add a new detection, Admin confirmed user compromised.
  • Notes: Currently, the Confirm user compromised option is only available in the Risky users report. The detection Admin confirmed user compromised is shown in the Risk detections not linked to a sign-in tab of the Risky users report.

Scenario: User remediated outside of Microsoft Entra ID Protection (True positive + Remediated). The Risky users report shows an at-risk user, and I've then remediated the user outside of Microsoft Entra ID Protection.
  • How to give feedback:
    1. Select the user, then Confirm user compromised. (This step confirms to Microsoft Entra ID that the user was indeed compromised.)
    2. Wait for the user's Risk level to go to High. (This gives Microsoft Entra ID the time it needs to feed the above feedback to the risk engine.)
    3. Select the user, then Dismiss user risk. (This step confirms to Microsoft Entra ID that the user is no longer compromised.)
  • What happens under the hood: Microsoft Entra ID moves the user risk to none [Risk state = Dismissed; Risk level = -] and closes the risk on all existing sign-ins that have active risk.
  • Notes: Clicking Dismiss user risk closes all risk on the user and past sign-ins. This action can't be undone.

Scenario: User not compromised (False positive). The Risky users report shows an at-risk user, but the user isn't compromised.
  • How to give feedback: Select the user, then Dismiss user risk. (This step confirms to Microsoft Entra ID that the user isn't compromised.)
  • What happens under the hood: Microsoft Entra ID moves the user risk to none [Risk state = Dismissed; Risk level = -].
  • Notes: Clicking Dismiss user risk closes all risk on the user and past sign-ins. This action can't be undone.

Scenario: I want to close the user risk, but I'm not sure whether the user is compromised or safe.
  • How to give feedback: Select the user, then Dismiss user risk. (This step confirms to Microsoft Entra ID that the user is no longer compromised.)
  • What happens under the hood: We move the user risk to none [Risk state = Dismissed; Risk level = -].
  • Notes: Clicking Dismiss user risk closes all risk on the user and past sign-ins. This action can't be undone. We recommend you remediate the user by clicking Reset password or by asking the user to securely reset or change their credentials.
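As an added example that is not part of the Microsoft document, the three-step "User remediated outside of Microsoft Entra ID Protection" flow above can be driven through Microsoft Graph PowerShell instead of the portal, with the wait in step 2 done by polling the user's risk level. It assumes the Microsoft.Graph.Identity.SignIns module, an account granted IdentityRiskyUser.ReadWrite.All, and a placeholder user object id.

```powershell
# Added example, not from the Microsoft doc: confirm compromised -> wait for High -> dismiss,
# driven through Microsoft Graph PowerShell. Assumes Microsoft.Graph.Identity.SignIns is
# installed and the caller holds IdentityRiskyUser.ReadWrite.All; $UserId is a placeholder.
param(
    [Parameter(Mandatory)][string]$UserId,   # placeholder: object id of the already-remediated user
    [int]$TimeoutMinutes = 30                # assumption: how long to wait for the risk engine
)

Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All'

function Show-RiskyUser([string]$Id) {
    # RiskState, RiskLevel, RiskDetail and IsProcessing are properties of the Graph riskyUser resource.
    $u = Get-MgRiskyUser -RiskyUserId $Id
    Write-Host ('{0}  state={1}  level={2}  detail={3}  processing={4}' -f (Get-Date -Format s), $u.RiskState, $u.RiskLevel, $u.RiskDetail, $u.IsProcessing)
    return $u
}

# Step 1: Confirm user compromised (true positive).
Confirm-MgRiskyUserCompromised -UserIds @($UserId)

# Step 2: Wait for the risk engine to take the feedback. Feedback is processed offline,
# so poll until the user's risk level is High and processing has finished. Timing out
# leaves the user Confirmed compromised rather than Dismissed, which is the safe failure mode.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $user = Show-RiskyUser $UserId
} while (($user.RiskLevel -ne 'high' -or $user.IsProcessing) -and (Get-Date) -lt $deadline)

if ($user.RiskLevel -ne 'high') {
    throw "Risk level for $UserId did not reach High within $TimeoutMinutes minutes; not dismissing."
}

# Step 3: Dismiss user risk. This closes all risk on the user and past sign-ins and
# cannot be undone, so require an explicit acknowledgement before calling it.
$answer = Read-Host "Dismiss risk for $UserId? This cannot be undone (type DISMISS to continue)"
if ($answer -ne 'DISMISS') {
    Write-Warning 'Dismissal skipped; the user stays Confirmed compromised.'
    return
}

Invoke-MgDismissRiskyUser -UserIds @($UserId)
Show-RiskyUser $UserId | Out-Null   # expect state=dismissed once the feedback has been processed
```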

Feedback on user risk detections in ID Protection is processed offline and might take some time to update. The risk processing state column provides the current state of feedback processing.