learn.microsoft.com Open in urlscan Pro
2a02:26f0:480:b9a::3544  Public Scan

Submitted URL: https://go.microsoft.com/fwlink/?linkid=2016528
Effective URL: https://learn.microsoft.com/en-gb/entra/id-protection/concept-identity-protection-risks
Submission: On November 19 via api from DE — Scanned from GB

Form analysis 3 forms found in the DOM

Name: site-header-search-form-mobileGET /en-gb/search/

<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form-mobile" data-bi-name="site-header-search-form-mobile" name="site-header-search-form-mobile" aria-label="Search" action="/en-gb/search/">
  <div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
    <div class="field-body control ">
      <input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input-mobile"
        data-test-id="site-header-search-autocomplete-input-mobile" class="autocomplete-input input 
						
						width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-1-listbox" aria-controls="ax-1-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-mobile-description"
        placeholder="Search" data-bi-name="site-header-search-autocomplete-input-mobile" pattern=".*">
      <span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
      <span hidden="" id="ms--site-header-search-autocomplete-input-mobile-description"> Suggestions will filter as you type </span>
    </div>
    <ul role="listbox" id="ax-1-listbox" data-test-id="site-header-search-autocomplete-input-mobile-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
    </ul>
    <!---->
  </div>
  <!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
  <button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
  <input name="category" hidden="" value="">
</form>

Name: site-header-search-formGET /en-gb/search/

<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form" data-bi-name="site-header-search-form" name="site-header-search-form" aria-label="Search" action="/en-gb/search/">
  <div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
    <div class="field-body control ">
      <input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input" data-test-id="site-header-search-autocomplete-input" class="autocomplete-input input input-sm
						
						width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-0-listbox" aria-controls="ax-0-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-description"
        placeholder="Search" data-bi-name="site-header-search-autocomplete-input" pattern=".*">
      <span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
      <span hidden="" id="ms--site-header-search-autocomplete-input-description"> Suggestions will filter as you type </span>
    </div>
    <ul role="listbox" id="ax-0-listbox" data-test-id="site-header-search-autocomplete-input-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
    </ul>
    <!---->
  </div>
  <!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
  <button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
  <input name="category" hidden="" value="">
</form>

javascript:

<form action="javascript:" role="search" aria-label="Search" class="margin-bottom-xxs"><label class="visually-hidden" for="ax-2">Search</label>
  <div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
    <div class="field-body control has-icons-left">
      <input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="ax-2" data-test-id="ax-2" class="autocomplete-input input input-sm
						control has-icons-left
						width-full" type="text" aria-expanded="false" aria-owns="ax-3-listbox" aria-controls="ax-3-listbox" aria-activedescendant="" aria-describedby="ms--ax-2-description" placeholder="Filter by title" pattern=".*">
      <span aria-hidden="true" class="icon is-small is-left">
        <span class="has-text-primary docon docon-filter-settings"></span>
      </span>
      <span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
      <span hidden="" id="ms--ax-2-description"> Suggestions will filter as you type </span>
    </div>
    <ul role="listbox" id="ax-3-listbox" data-test-id="ax-2-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
    </ul>
    <!---->
  </div>
</form>

Text Content

Skip to main content

We use optional cookies to improve your experience on our websites, such as
through social media connections, and to display personalised advertising based
on your online activity. If you reject optional cookies, only cookies necessary
to provide you the services will be used. You may change your selection by
clicking 'Manage Cookies' at the bottom of the page.Privacy Statement
Third-Party Cookies

Accept Reject Manage cookies


MICROSOFT IGNITE

Nov 19–22, 2024

Join us this November to explore AI innovations, level up your skillset, and
expand your network.

Register now
Dismiss alert

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security
updates, and technical support.

Download Microsoft Edge More info about Internet Explorer and Microsoft Edge

Learn
Suggestions will filter as you type
Sign in


 * Profile
 * Settings

Sign out

Learn
   
 * Discover
      
    * Documentation
      
      In-depth articles on Microsoft developer tools and technologies
   
      
    * Training
      
      Personalized learning paths and courses
   
      
    * Credentials
      
      Globally recognized, industry-endorsed credentials
   
      
    * Q&A
      
      Technical questions and answers moderated by Microsoft
   
      
    * Code Samples
      
      Code sample library for Microsoft developer tools and technologies
   
      
    * Assessments
      
      Interactive, curated guidance and recommendations
   
      
    * Shows
      
      Thousands of hours of original programming from Microsoft experts
   
      
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   
 * Product documentation
      
    * ASP.NET
      
    * Azure
      
    * Dynamics 365
      
    * Microsoft 365
      
    * Microsoft Copilot
      
    * Microsoft Edge
      
    * Microsoft Entra
      
    * Microsoft Graph
      
    * Microsoft Intune
      
    * Microsoft Purview
      
    * Microsoft Teams
      
    * .NET
      
    * Power Apps
      
    * Power BI
      
    * Power Platform
      
    * PowerShell
      
    * SQL
      
    * Sysinternals
      
    * Visual Studio
      
    * Windows
      
    * Windows Server
      
   
   View all products
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   
 * Development languages
      
    * C++
      
    * C#
      
    * DAX
      
    * Java
      
    * OData
      
    * OpenAPI
      
    * Power Query M
      
    * VBA
      
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   
 * Topics
      
    * Artificial intelligence
      
    * Compliance
      
    * DevOps
      
    * Platform engineering
      
    * Security
      
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   

Suggestions will filter as you type
Sign in


 * Profile
 * Settings

Sign out
Microsoft Entra
   
 * Microsoft Entra ID
   
 * External ID
   
 * Global Secure Access
   
 * ID Governance
   
 * Permissions Management
   
 * Microsoft Security documentation
   
 * Troubleshooting
   
 * More
     
   * Microsoft Entra ID
     
   * External ID
     
   * Global Secure Access
     
   * ID Governance
     
   * Permissions Management
     
   * Microsoft Security documentation
     
   * Troubleshooting
     
   

Admin center
Table of contents Exit focus mode

Search
Suggestions will filter as you type
 * Microsoft Entra ID Protection Documentation
 * Overview
 * Concepts
   * Microsoft Entra ID Protection dashboard
   * What are risks?
   * Risk-based access control policies
   * User sign-in experience
   * Securing workload identities
   * Microsoft Entra ID Protection and B2B users
 * How-to guides
   * Deploy Microsoft Entra ID Protection
   * Configure notifications
   * Policy configuration
   * Simulate risk detections
   * Investigate and remediate
   * Provide feedback on risk detections
   * Impact analysis workbook
 * Reference
 * Resources

Download PDF
    
 1. Learn
    
    
 2. Microsoft Entra
    
    
 3. Microsoft Entra ID Protection
    

    
 1. Learn
    
    
 2. Microsoft Entra
    
    
 3. Microsoft Entra ID Protection
    

Read in English Save
 * Add to Collections
 * Add to Plan

Table of contents Read in English Add to Collections Add to Plan Edit


--------------------------------------------------------------------------------

SHARE VIA

Facebook x.com LinkedIn Email

--------------------------------------------------------------------------------

Print
Table of contents


WHAT ARE RISK DETECTIONS?

 * Article
 * 21/08/2024
 * 23 contributors

Feedback


IN THIS ARTICLE

    
 1. Risk levels
    
 2. Real-time and offline detections
    
 3. Risk detections mapped to riskEventType
    
 4. Premium detections
    
 5. Nonpremium detections
    
 6. Common questions
    
 7. Related content
    

Show 3 more

Microsoft Entra ID Protection provides organizations with information to
suspicious activity in their tenant and allows them to respond quickly to
prevent further risk occurring. Risk detections are a powerful resource that can
include any suspicious or anomalous activity related to a user account in the
directory. ID Protection risk detections can be linked to an individual user or
sign-in event and contribute to the overall user risk score found in the Risky
Users report.

User risk detections might flag a legitimate user account as at risk, when a
potential threat actor gains access to an account by compromising their
credentials or when they detect some type of anomalous user activity. Sign-in
risk detections represent the probability that a given authentication request
isn't the authorized owner of the account. Having the ability to identify risk
at the user and sign-in level is critical for customers to be empowered to
secure their tenant.


RISK LEVELS

ID Protection categorizes risk into three tiers: low, medium, and high. Risk
levels calculated by our machine learning algorithms and represent how confident
Microsoft is that one or more of the user's credentials are known by an
unauthorized entity.

 * A risk detection with risk level High signifies that Microsoft is highly
   confident that the account is compromised.
 * A risk detection with risk level Low signifies that there are anomalies
   present in the sign-in or a user’s credential, but we're less confident that
   these anomalies mean the account is compromised.

Many detections can fire at more than one of our risk levels depending on the
number or severity of the anomalies detected. For example, Unfamiliar sign-in
properties might fire at high, medium, or low based on the confidence in the
signals. Some detections, like Leaked Credentials and Verified Threat Actor IP
are always delivered as high risk.

This risk level is important when deciding which detections to prioritize,
investigate, and remediate. They also play a key role in configuring risk based
Conditional Access policies as each policy can be set to trigger for low,
medium, high, or no risk detected. Based on the risk tolerance of your
organization, you can create policies that require MFA or password reset when ID
Protection detects a certain risk level for one of your users. These policies
can guide the user to self-remediate to resolve the risk.

Important

All "low" risk level detections and users will persist in the product for 6
months, after which they will be automatically aged out to provide a cleaner
investigation experience. Medium and high risk levels will persist until
remediated or dismissed.

Based on the risk tolerance of your organization, you can create policies that
require MFA or password reset when ID Protection detects a certain risk level.
These policies might guide the user to self-remediate and resolve the risk or
block depending on your tolerances.


REAL-TIME AND OFFLINE DETECTIONS

ID Protection utilizes techniques to increase the precision of user and sign-in
risk detections by calculating some risks in real-time or offline after
authentication. Detecting risk in real-time at sign-in gives the advantage of
identifying risk early so that customers can quickly investigate the potential
compromise. On detections that calculate risk offline, they can provide more
insight as to how the threat actor gained access to the account and the impact
on the legitimate user. Some detections can be triggered both offline and during
sign-in, which increases confidence in being precise on the compromise.

Detections triggered in real-time take 5-10 minutes to surface details in the
reports. Offline detections take up to 48 hours to surface in the reports, as it
takes time to evaluate properties of the potential risk.

Note

Our system might detect that the risk event that contributed to the risk user
risk score was either:

 * A false positive
 * The user risk was remediated by policy by either:
   * Completing multifactor authentication
   * Secure password change

Our system will dismiss the risk state and a risk detail of AI confirmed sign-in
safe will show and no longer contribute to the user’s overall risk.

On risk-detailed data, Time Detection records the exact moment a risk is
identified during a user's sign-in, which allows for real-time risk assessment
and immediate policy application to safeguard the user and organization.
Detection last updated shows the latest update to a risk detection, which could
be due to new information, risk level changes, or administrative actions, and
ensures up-to-date risk management.

These fields are essential for real-time monitoring, threat response, and
maintaining secure access to organizational resources.


RISK DETECTIONS MAPPED TO RISKEVENTTYPE

Expand table

Risk detection Detection type Type riskEventType Sign-in risk detections
Activity from anonymous IP address Offline Premium riskyIPAddress Additional
risk detected (sign-in) Real-time or Offline Nonpremium generic = Premium
detection classification for non-P2 tenants Admin confirmed user compromised
Offline Nonpremium adminConfirmedUserCompromised Anomalous Token Real-time or
Offline Premium anomalousToken Anonymous IP address Real-time Nonpremium
anonymizedIPAddress Atypical travel Offline Premium unlikelyTravel Impossible
travel Offline Premium mcasImpossibleTravel Malicious IP address Offline Premium
maliciousIPAddress Mass Access to Sensitive Files Offline Premium
mcasFinSuspiciousFileAccess Microsoft Entra threat intelligence (sign-in)
Real-time or Offline Nonpremium investigationsThreatIntelligence New country
Offline Premium newCountry Password spray Offline Premium passwordSpray
Suspicious browser Offline Premium suspiciousBrowser Suspicious inbox forwarding
Offline Premium suspiciousInboxForwarding Suspicious inbox manipulation rules
Offline Premium mcasSuspiciousInboxManipulationRules Token issuer anomaly
Offline Premium tokenIssuerAnomaly Unfamiliar sign-in properties Real-time
Premium unfamiliarFeatures Verified threat actor IP Real-time Premium
nationStateIP User risk detections Additional risk detected (user) Real-time or
Offline Nonpremium generic = Premium detection classification for non-P2 tenants
Anomalous user activity Offline Premium anomalousUserActivity Attacker in the
Middle Offline Premium attackerinTheMiddle Leaked credentials Offline Nonpremium
leakedCredentials Microsoft Entra threat intelligence (user) Real-time or
Offline Nonpremium investigationsThreatIntelligence Possible attempt to access
Primary Refresh Token (PRT) Offline Premium attemptedPrtAccess Suspicious API
Traffic Offline Premium suspiciousAPITraffic Suspicious sending patterns Offline
Premium suspiciousSendingPatterns User reported suspicious activity Offline
Premium userReportedSuspiciousActivity

For more information on workload identity risk detections go to Securing
workload identities.


PREMIUM DETECTIONS

The following premium detections are visible only to Microsoft Entra ID P2
customers.


PREMIUM SIGN-IN RISK DETECTIONS

ACTIVITY FROM ANONYMOUS IP ADDRESS

Calculated offline. This detection is discovered using information provided
by Microsoft Defender for Cloud Apps. This detection identifies that users were
active from an IP address identified as an anonymous proxy IP address.

ANOMALOUS TOKEN

Calculated in real-time or offline. This detection indicates abnormal
characteristics in the token, such as an unusual lifetime or a token played from
an unfamiliar location. This detection covers Session Tokens and Refresh Tokens.

Anomalous token is tuned to incur more noise than other detections at the same
risk level. This tradeoff is chosen to increase the likelihood of detecting
replayed tokens that might otherwise go unnoticed. There's a higher than normal
chance that some of the sessions flagged by this detection are false positives.
We recommend investigating the sessions flagged by this detection in the context
of other sign-ins from the user. If the location, application, IP address, User
Agent, or other characteristics are unexpected for the user, the administrator
should consider this risk as an indicator of potential token replay.

Tips for investigating anomalous token detections.

ATYPICAL TRAVEL

Calculated offline. This risk detection type identifies two sign-ins originating
from geographically distant locations, where at least one of the locations might
also be atypical for the user, given past behavior. The algorithm takes into
account multiple factors including the time between the two sign-ins and the
time it would take for the user to travel from the first location to the second.
This risk might indicate that a different user is using the same credentials.

The algorithm ignores obvious "false positives" contributing to the impossible
travel conditions, such as VPNs and locations regularly used by other users in
the organization. The system has an initial learning period of the earliest of
14 days or 10 logins, during which it learns a new user's sign-in behavior.

Tips for investigating atypical travel detections.

IMPOSSIBLE TRAVEL

Calculated offline. This detection is discovered using information provided
by Microsoft Defender for Cloud Apps. This detection identifies user activities
(in a single or multiple sessions) originating from geographically distant
locations within a time period shorter than the time it takes to travel from the
first location to the second. This risk might indicate that a different user is
using the same credentials.

MALICIOUS IP ADDRESS

Calculated offline. This detection indicates sign-in from a malicious IP
address. An IP address is considered malicious based on high failure rates
because of invalid credentials received from the IP address or other IP
reputation sources. In some instances, this detection triggers on previous
malicious activity.

Tips for investigating malicious IP address detections.

MASS ACCESS TO SENSITIVE FILES

Calculated offline. This detection is discovered using information provided
by Microsoft Defender for Cloud Apps. This detection looks at your environment
and triggers alerts when users access multiple files from Microsoft SharePoint
Online or Microsoft OneDrive. An alert is triggered only if the number of
accessed files is uncommon for the user and the files might contain sensitive
information.

NEW COUNTRY

Calculated offline. This detection is discovered using information provided
by Microsoft Defender for Cloud Apps. This detection considers past activity
locations to determine new and infrequent locations. The anomaly detection
engine stores information about previous locations used by users in the
organization.

PASSWORD SPRAY

Calculated offline. A password spray attack is where multiple identities are
attacked using common passwords in a unified brute force manner. The risk
detection is triggered when an account's password is valid and has an attempted
sign in. This detection signals that the user's password has correctly been
identified through a password spray attack, not that the attacker was able to
access any resources.

Tips for investigating malicious IP address detections.

SUSPICIOUS BROWSER

Calculated offline. Suspicious browser detection indicates anomalous behavior
based on suspicious sign-in activity across multiple tenants from different
countries in the same browser.

Tips for investigating suspicious browser detections.

SUSPICIOUS INBOX FORWARDING

Calculated offline. This detection is discovered using information provided
by Microsoft Defender for Cloud Apps. This detection looks for suspicious email
forwarding rules, for example, if a user created an inbox rule that forwards a
copy of all emails to an external address.

SUSPICIOUS INBOX MANIPULATION RULES

Calculated offline. This detection is discovered using information provided
by Microsoft Defender for Cloud Apps. This detection looks at your environment
and triggers alerts when suspicious rules that delete or move messages or
folders are set on a user's inbox. This detection might indicate: a user's
account is compromised, messages are being intentionally hidden, and the mailbox
is being used to distribute spam or malware in your organization.

TOKEN ISSUER ANOMALY

Calculated offline. This risk detection indicates the SAML token issuer for the
associated SAML token is potentially compromised. The claims included in the
token are unusual or match known attacker patterns.

Tips for investigating token issuer anomaly detections.

UNFAMILIAR SIGN-IN PROPERTIES

Calculated in real-time. This risk detection type considers past sign-in history
to look for anomalous sign-ins. The system stores information about previous
sign-ins, and triggers a risk detection when a sign-in occurs with properties
that are unfamiliar to the user. These properties can include IP, ASN, location,
device, browser, and tenant IP subnet. Newly created users are in a "learning
mode" period where the unfamiliar sign-in properties risk detection is turned
off while our algorithms learn the user's behavior. The learning mode duration
is dynamic and depends on how much time it takes the algorithm to gather enough
information about the user's sign-in patterns. The minimum duration is five
days. A user can go back into learning mode after a long period of inactivity.

We also run this detection for basic authentication (or legacy protocols).
Because these protocols don't have modern properties such as client ID, there's
limited data to reduce false positives. We recommend our customers to move to
modern authentication.

Unfamiliar sign-in properties can be detected on both interactive and
non-interactive sign-ins. When this detection is detected on non-interactive
sign-ins, it deserves increased scrutiny due to the risk of token replay
attacks.

Selecting an unfamiliar sign-in properties risk allows you to see more
info showing more detail about why this risk triggered.

VERIFIED THREAT ACTOR IP

Calculated in real-time. This risk detection type indicates sign-in activity
that is consistent with known IP addresses associated with nation state actors
or cyber crime groups, based on data from the Microsoft Threat Intelligence
Center (MSTIC).


PREMIUM USER RISK DETECTIONS

ANOMALOUS USER ACTIVITY

Calculated offline. This risk detection baselines normal administrative user
behavior in Microsoft Entra ID, and spots anomalous patterns of behavior like
suspicious changes to the directory. The detection is triggered against the
administrator making the change or the object that was changed.

ATTACKER IN THE MIDDLE

Calculated offline. Also known as Adversary in the Middle, this high precision
detection is triggered when an authentication session is linked to a malicious
reverse proxy. In this kind of attack, the adversary can intercept the user's
credentials, including tokens issued to the user. The Microsoft Security
Research team uses Microsoft 365 Defender to capture the identified risk and
raises the user to High risk. We recommend administrators manually investigate
the user when this detection is triggered to ensure the risk is cleared.
Clearing this risk might require secure password reset or revocation of existing
sessions.

POSSIBLE ATTEMPT TO ACCESS PRIMARY REFRESH TOKEN (PRT)

Calculated offline. This risk detection type is discovered using information
provided by Microsoft Defender for Endpoint (MDE). A Primary Refresh Token (PRT)
is a key artifact of Microsoft Entra authentication on Windows 10, Windows
Server 2016, and later versions, iOS, and Android devices. A PRT is a JSON Web
Token (JWT) issued to Microsoft first-party token brokers to enable single
sign-on (SSO) across the applications used on those devices. Attackers can
attempt to access this resource to move laterally into an organization or
perform credential theft. This detection moves users to high risk and only fires
in organizations that deploy MDE. This detection is high risk and we recommend
prompt remediation of these users. It appears infrequently in most organizations
due to its low volume.

SUSPICIOUS API TRAFFIC

Calculated offline. This risk detection is reported when abnormal GraphAPI
traffic or directory enumeration is observed. Suspicious API traffic might
suggest that a user is compromised and conducting reconnaissance in the
environment.

SUSPICIOUS SENDING PATTERNS

Calculated offline. This risk detection type is discovered using information
provided by Microsoft Defender for Office 365 (MDO). This alert is generated
when someone in your organization sent suspicious email and is either at risk of
being or is restricted from sending email. This detection moves users to medium
risk and only fires in organizations that deploy MDO. This detection is
low-volume and is seen infrequently in most organizations.

USER REPORTED SUSPICIOUS ACTIVITY

Calculated offline. This risk detection is reported when a user denies a
multifactor authentication (MFA) prompt and reports it as suspicious activity.
An MFA prompt not initiated by a user might mean their credentials are
compromised.


NONPREMIUM DETECTIONS

Customers without Microsoft Entra ID P2 licenses receive detections titled
Additional risk detected without the detailed information regarding the
detection that customers with P2 licenses do. For more information, see the
license requirements.


NONPREMIUM SIGN-IN RISK DETECTIONS

ADDITIONAL RISK DETECTED (SIGN-IN)

Calculated in real-time or offline. This detection indicates that one of the
premium detections was detected. Since the premium detections are visible only
to Microsoft Entra ID P2 customers, they're titled Additional risk detected for
customers without Microsoft Entra ID P2 licenses.

ADMIN CONFIRMED USER COMPROMISED

Calculated offline. This detection indicates an administrator selected Confirm
user compromised in the risky users UI or using riskyUsers API. To see which
administrator confirmed this user compromised, check the user's risk history
(via UI or API).

ANONYMOUS IP ADDRESS

Calculated in real-time. This risk detection type indicates sign-ins from an
anonymous IP address (for example, Tor browser or anonymous VPN). These IP
addresses are typically used by actors who want to hide their sign-in
information (IP address, location, device, and so on) for potentially malicious
intent.

MICROSOFT ENTRA THREAT INTELLIGENCE (SIGN-IN)

Calculated in real-time or offline. This risk detection type indicates user
activity that is unusual for the user or consistent with known attack patterns.
This detection is based on Microsoft's internal and external threat intelligence
sources.

Tips for investigating Microsoft Entra threat intelligence detections.


NONPREMIUM USER RISK DETECTIONS

ADDITIONAL RISK DETECTED (USER)

Calculated in real-time or offline. This detection indicates that one of the
premium detections was detected. Since the premium detections are visible only
to Microsoft Entra ID P2 customers, they're titled Additional risk detected for
customers without Microsoft Entra ID P2 licenses.

LEAKED CREDENTIALS

Calculated offline. This risk detection type indicates that the user's valid
credentials leaked. When cybercriminals compromise valid passwords of legitimate
users, they often share these gathered credentials. This sharing is typically
done by posting publicly on the dark web, paste sites, or by trading and selling
the credentials on the black market. When the Microsoft leaked credentials
service acquires user credentials from the dark web, paste sites, or other
sources, they're checked against Microsoft Entra users' current valid
credentials to find valid matches. For more information about leaked
credentials, see common questions.

Tips for investigating leaked credentials detections.

MICROSOFT ENTRA THREAT INTELLIGENCE (USER)

Calculated offline. This risk detection type indicates user activity that is
unusual for the user or consistent with known attack patterns. This detection is
based on Microsoft's internal and external threat intelligence sources.

Tips for investigating Microsoft Entra threat intelligence detections.


COMMON QUESTIONS


WHAT IF INCORRECT CREDENTIALS WERE USED TO ATTEMPT TO SIGN-IN?

ID Protection generates risk detections only when the correct credentials are
used. If incorrect credentials are used on a sign-in, it doesn't represent risk
of credential compromise.


IS PASSWORD HASH SYNCHRONIZATION REQUIRED?

Risk detections like leaked credentials require the presence of password hashes
for detection to occur. For more information about password hash
synchronization, see the article, Implement password hash synchronization with
Microsoft Entra Connect Sync.


WHY ARE RISK DETECTIONS GENERATED FOR DISABLED ACCOUNTS?

User accounts in a disabled state can be re-enabled. If the credentials of a
disabled account are compromised, and the account gets re-enabled, bad actors
might use those credentials to gain access. ID Protection generates risk
detections for suspicious activities against these disabled accounts to alert
customers about potential account compromise. If an account is no longer in use
and won't be re-enabled, customers should consider deleting it to prevent
compromise. No risk detections are generated for deleted accounts.


COMMON LEAKED CREDENTIALS QUESTIONS

WHERE DOES MICROSOFT FIND LEAKED CREDENTIALS?

Microsoft finds leaked credentials in various places, including:

 * Public paste sites where bad actors typically post such material.
 * Law enforcement agencies.
 * Other groups at Microsoft doing dark web research.

WHY AM I NOT SEEING ANY LEAKED CREDENTIALS?

Leaked credentials are processed anytime Microsoft finds a new, publicly
available batch. Because of the sensitive nature, the leaked credentials are
deleted shortly after processing. Only new leaked credentials found after you
enable password hash synchronization (PHS) are processed against your tenant.
Verifying against previously found credential pairs isn't done.

I DON'T SEE ANY LEAKED CREDENTIAL RISK EVENTS

If you don't see any leaked credential risk events, it is because of the
following reasons:

 * You don't have PHS enabled for your tenant.
 * Microsoft didn't find any leaked credential pairs that match your users.

HOW OFTEN DOES MICROSOFT PROCESS NEW CREDENTIALS?

Credentials are processed immediately after they're found, normally in multiple
batches per day.


LOCATIONS

Location in risk detections is determined using IP address lookup. Sign-ins from
trusted named locations improve the accuracy of Microsoft Entra ID Protection's
risk calculation, lowering a user's sign-in risk when they authenticate from a
location marked as trusted.


RELATED CONTENT

 * Learn about risk-based access policies
 * Learn how to investigate risk





--------------------------------------------------------------------------------


FEEDBACK

Was this page helpful?

Yes No
Provide product feedback

--------------------------------------------------------------------------------


ADDITIONAL RESOURCES



--------------------------------------------------------------------------------

Training

Module

Examine Microsoft Entra ID Protection - Training

This module examines how Azure Identity Protection provides organizations the
same protection systems used by Microsoft to secure identities. MS-102

Certification

Microsoft Certified: Security Operations Analyst Associate - Certifications

Investigate, search for, and mitigate threats using Microsoft Sentinel,
Microsoft Defender for Cloud, and Microsoft 365 Defender.



English (United Kingdom)
California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices
Theme
 * Light
 * Dark
 * High contrast

 * Manage cookies
 * Previous Versions
 * Blog
 * Contribute
 * Privacy
 * Terms of Use
 * Trademarks
 * © Microsoft 2024


ADDITIONAL RESOURCES



--------------------------------------------------------------------------------

Training

Module

Examine Microsoft Entra ID Protection - Training

This module examines how Azure Identity Protection provides organizations the
same protection systems used by Microsoft to secure identities. MS-102

Certification

Microsoft Certified: Security Operations Analyst Associate - Certifications

Investigate, search for, and mitigate threats using Microsoft Sentinel,
Microsoft Defender for Cloud, and Microsoft 365 Defender.




IN THIS ARTICLE



English (United Kingdom)
California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices
Theme
 * Light
 * Dark
 * High contrast

 * Manage cookies
 * Previous Versions
 * Blog
 * Contribute
 * Privacy
 * Terms of Use
 * Trademarks
 * © Microsoft 2024