Submitted URL: https://go.microsoft.com/fwlink/?linkid=2016528
Effective URL: https://learn.microsoft.com/de-de/entra/id-protection/concept-identity-protection-risks
Submission: On October 25 via api from DE — Scanned from DE

WHAT ARE RISK DETECTIONS?

 * Article
 * 23.10.2023
 * 17 contributors

IN THIS ARTICLE

 1. Risk types and detection
 2. Premium detections
 3. Nonpremium detections
 4. Common questions
 5. Next steps

Risk detections in Microsoft Entra ID Protection include any identified
suspicious actions related to user accounts in the directory. Risk detections
(both user and sign-in linked) contribute to the overall user risk score that is
found in the Risky Users report.

ID Protection provides organizations access to powerful resources to see and
respond quickly to these suspicious actions.



Note

ID Protection generates risk detections only when the correct credentials are
used. If incorrect credentials are used on a sign-in, it does not represent risk
of credential compromise.


RISK TYPES AND DETECTION

Risk can be detected at the user level and at the sign-in level, and there are
two types of detection or calculation: real-time and offline. Some risks are
considered premium and are available to Microsoft Entra ID P2 customers only,
while others are available to Free and Microsoft Entra ID P1 customers.

A sign-in risk represents the probability that a given authentication request
wasn't made by the authorized identity owner. A user risk covers risky activity
that isn't linked to a specific malicious sign-in but to the user account
itself.

Real-time detections may not show up in reporting for 5 to 10 minutes. Offline
detections may not show up in reporting for 48 hours.

Note

Our system may detect that a risk event that contributed to the user risk score
was either:

 * A false positive
 * Remediated by policy, because the user either:
   * Completed multifactor authentication, or
   * Performed a secure password change.

In that case our system dismisses the risk state, shows a risk detail of "AI
confirmed sign-in safe", and the event no longer contributes to the user's
overall risk.


SIGN-IN RISK DETECTIONS

Risk detection                         Detection type          Type
Atypical travel                        Offline                 Premium
Anomalous Token                        Offline                 Premium
Token Issuer Anomaly                   Offline                 Premium
Malware linked IP address (deprecated) Offline                 Premium
Suspicious browser                     Offline                 Premium
Unfamiliar sign-in properties          Real-time               Premium
Malicious IP address                   Offline                 Premium
Suspicious inbox manipulation rules    Offline                 Premium
Password spray                         Offline                 Premium
Impossible travel                      Offline                 Premium
New country                            Offline                 Premium
Activity from anonymous IP address     Offline                 Premium
Suspicious inbox forwarding            Offline                 Premium
Mass Access to Sensitive Files         Offline                 Premium
Verified threat actor IP               Real-time               Premium
Additional risk detected               Real-time or Offline    Nonpremium
Anonymous IP address                   Real-time               Nonpremium
Admin confirmed user compromised       Offline                 Nonpremium
Microsoft Entra threat intelligence    Real-time or Offline    Nonpremium

The "Malware linked IP address" detection has been deprecated (see below).


USER RISK DETECTIONS

Risk detection                                          Detection type          Type
Possible attempt to access Primary Refresh Token (PRT)  Offline                 Premium
Anomalous user activity                                 Offline                 Premium
User reported suspicious activity                       Offline                 Premium
Additional risk detected                                Real-time or Offline    Nonpremium
Leaked credentials                                      Offline                 Nonpremium
Microsoft Entra threat intelligence                     Offline                 Nonpremium


PREMIUM DETECTIONS

The following premium detections are visible only to Microsoft Entra ID P2
customers.


PREMIUM SIGN-IN RISK DETECTIONS

ATYPICAL TRAVEL

Calculated offline. This risk detection type identifies two sign-ins originating
from geographically distant locations, where at least one of the locations may
also be atypical for the user, given past behavior. The algorithm takes into
account multiple factors including the time between the two sign-ins and the
time it would have taken for the user to travel from the first location to the
second. This risk may indicate that a different user is using the same
credentials.

The algorithm ignores obvious "false positives" contributing to the impossible
travel conditions, such as VPNs and locations regularly used by other users in
the organization. The system has an initial learning period of the earliest of
14 days or 10 logins, during which it learns a new user's sign-in behavior.

INVESTIGATING ATYPICAL TRAVEL DETECTIONS

 1. If you're able to confirm the activity wasn't performed by a legitimate
    user:
    1. Recommended action: Mark the sign-in as compromised, and invoke a
       password reset if not already performed by self-remediation. Block user
       if attacker has access to reset password or perform MFA and reset
       password.
 2. If a user is known to use the IP address in the scope of their duties:
    1. Recommended action: Dismiss the alert
 3. If you're able to confirm that the user recently travelled to the
    destination detailed in the alert:
    1. Recommended action: Dismiss the alert.
 4. If you're able to confirm that the IP address range is from a sanctioned
    VPN:
    1. Recommended action: Mark the sign-in as safe and add the VPN IP address
       range to named locations in Azure AD and Microsoft Defender for Cloud
       Apps.

ANOMALOUS TOKEN

Calculated offline. This detection indicates that there are abnormal
characteristics in the token such as an unusual token lifetime or a token that
is played from an unfamiliar location. This detection covers Session Tokens and
Refresh Tokens.

Note

Anomalous token is tuned to incur more noise than other detections at the same
risk level. This tradeoff is chosen to increase the likelihood of detecting
replayed tokens that may otherwise go unnoticed. Because this is a high noise
detection, there's a higher than normal chance that some of the sessions flagged
by this detection are false positives. We recommend investigating the sessions
flagged by this detection in the context of other sign-ins from the user. If the
location, application, IP address, User Agent, or other characteristics are
unexpected for the user, the tenant admin should consider this risk as an
indicator of potential token replay.

INVESTIGATING ANOMALOUS TOKEN DETECTIONS

 1. If you're able to confirm that the activity wasn't performed by a legitimate
    user using a combination of risk alert, location, application, IP address,
    User Agent, or other characteristics that are unexpected for the user:
    1. Recommended action: Mark the sign-in as compromised, and invoke a
       password reset if not already performed by self-remediation. Block the
       user if an attacker has access to reset password or perform MFA and reset
       password and revoke all tokens.
 2. If you're able to confirm location, application, IP address, User Agent, or
    other characteristics are expected for the user and there aren't other
    indications of compromise:
    1. Recommended action: Allow the user to self-remediate with a Conditional
       Access risk policy or have an admin confirm sign-in as safe.

For further investigation of token based detections, see the article Token
tactics: How to prevent, detect, and respond to cloud token theft and the Token
theft investigation playbook.

TOKEN ISSUER ANOMALY

Calculated offline. This risk detection indicates the SAML token issuer for the
associated SAML token is potentially compromised. The claims included in the
token are unusual or match known attacker patterns.

INVESTIGATING TOKEN ISSUER ANOMALY DETECTIONS

 1. If you're able to confirm that the activity wasn't performed by a legitimate
    user:
    1. Recommended action: Mark the sign-in as compromised, and invoke a
       password reset if not already performed by self-remediation. Block the
       user if an attacker has access to reset password or perform MFA and reset
       password and revoke all tokens.
 2. If the user confirmed this action was performed by them and there are no
    other indicators of compromise:
    1. Recommended action: Allow the user to self-remediate with a Conditional
       Access risk policy or have an admin confirm sign-in as safe.

For further investigation of token based detections, see the article Token
tactics: How to prevent, detect, and respond to cloud token theft.

MALWARE LINKED IP ADDRESS (DEPRECATED)

Calculated offline. This risk detection type indicates sign-ins from IP
addresses infected with malware that is known to actively communicate with a bot
server. This detection matches the IP addresses of the user's device against IP
addresses that were in contact with a bot server while the bot server was
active. This detection has been deprecated. ID Protection no longer generates
new "Malware linked IP address" detections. Customers who currently have
"Malware linked IP address" detections in their tenant will still be able to
view, remediate, or dismiss them until the 90-day detection retention time is
reached.

SUSPICIOUS BROWSER

Calculated offline. Suspicious browser detection indicates anomalous behavior
based on suspicious sign-in activity across multiple tenants from different
countries in the same browser.

INVESTIGATING SUSPICIOUS BROWSER DETECTIONS

 1. The browser is not commonly used by the user, or activity within the
    browser does not match the user's normal behavior:
    1. Recommended action: Mark the sign-in as compromised, and invoke a
       password reset if not already performed by self-remediation. Block the
       user if an attacker has access to reset password or perform MFA and reset
       password and revoke all tokens.

UNFAMILIAR SIGN-IN PROPERTIES

Calculated in real-time. This risk detection type considers past sign-in history
to look for anomalous sign-ins. The system stores information about previous
sign-ins, and triggers a risk detection when a sign-in occurs with properties
that are unfamiliar to the user. These properties can include IP, ASN, location,
device, browser, and tenant IP subnet. Newly created users are in "learning
mode" period where the unfamiliar sign-in properties risk detection is turned
off while our algorithms learn the user's behavior. The learning mode duration
is dynamic and depends on how much time it takes the algorithm to gather enough
information about the user's sign-in patterns. The minimum duration is five
days. A user can go back into learning mode after a long period of inactivity.

We also run this detection for basic authentication (or legacy protocols).
Because these protocols don't have modern properties such as client ID, there's
limited telemetry to reduce false positives. We recommend our customers to move
to modern authentication.

Unfamiliar sign-in properties can be detected on both interactive and
non-interactive sign-ins. When this detection fires on non-interactive
sign-ins, it deserves increased scrutiny because of the risk of token replay
attacks.

Selecting an unfamiliar sign-in properties risk allows you to see Additional
Info showing you more detail about why this risk triggered. The following
screenshot shows an example of these details.



MALICIOUS IP ADDRESS

Calculated offline. This detection indicates sign-in from a malicious IP
address. An IP address is considered malicious based on high failure rates
because of invalid credentials received from the IP address or other IP
reputation sources.

INVESTIGATING MALICIOUS IP ADDRESS DETECTIONS

 1. If you're able to confirm that the activity wasn't performed by a legitimate
    user:
    1. Recommended action: Mark the sign-in as compromised, and invoke a
       password reset if not already performed by self-remediation. Block the
       user if an attacker has access to reset password or perform MFA and reset
       password and revoke all tokens.
 2. If a user is known to use the IP address in the scope of their duties:
    1. Recommended action: Dismiss the alert

SUSPICIOUS INBOX MANIPULATION RULES

Calculated offline. This detection is discovered using information provided by
Microsoft Defender for Cloud Apps. This detection looks at your environment and
triggers alerts when suspicious rules that delete or move messages or folders
are set on a user's inbox. This detection may indicate: a user's account is
compromised, messages are being intentionally hidden, and the mailbox is being
used to distribute spam or malware in your organization.

PASSWORD SPRAY

Calculated offline. A password spray attack is one in which multiple usernames
are attacked using common passwords in a unified brute force manner to gain
unauthorized access. This risk detection is triggered when a password spray
attack has been successfully performed, that is, the attacker successfully
authenticated in the detected instance.

INVESTIGATING PASSWORD SPRAY DETECTIONS

 1. If you're able to confirm that the activity wasn't performed by a legitimate
    user:
    1. Recommended action: Mark the sign-in as compromised, and invoke a
       password reset if not already performed by self-remediation. Block the
       user if an attacker has access to reset password or perform MFA and reset
       password and revoke all tokens.
 2. If a user is known to use the IP address in the scope of their duties:
    1. Recommended action: Dismiss the alert
 3. If you're able to confirm that the account has not been compromised and can
    see no brute force or password spray indicators against the account:
    1. Recommended action: Allow the user to self-remediate with a Conditional
       Access risk policy or have an admin confirm sign-in as safe.

For further investigation of password spray risk detections, see the article
Guidance for identifying and investigating password spray attacks.

IMPOSSIBLE TRAVEL

Calculated offline. This detection is discovered using information provided by
Microsoft Defender for Cloud Apps. This detection identifies user activities (in
a single session or multiple sessions) originating from geographically distant
locations within a time period shorter than the time it takes to travel from
the first location to the second. This risk may indicate that a different user
is using the same credentials.

NEW COUNTRY

Calculated offline. This detection is discovered using information provided by
Microsoft Defender for Cloud Apps. This detection considers past activity
locations to determine new and infrequent locations. The anomaly detection
engine stores information about previous locations used by users in the
organization.

ACTIVITY FROM ANONYMOUS IP ADDRESS

Calculated offline. This detection is discovered using information provided by
Microsoft Defender for Cloud Apps. This detection identifies that users were
active from an IP address that has been identified as an anonymous proxy IP
address.

SUSPICIOUS INBOX FORWARDING

Calculated offline. This detection is discovered using information provided by
Microsoft Defender for Cloud Apps. This detection looks for suspicious email
forwarding rules, for example, if a user created an inbox rule that forwards a
copy of all emails to an external address.

MASS ACCESS TO SENSITIVE FILES

Calculated offline. This detection is discovered using information provided by
Microsoft Defender for Cloud Apps. This detection looks at your environment and
triggers alerts when users access multiple files from Microsoft SharePoint or
Microsoft OneDrive. An alert is triggered only if the number of accessed files
is uncommon for the user and the files might contain sensitive information.

VERIFIED THREAT ACTOR IP

Calculated in real-time. This risk detection type indicates sign-in activity
that is consistent with known IP addresses associated with nation state actors
or cyber crime groups, based on Microsoft Threat Intelligence Center (MSTIC).


PREMIUM USER RISK DETECTIONS

POSSIBLE ATTEMPT TO ACCESS PRIMARY REFRESH TOKEN (PRT)

Calculated offline. This risk detection type is discovered using information
provided by Microsoft Defender for Endpoint (MDE). A Primary Refresh Token (PRT)
is a key artifact of Microsoft Entra authentication on Windows 10, Windows
Server 2016, and later versions, iOS, and Android devices. A PRT is a JSON Web
Token (JWT) that's specially issued to Microsoft first-party token brokers to
enable single sign-on (SSO) across the applications used on those devices.
Attackers can attempt to access this resource to move laterally into an
organization or perform credential theft. This detection moves users to high
risk and only fires in organizations that have deployed MDE. This detection is
low-volume and is seen infrequently in most organizations. When this detection
appears it's high risk, and users should be remediated.

ANOMALOUS USER ACTIVITY

Calculated offline. This risk detection baselines normal administrative user
behavior in Microsoft Entra ID, and spots anomalous patterns of behavior like
suspicious changes to the directory. The detection is triggered against the
administrator making the change or the object that was changed.

USER REPORTED SUSPICIOUS ACTIVITY

Calculated offline. This risk detection is reported when a user denies a
multifactor authentication (MFA) prompt and reports it as suspicious activity.
An MFA prompt not initiated by a user may mean their credentials are
compromised.


NONPREMIUM DETECTIONS

Customers without Microsoft Entra ID P2 licenses receive detections titled
"additional risk detected" without the detailed information about the detection
that customers with P2 licenses receive.


NONPREMIUM SIGN-IN RISK DETECTIONS

ADDITIONAL RISK DETECTED (SIGN-IN)

Calculated in real-time or offline. This detection indicates that one of the
premium detections was detected. Since the premium detections are visible only
to Microsoft Entra ID P2 customers, they're titled "additional risk detected"
for customers without Microsoft Entra ID P2 licenses.

ANONYMOUS IP ADDRESS

Calculated in real-time. This risk detection type indicates sign-ins from an
anonymous IP address (for example, Tor browser or anonymous VPN). These IP
addresses are typically used by actors who want to hide their sign-in
information (IP address, location, device, and so on) for potentially malicious
intent.

ADMIN CONFIRMED USER COMPROMISED

Calculated offline. This detection indicates an admin has selected 'Confirm user
compromised' in the Risky users UI or using riskyUsers API. To see which admin
has confirmed this user compromised, check the user's risk history (via UI or
API).



MICROSOFT ENTRA THREAT INTELLIGENCE (SIGN-IN)

Calculated in real-time or offline. This risk detection type indicates user
activity that is unusual for the user or consistent with known attack patterns.
This detection is based on Microsoft's internal and external threat intelligence
sources.


NONPREMIUM USER RISK DETECTIONS

ADDITIONAL RISK DETECTED (USER)

Calculated in real-time or offline. This detection indicates that one of the
premium detections was detected. Since the premium detections are visible only
to Microsoft Entra ID P2 customers, they're titled "additional risk detected"
for customers without Microsoft Entra ID P2 licenses.

LEAKED CREDENTIALS

Calculated offline. This risk detection type indicates that the user's valid
credentials have been leaked. When cybercriminals compromise valid passwords of
legitimate users, they often share these gathered credentials. This sharing is
typically done by posting publicly on the dark web, paste sites, or by trading
and selling the credentials on the black market. When the Microsoft leaked
credentials service acquires user credentials from the dark web, paste sites, or
other sources, they're checked against Microsoft Entra users' current valid
credentials to find valid matches. For more information about leaked
credentials, see Common questions.

INVESTIGATING LEAKED CREDENTIALS DETECTIONS

 1. If this detection signal has alerted for a leaked credential for a user:
    1. Recommended action: Mark the sign-in as compromised, and invoke a
       password reset if not already performed by self-remediation. Block the
       user if an attacker has access to reset password or perform MFA and reset
       password and revoke all tokens.



MICROSOFT ENTRA THREAT INTELLIGENCE (USER)

Calculated offline. This risk detection type indicates user activity that is
unusual for the user or consistent with known attack patterns. This detection is
based on Microsoft's internal and external threat intelligence sources.


COMMON QUESTIONS


RISK LEVELS

ID Protection categorizes risk into three tiers: low, medium, and high. When
configuring ID Protection policies, you can also configure it to trigger upon No
risk level. No Risk means there's no active indication that the user's identity
has been compromised.

Microsoft doesn't provide specific details about how risk is calculated. Each
level of risk brings higher confidence that the user or sign-in is compromised.
For example, something like one instance of unfamiliar sign-in properties for a
user might not be as threatening as leaked credentials for another user.


PASSWORD HASH SYNCHRONIZATION

Risk detections like leaked credentials require the presence of password hashes
for detection to occur. For more information about password hash
synchronization, see the article, Implement password hash synchronization with
Microsoft Entra Connect Sync.


WHY ARE THERE RISK DETECTIONS GENERATED FOR DISABLED USER ACCOUNTS?

Disabled user accounts can be re-enabled. If the credentials of a disabled
account are compromised, and the account gets re-enabled, bad actors might use
those credentials to gain access. ID Protection generates risk detections for
suspicious activities against disabled user accounts to alert customers about
potential account compromise. If an account is no longer in use and won't be
re-enabled, customers should consider deleting it to prevent compromise. No risk
detections are generated for deleted accounts.


WHERE DOES MICROSOFT FIND LEAKED CREDENTIALS?

Microsoft finds leaked credentials in various places, including:

 * Public paste sites such as pastebin.com and paste.ca where bad actors
   typically post such material. This location is most bad actors' first stop on
   their hunt to find stolen credentials.
 * Law enforcement agencies.
 * Other groups at Microsoft doing dark web research.


WHY AM I NOT SEEING ANY LEAKED CREDENTIALS?

Leaked credentials are processed anytime Microsoft finds a new, publicly
available batch. Because of the sensitive nature, the leaked credentials are
deleted shortly after processing. Only new leaked credentials found after you
enable password hash synchronization (PHS) are processed against your tenant.
Verifying against previously found credential pairs isn't done.


I HAVEN'T SEEN ANY LEAKED CREDENTIAL RISK EVENTS FOR QUITE SOME TIME

If you haven't seen any leaked credential risk events, it is because of one of
the following reasons:

 * You don't have PHS enabled for your tenant.
 * Microsoft has not found any leaked credential pairs that match your users.


HOW OFTEN DOES MICROSOFT PROCESS NEW CREDENTIALS?

Credentials are processed immediately after they have been found, normally in
multiple batches per day.


LOCATIONS

Location in risk detections is determined using IP address lookup.


NEXT STEPS

 * Policies available to mitigate risks
 * Investigate risk
 * Remediate and unblock users
 * Security overview



