Entra ID: User and Sign-in Risk

A user and a sign-in are classified as risky by Microsoft Entra ID Protection based on built‑in risk detections that analyze sign‑in behavior and account activity.

When a sign-in is classified as risky/high risk

A sign-in becomes a risky sign-in when one or more risk detections are reported for that specific sign-in. During each sign-in, ID Protection evaluates real-time detections and assigns a sign-in session risk level that reflects how likely that sign-in is compromised. Examples of behaviors that can trigger sign-in risk include:

  • Sign-ins from anonymous IP addresses
  • Sign-ins from IP addresses with suspicious activity
  • Sign-ins from unfamiliar locations
  • Impossible travel to atypical locations
  • Sign-ins from infected devices
  • Users with leaked credentials attempting to sign in

If any such detection fires for a sign-in, it appears in the Risky sign-ins report with associated details such as:

  • Application accessed
  • Conditional Access policies applied
  • MFA details
  • Device, application, and location information
  • Risk state, risk level, and detection source

ID Protection evaluates risk for both interactive and non‑interactive sign-ins, and the Risky sign-ins report shows both.

When a user is classified as a risky/high risk

risky user is reported when either (or both) of the following are true:

  1. The user has one or more risky sign-ins.
  2. One or more risk detections are reported directly on the account (for example, leaked credentials) even outside a specific sign-in.

The user’s user risk level (Low/Medium/High) is derived from the aggregate of these detections and their severity. A user is effectively a high‑risk user when ID Protection assesses that the likelihood the identity is compromised is high based on:

  • The presence and type of account‑level risks (for example, leaked credentials)
  • The number and severity of associated risky sign-ins
  • Any admin actions such as Confirm user compromised, which explicitly sets user risk to High and adds an “Admin confirmed user compromised” detection. The user remains risky until remediation (for example, secure password reset) is completed.

In the Risky users report, each risky user entry reflects this aggregated view of risk across all detections and sign-ins tied to that identity.

How risk level is used by policies

  • User risk policy uses the user’s risk level (including High) to trigger actions such as forcing a secure password change.
  • Sign-in risk policy uses the sign-in risk level to trigger actions such as requiring multi-factor authentication (MFA).