Risk Detections

Risk Detections Overview:

Microsoft Entra ID Protection enables organizations to detect, investigate, and respond to suspicious activities in their Azure environment by identifying potential identity-based risks. These risks are categorized into low, medium, and high levels, based on how likely it is that a user's credentials have been compromised. Risk detections can be linked to specific users or sign-in events, impacting the overall risk score and guiding security actions.

The system uses real-time and offline detection methods to identify threats, allowing for swift responses to potential compromises. Based on the detected risk level, organizations can implement Conditional Access policies that require actions like multifactor authentication (MFA) or password resets to mitigate threats. Low-risk detections persist for six months, while medium and high risks remain until addressed.

Risk detections mapped to riskEventType

Risk detection	Detection type	Type	riskEventType
Sign-in risk detections
Activity from anonymous IP address	Offline	Premium	riskyIPAddress
Additional risk detected (sign-in)	Real-time or Offline	Nonpremium	generic = Premium detection classification for non-P2 tenants
Admin confirmed user compromised	Offline	Nonpremium	adminConfirmedUserCompromised
Anomalous Token	Real-time or Offline	Premium	anomalousToken
Anonymous IP address	Real-time	Nonpremium	anonymizedIPAddress
Atypical travel	Offline	Premium	unlikelyTravel
Impossible travel	Offline	Premium	mcasImpossibleTravel
Malicious IP address	Offline	Premium	maliciousIPAddress
Mass Access to Sensitive Files	Offline	Premium	mcasFinSuspiciousFileAccess
Microsoft Entra threat intelligence (sign-in)	Real-time or Offline	Nonpremium	investigationsThreatIntelligence
New country	Offline	Premium	newCountry
Password spray	Offline	Premium	passwordSpray
Suspicious browser	Offline	Premium	suspiciousBrowser
Suspicious inbox forwarding	Offline	Premium	suspiciousInboxForwarding
Suspicious inbox manipulation rules	Offline	Premium	mcasSuspiciousInboxManipulationRules
Token issuer anomaly	Offline	Premium	tokenIssuerAnomaly
Unfamiliar sign-in properties	Real-time	Premium	unfamiliarFeatures
Verified threat actor IP	Real-time	Premium	nationStateIP
User risk detections
Additional risk detected (user)	Real-time or Offline	Nonpremium	generic = Premium detection classification for non-P2 tenants
Anomalous user activity	Offline	Premium	anomalousUserActivity
Attacker in the Middle	Offline	Premium	attackerinTheMiddle
Leaked credentials	Offline	Nonpremium	leakedCredentials
Microsoft Entra threat intelligence (user)	Real-time or Offline	Nonpremium	investigationsThreatIntelligence
Possible attempt to access Primary Refresh Token (PRT)	Offline	Premium	attemptedPrtAccess
Suspicious API Traffic	Offline	Premium	suspiciousAPITraffic
Suspicious sending patterns	Offline	Premium	suspiciousSendingPatterns
User reported suspicious activity	Offline	Premium	userReportedSuspiciousActivity

Risk detection

Detection type

Type

riskEventType

Sign-in risk detections

Activity from anonymous IP address

Offline

Premium

riskyIPAddress

Additional risk detected (sign-in)

Real-time or Offline

Nonpremium