L7. Entra ID Protection: Risk Policies and Remediation
Master Entra ID Protection for the SC-300: configure user risk and sign-in risk policies, understand risk detection types, set up automated remediation, investigate risky users, and integrate risk signals with Conditional Access for adaptive access control.
What Is Entra ID Protection?
Entra ID Protection uses machine learning to detect identity-based risks in real time. It evaluates every sign-in and user behavior to assign risk levels, then feeds those signals into Conditional Access policies for automated response. Licensing requirement: Entra ID P2 is required for all Identity Protection features.
Risk Types
Sign-In Risk
Detects anomalies during the authentication process itself:
| Detection | Type | Description |
|---|---|---|
| Anonymous IP address | Real-time | Sign-in from Tor, VPN, or anonymizing proxy |
| Atypical travel | Offline | Two sign-ins from distant locations in impossible timeframe |
| Malware-linked IP | Offline | Sign-in from IP associated with bot activity |
| Unfamiliar sign-in properties | Real-time | Properties not seen for the user before |
| Token issuer anomaly | Real-time | Abnormal SAML token issuer detected |
| Password spray | Offline | Multiple accounts targeted with common passwords |
User Risk
Represents the likelihood that a user's identity has been compromised:
| Detection | Type | Description |
|---|---|---|
| Leaked credentials | Offline | User credentials found in public data breach |
| Threat intelligence | Offline | Microsoft threat intel indicates compromise |
| Anomalous user activity | Offline | Unusual pattern of user behavior |
Risk Levels
Both sign-in risk and user risk use three levels:
- Low: Minor anomaly detected
- Medium: Moderate confidence of compromise
- High: Strong confidence that the identity is compromised
Configuring Risk Policies via Conditional Access
The recommended approach is to create Conditional Access policies that use risk as a condition.
User risk policy example:
- Condition: User risk = High
- Grant: Allow access, require password change
- This forces compromised users to reset their password
Sign-in risk policy example:
- Condition: Sign-in risk = Medium or High
- Grant: Allow access, require MFA
- This challenges suspicious sign-ins with an additional factor
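The two policies above expressed as Microsoft Graph PowerShell SDK calls. This is an added example, not code from the course page; it assumes the Microsoft.Graph.Identity.SignIns module, an Entra ID P2 tenant, and that `$breakGlassGroupId` is replaced with the object ID of your emergency-access group. Both policies are created in report-only mode so their effect can be reviewed before enforcement.

```powershell
# Added example: create the user-risk and sign-in-risk Conditional Access
# policies from the lesson via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): object ID of the emergency-access group to exclude.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: user risk High -> allow access, require password change.
# The portal pairs "Require password change" with "Require MFA" under
# "Require all the selected controls", so the same pair is used here (AND).
$userRiskPolicy = @{
    displayName = "RISK-01 User risk High: require password change"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        userRiskLevels = @("high")
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

# Policy 2: sign-in risk Medium or High -> allow access, require MFA only
# (no password reset for a suspicious sign-in that MFA can verify).
$signInRiskPolicy = @{
    displayName = "RISK-02 Sign-in risk Medium/High: require MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        signInRiskLevels = @("medium", "high")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($p in @($userRiskPolicy, $signInRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Switch `state` to `enabled` only after the report-only sign-in logs show the expected users being flagged and the break-glass group is confirmed excluded.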
Investigating Risky Users
The Risky users report shows all users with an active risk level. From this report you can:
- View the user's risk history and detections
- Confirm the user as compromised (sets risk to High)
- Dismiss the user's risk (clears the risk level)
- Reset the user's password
Remediation
Risk is automatically remediated when the user completes the required action:
- Password change: Remediates user risk (leaked credentials)
- MFA completion: Remediates sign-in risk (suspicious sign-in)
- Admin dismissal: Manually clears risk after investigation
Risk that is not remediated persists and continues to affect the user's access through Conditional Access policies.
- ✓ Entra ID Protection requires P2 licensing for all features including risk detection and risk policies
- ✓ Real-time detections trigger during sign-in; offline detections are processed in batch within hours
- ✓ High user risk should require password change to remediate leaked credentials
- ✓ High sign-in risk should require MFA to verify the user identity without forcing a password reset
- ✓ Confirming a user as compromised sets their risk to High; dismissing risk clears it after false positive investigation
- ✓ Risk is automatically remediated when the user completes the required action (password change or MFA)
1. A user is flagged with high user risk due to leaked credentials. What remediation action should the Conditional Access policy require?
2. What is the difference between real-time and offline risk detections?
3. An administrator reviews the Risky users report and determines a detection was a false positive. What action should they take?