Azure Active Directory Identity Protection FAQ
This article includes answers to frequently asked questions about Azure Active Directory (Azure AD) Identity Protection. For more information, see Azure Active Directory Identity Protection.
Why do some risk events have “Closed (system)” status?
A: These are events that Azure Active Directory Identity Protection detected and later closed because the events were no longer considered risky. These events do not count towards the user’s risk level.
Do I need to be a global admin to use Identity Protection in the Azure portal?
A: No. You can either be a Security Reader, a Security Admin or a Global Admin to use Identity Protection.
How do I get Identity Protection?
A: See Getting started with Azure Active Directory Premium for an answer to this question.
How can I sort users in "Users flagged for risk"?
A: Download the users flagged for risk report by clicking on the Download on the top of the Users flagged for risk page. You can then sort the downloaded data based on available fields, including Last Updated (UTC).