What is Identity Protection?

Identity Protection is a tool that allows organizations to accomplish three key tasks:

  • Automate the detection and remediation of identity-based risks.
  • Investigate risks using data in the portal.
  • Export risk detection data to third-party utilities for further analysis.

Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.

The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization's enforced policies.

Why is automation important?

In his blog post in October of 2018 Alex Weinert, who leads Microsoft's Identity Security and Protection team, explains why automation is so important when dealing with the volume of events:

Each day, our machine learning and heuristic systems provide risk scores for 18 billion login attempts for over 800 million distinct accounts, 300 million of which are discernibly done by adversaries (entities like: criminal actors, hackers).

At Ignite last year, I spoke about the top 3 attacks on our identity systems. Here is the recent volume of these attacks

  • Breach replay: 4.6BN attacks detected in May 2018
  • Password spray: 350k in April 2018
  • Phishing: This is hard to quantify exactly, but we saw 23M risk events in March 2018, many of which are phish related

Risk detection and remediation

Identity Protection identifies risks in the following classifications:

Risk detection type Description
Atypical travel Sign in from an atypical location based on the user's recent sign-ins.
Anonymous IP address Sign in from an anonymous IP address (for example: Tor browser, anonymizer VPNs).
Unfamiliar sign-in properties Sign in with properties we've not seen recently for the given user.
Malware linked IP address Sign in from a malware linked IP address.
Leaked Credentials Indicates that the user's valid credentials have been leaked.
Password spray Indicates that multiple usernames are being attacked using common passwords in a unified, brute-force manner.
Azure AD threat intelligence Microsoft's internal and external threat intelligence sources have identified a known attack pattern.

More detail on these risks and how/when they are calculated can be found in the article, What is risk.

The risk signals can trigger remediation efforts such as requiring users to: perform Azure Multi-Factor Authentication, reset their password using self-service password reset, or blocking until an administrator takes action.

Risk investigation

Administrators can review detections and take manual action on them if needed. There are three key reports that administrators use for investigations in Identity Protection:

  • Risky users
  • Risky sign-ins
  • Risk detections

More information can be found in the article, How To: Investigate risk.

Risk levels

Identity Protection categorizes risk into three tiers: low, medium, and high.

While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.

Exporting risk data

Data from Identity Protection can be exported to other tools for archive and further investigation and correlation. The Microsoft Graph based APIs allow organizations to collect this data for further processing in a tool such as their SIEM. Information about how to access the Identity Protection API can be found in the article, Get started with Azure Active Directory Identity Protection and Microsoft Graph

Information about integrating Identity Protection information with Azure Sentinel can be found in the article, Connect data from Azure AD Identity Protection.


Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access.

Role Can do Can't do
Global administrator Full access to Identity Protection
Security administrator Full access to Identity Protection Reset password for a user
Security operator View all Identity Protection reports and Overview blade

Dismiss user risk, confirm safe sign-in, confirm compromise
Configure or change policies

Reset password for a user

Configure alerts
Security reader View all Identity Protection reports and Overview blade Configure or change policies

Reset password for a user

Configure alerts

Give feedback on detections

Currently, the security operator role cannot access the Risky sign-ins report.

Conditional Access administrators can also create policies that factor in sign-in risk as a condition. Find more information in the article Conditional Access: Conditions.

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, seeĀ Comparing generally available features of the Free, Office 365 Apps, and Premium editions.

Capability Details Azure AD Free / Microsoft 365 Apps Azure AD Premium P1 Azure AD Premium P2
Risk policies User risk policy (via Identity Protection) No No Yes
Risk policies Sign-in risk policy (via Identity Protection or Conditional Access) No No Yes
Security reports Overview No No Yes
Security reports Risky users Limited Information Limited Information Full access
Security reports Risky sign-ins Limited Information Limited Information Full access
Security reports Risk detections No Limited Information Full access
Notifications Users at risk detected alerts No No Yes
Notifications Weekly digest No No Yes
MFA registration policy No No Yes

More information on these rich reports can be found in the article, How To: Investigate risk.

Next steps