Users flagged for risk report in the Azure portal

Azure Active Directory (Azure AD) detects suspicious actions related to your user accounts. For each detected action, a record called a risk detection is created.

You can access the security reports from the Azure portal by selecting the Azure Active Directory blade and then navigating to the Security section.

The detected risk detections are used to calculate:

  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

To learn how to configure the policies that trigger these risk detections, see How to configure the user risk policy.

Risky Sign-ins

What Azure AD license do you need to access the users at risk report?

All editions of Azure Active Directory provide you with users flagged for risk reports. However, the level of report granularity varies between the editions:

  • In the Azure Active Directory Free and Basic editions, you get a list of users flagged for risk.

  • In addition, the Azure Active Directory Premium 1 edition allows you to examine some of the underlying risk detections that have been detected for each report.

  • The Azure Active Directory Premium 2 edition provides you with the most detailed information about all underlying risk detections and it also enables you to configure security policies that automatically respond to configured risk levels.

Users at risk report for Azure AD free and basic editions

The users flagged for risk report in the Azure AD free and basic editions provides you with a list of user accounts that may have been compromised.

Risky Sign-ins

Selecting a user provides sign-in information. For users that are at risk, you can review the user’s sign-in history and reset the password if necessary.

This dialog provides you with an option to:

  • Download the report

  • Search users

    Risky Sign-ins

For more detailed information, you need a premium license.

Users at risk report for Azure AD premium editions

The users flagged for risk report in the Azure AD premium editions provides you with:

Risky Sign-ins

When you select a user, you get a detailed report view for this user that enables you to:

  • Open the All sign-ins view

  • Reset the user's password

  • Dismiss all events

  • Investigate reported risk detections for the user.

Risky Sign-ins

To investigate a risk detection, select one from the list to open the Details blade for this risk detection. On the Details blade, you have the option to either manually close a risk detection or reactivate a manually closed risk detection.

Risky Sign-ins

Next steps