Investigate users in Microsoft 365 security center

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Part of your incident investigation can include user accounts. Start with the Users tab for an incident from Incidents & alerts > incident > Users.

Example of a Users page for an incident

To get a quick summary of a user account for the incident, select the check mark next to the user account name. Here's an example.

Example of the user account summary pane for an incident in the Microsoft 365 security center

Note

The User page shows the Azure Active Directory (Azure AD) organization as well as group memberships, helping you understand the groups and permissions associated with a user.

In this fly-out page, you can review user threat information, including any current incidents, active alerts, and risk level, as well as user exposure, accounts, devices, and more.

In addition, you can take action directly in the Microsoft 365 security center to address a compromised user, such as confirming that the user is compromised or requiring them to sign in again.

From here, you can select Go to user page to see the details of a user account. Here's an example.

Example of the user account page for an incident in the Microsoft 365 security center

You can also see this page by selecting the name of the user account from the list on the Users page.

The Microsoft 365 security center user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (depending on what licenses you have).

This page shows information specific to the security risk of a user account. This includes a score that helps assess risk, along with the recent events and alerts that contributed to the overall risk of the user.

From this page, you can do these additional actions:

  • Mark the user account as compromised
  • Require the user to sign in again
  • Suspend the user account
  • See the Azure Active Directory (Azure AD) user account settings
  • View the files owned by the user account
  • View files shared with this user

Here's an example.

Example of the actions on a user account for an incident in the Microsoft 365 security center

Next steps

As needed for in-process incidents, continue your investigation.

See also