Investigate risk with ID Protection in Microsoft Entra External ID

Applies to: External tenants. Does not apply to workforce tenants.

Microsoft Entra ID Protection provides ongoing risk detection for your external tenant. It allows organizations to discover, investigate, and remediate identity-based risks. ID Protection comes with risk reports that can be used to investigate identity risks in external tenants. In this article, you learn how to investigate and mitigate risks.

ID Protection reporting

ID Protection provides two reports. The Risky users report is where administrators can find which users are at risk and details about detections. The risk detections report gives information about each risk detection. This report includes the risk type, other risks triggered at the same time, the location of the sign-in attempt, and more.

Each report launches with a list of all detections for the period shown at the top of the report. Reports can be filtered using the filters across the top of the report. Administrators can choose to download the data, or use the Microsoft Graph API and the Microsoft Graph PowerShell SDK to continuously export the data.

Service limitations and considerations

Consider the following points when using ID Protection:

  • ID Protection is not available in trial tenants.
  • ID Protection is on by default.
  • ID Protection is available for both local and social identities, such as Google, Facebook or Apple. Detection is limited because the external identity provider manages the social account credentials.
  • Currently in Microsoft Entra external tenants, a subset of the Microsoft Entra ID Protection risk detections is available. Microsoft Entra External ID supports the following risk detections:

| Risk detection type | Description |
| --- | --- |
| Atypical travel | Sign-in from an atypical location based on the user's recent sign-ins. |
| Anonymous IP address | Sign-in from an anonymous IP address (for example: Tor browser, anonymizer VPNs). |
| Malware linked IP address | Sign-in from a malware linked IP address. |
| Unfamiliar sign-in properties | Sign-in with properties we haven't seen recently for the given user. |
| Admin confirmed user compromised | An admin has indicated that a user was compromised. |
| Password spray | Sign-in through a password spray attack. |
| Microsoft Entra threat intelligence | Microsoft's internal and external threat intelligence sources have identified a known attack pattern. |

Investigate risky users

With the information provided by the Risky users report, administrators can find:

  • The Risk state, showing which users are At risk, have had risk Remediated, or have had risk Dismissed
  • Details about detections
  • History of all risky sign-ins
  • Risk history

Administrators can then choose to take action on these events. Administrators can choose to:

  • Reset the user password
  • Confirm user compromise
  • Dismiss user risk
  • Block user from signing in
  • Investigate further using Azure ATP

An administrator can choose to dismiss a user's risk in the Microsoft Entra admin center or programmatically through the Microsoft Graph Dismiss User Risk API. Administrator privileges are required to dismiss a user's risk. The risky user or an administrator working on the user's behalf can remediate the risk, for example through a password reset.

  1. Sign in to the Microsoft Entra admin center.

  2. Make sure you're using the directory that contains your Microsoft Entra external tenant: Select the Settings icon in the toolbar and find your external tenant from the Directories + subscriptions menu. If it's not the current directory, select Switch.

  3. Browse to Protection > Identity Protection.

  4. Under Report, select Risky users.

    Selecting individual entries expands a details window below the detections. The details view allows administrators to investigate and perform actions on each detection.

Risk detections report

The Risk detections report contains filterable data for up to the past 90 days (three months).

With the information provided by the risk detections report, administrators can find:

  • Information about each risk detection including type.
  • Other risks triggered at the same time.
  • Sign-in attempt location.

Administrators can then choose to return to the user's risk or sign-ins report to take actions based on information gathered.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Protection > Identity Protection.

  3. Under Report, select Risk detections.
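The "other risks triggered at the same time" view of the risk detections report can also be reproduced over exported data. The following is an added example, not Microsoft's code: it assumes records that use Microsoft Graph riskDetection property names, and the riskEventType-to-name mapping, the 10-minute window, the `rec` helper, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping: Graph riskEventType value -> detection name used in the table on this page.
SUPPORTED = {
    "unlikelyTravel": "Atypical travel",
    "anonymizedIPAddress": "Anonymous IP address",
    "malwareInfectedIPAddress": "Malware linked IP address",
    "unfamiliarFeatures": "Unfamiliar sign-in properties",
    "adminConfirmedUserCompromised": "Admin confirmed user compromised",
    "passwordSpray": "Password spray",
    "investigationsThreatIntelligence": "Microsoft Entra threat intelligence",
}

def rec(upn, kind, state, ip, when):  # hypothetical helper: one constructed record
    return {"userPrincipalName": upn, "riskEventType": kind, "riskState": state, "ipAddress": ip, "activityDateTime": when}

# Constructed sample export (not real tenant data; IPs are documentation ranges).
SAMPLE = [
    rec("alice@contoso.example", "passwordSpray", "atRisk", "203.0.113.10", "2024-05-01T10:00:00Z"),
    rec("alice@contoso.example", "anonymizedIPAddress", "atRisk", "203.0.113.10", "2024-05-01T10:04:00Z"),
    rec("alice@contoso.example", "unfamiliarFeatures", "atRisk", "198.51.100.7", "2024-05-03T08:00:00Z"),
    rec("bob@contoso.example", "unlikelyTravel", "dismissed", "192.0.2.44", "2024-05-02T09:00:00Z"),
    rec("bob@contoso.example", "anonymizedIPAddress", "dismissed", "192.0.2.44", "2024-05-02T09:01:00Z"),
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def correlate(detections, window=timedelta(minutes=10)):
    """Per user, cluster open detections that fired within `window` of each other."""
    per_user = defaultdict(list)
    for d in detections:  # keep only risk that is still open and of a supported type
        if d["riskState"] == "atRisk" and d["riskEventType"] in SUPPORTED:
            per_user[d["userPrincipalName"]].append(d)
    findings = []
    for upn, items in per_user.items():
        items.sort(key=lambda d: parse_ts(d["activityDateTime"]))
        clusters = [[items[0]]]
        for d in items[1:]:
            gap = parse_ts(d["activityDateTime"]) - parse_ts(clusters[-1][-1]["activityDateTime"])
            if gap <= window:
                clusters[-1].append(d)   # fired close to the previous detection
            else:
                clusters.append([d])     # too far apart: start a new cluster
        findings += [{"user": upn, "types": sorted({SUPPORTED[d["riskEventType"]] for d in c}),
                      "ips": sorted({d["ipAddress"] for d in c}),
                      "first_seen": c[0]["activityDateTime"]} for c in clusters if len(c) > 1]
    return findings
```

Calling `correlate(SAMPLE)` returns one finding for the first user, whose password spray and anonymous IP detections fired four minutes apart; the dismissed detections and the isolated later detection are not reported.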