Respond to identity threats using risky user summarization

Microsoft Entra ID Protection applies the capabilities of Copilot in Microsoft Entra to summarize a user's risk level, provide insights relevant to the incident at hand, and provide recommendations for rapid mitigation. Identity risk investigation is a crucial step to defend an organization. Copilot in Microsoft Entra helps reduce the time to resolution by providing IT admins and security operations center (SOC) analysts the right context to investigate and remediate identity risk and identity-based incidents. Risky user summarization provides admins and responders quick access to the most critical information in context to aid their investigation.

Respond to identity threats quickly:

  • Risk summary: summarize in natural language why the user risk level was elevated.
  • Recommendations: get guidance on how to mitigate and respond to these types of attacks, with quick links to help and documentation.

This article describes how to access the risky user summary capability of Microsoft Entra ID Protection and Copilot in Microsoft Entra. Using this feature requires Microsoft Entra ID P2 licenses.

Investigate risky users

To view and investigate a risky user:

  1. Sign in to the Microsoft Entra admin center as at least a Security Reader.

  2. Navigate to Protection > Identity Protection and then to the Risky users report.

  3. Select a user from the risky users report.

    Screenshot that shows the ID Protection risky users report.

  4. In the Risky User Details window, information appears in Summarize.

    Screenshot that shows the ID Protection risky user summarization details.

The risky user summary contains three sections:

  • Summary by Copilot: summarizes in natural language why ID Protection flagged the user for risk.
  • What to do: lists the next steps to investigate this incident and prevent future incidents.
  • Help and documentation: lists resources for help and documentation.

In this example, suggested remediations are to:

Suggested help and documentation are:

Next steps