Respond to identity threats using risky user summarization
Microsoft Entra ID Protection applies the capabilities of Copilot in Microsoft Entra to summarize a user's risk level, provide insights relevant to the incident at hand, and provide recommendations for rapid mitigation. Identity risk investigation is a crucial step in defending an organization. Copilot in Microsoft Entra helps reduce the time to resolution by giving IT admins and security operations center (SOC) analysts the right context to investigate and remediate identity risk and identity-based incidents. Risky user summarization gives admins and responders quick access to the most critical information in context to aid their investigation.
Respond to identity threats quickly:
- Risk summary: summarize in natural language why the user risk level was elevated.
- Recommendations: get guidance on how to mitigate and respond to these types of attacks, with quick links to help and documentation.
This article describes how to access the risky user summary capability of Microsoft Entra ID Protection and Copilot in Microsoft Entra. Using this feature requires Microsoft Entra ID P2 licenses.
Investigate risky users
To view and investigate a risky user:
1. Sign in to the Microsoft Entra admin center as at least a Security Reader.
2. Navigate to Protection > Identity Protection and then to the Risky users report.
3. Select a user from the risky users report.
4. In the Risky User Details window, information appears in Summarize.
The risky user summary contains three sections:
- Summary by Copilot: summarizes in natural language why ID Protection flagged the user for risk.
- What to do: lists the next steps to investigate this incident and prevent future incidents.
- Help and documentation: lists resources for help and documentation.
In this example, suggested remediations are to:
- Create sign-in risk and user risk based conditional access policies.
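One way to carry out the remediation suggested above, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK; the policy names, the risk levels and grant controls chosen, and the emergency-access account placeholder are illustrative assumptions, and both policies are created in report-only mode so their effect can be reviewed before enforcement.

```powershell
# Added example (not from the original article).
# Requires the Microsoft.Graph PowerShell SDK and a role allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that stays excluded.
$breakGlassId = '<emergency-access-account-object-id>'

# Hypothetical helper: builds the request body for one risk-based policy.
function New-RiskPolicyBody {
    param(
        [string]   $DisplayName,
        [ValidateSet('user', 'signIn')] [string] $RiskType,
        [string[]] $RiskLevels,
        [string[]] $Controls
    )
    $conditions = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    # User risk and sign-in risk are separate conditions; keep them in separate policies.
    if ($RiskType -eq 'user') { $conditions.userRiskLevels = $RiskLevels }
    else                      { $conditions.signInRiskLevels = $RiskLevels }

    @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # report-only
        conditions    = $conditions
        grantControls = @{ operator = 'AND'; builtInControls = $Controls }
    }
}

$policies = @(
    # User risk: require MFA plus a secure password change (the two controls must be combined with AND).
    New-RiskPolicyBody -DisplayName 'EXAMPLE - High user risk: MFA and password change' `
        -RiskType user -RiskLevels 'high' -Controls 'mfa', 'passwordChange'
    # Sign-in risk: require MFA for the risky session.
    New-RiskPolicyBody -DisplayName 'EXAMPLE - Medium/high sign-in risk: MFA' `
        -RiskType signIn -RiskLevels 'medium', 'high' -Controls 'mfa'
)

foreach ($body in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```

After reviewing the report-only results in the sign-in logs, change `state` to `enabled` to enforce the policies.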
Suggested help and documentation are:
Next steps
- Learn more about risky users.