How To: Give risk feedback in Microsoft Entra ID Protection
Microsoft Entra ID Protection allows you to give feedback on its risk assessment. The following document lists the scenarios where you would like to give feedback on Microsoft Entra ID Protection's risk assessment and how we incorporate it.
Your feedback helps us optimize detections in the future, improve their accuracy, and reduce false positives.
What is a detection?
An ID Protection detection is an indicator of suspicious activity from an identity risk perspective. These suspicious activities are called risk detections. These identity-based detections can be based on heuristics, machine learning or can come from partner products. These detections are used to determine sign-in risk and user risk,
- User risk represents the probability an identity is compromised.
- Sign-in risk represents the probability a sign-in is compromised (for example, the identity owner didn't authorize the sign-in).
Why should I give risk feedback to risk assessments?
There are several reasons why you should give risk feedback:
- You found Microsoft Entra ID Protection user or sign-in risk assessment incorrect. For example, a sign-in shown in Risky sign-ins report was benign and all the detections on that sign-in were false positives.
- You validated that Microsoft Entra ID Protection user or sign-in risk assessment was correct. For example, a sign-in shown in Risky sign-ins report was indeed malicious and you want Microsoft Entra ID to know that all the detections on that sign-in were true positives.
- You remediated the risk on that user outside of Microsoft Entra ID Protection and you want the user's risk level to be updated.
How does Microsoft use my risk feedback?
Microsoft uses your feedback to update the risk of the underlying user and/or sign-in and the accuracy of these events. This feedback helps secure the end user. For example, once you confirm a sign-in is compromised, We immediately increase the user's risk and sign-in's aggregate risk (not real-time risk) to high. If this user is included in your user risk policy to force high risk users to securely reset their passwords, they're able to automatically remediate the next time they sign-in.
Administrators can take action on risky sign-in events and choose to:
- Confirm sign-in compromised – This action confirms the sign-in is a true positive. The sign-in is considered risky until remediation steps are taken.
- Confirm sign-in safe – This action confirms the sign-in is a false positive. Similar sign-ins shouldn't be considered risky in the future.
- Dismiss sign-in risk – This action is used for a benign true positive. This sign-in risk we detected is real, but not malicious, like those from a known penetration test or known activity generated by an approved application. Similar sign-ins should continue being evaluated for risk going forward.
Taking action on the user level applies to all the detections currently associated with that user. Administrators can take action on users and choose to:
- Reset password - This action revokes user's current sessions.
- Confirm user compromised - This action is taken on a true positive. ID Protection sets the user risk to high and adds a new detection, Admin confirmed user compromised. The user is considered risky until remediation steps are taken.
- Confirm user safe - This action is taken on a false positive. Doing so removes risk and detections on this user and places it in learning mode to relearn the usage properties. You might use this option to mark false positives.
- Dismiss user risk - This action is taken on a benign positive user risk. This user risk we detected is real, but not malicious, like those from a known penetration test. Similar users should continue being evaluated for risk going forward.
- Block user - This action blocks a user from signing in if attacker has access to password or ability to perform MFA.
- Investigate with Microsoft 365 Defender - This action takes administrators to the Microsoft Defender portal to allow an administrator to investigate further.
Feedback on risk detections in ID Protection is processed offline and might take some time to update. The risk processing state column provides the current state of feedback processing.