Protecting identities has become one of the central challenges of online security: attacks on accounts keep getting more sophisticated, and a stolen identity is often all an attacker needs. Microsoft Entra ID Protection addresses exactly this problem.
Microsoft Entra ID Protection uses Microsoft's threat intelligence and machine learning to detect identity risks. Sign-in risk is evaluated in real time during authentication, while user risk is aggregated from all detections for an account over time. Combined with Conditional Access, these risk levels trigger automated responses such as a multi-factor authentication challenge or a forced password change, which reduces the number of incidents that need manual handling.
This blog post outlines the key steps for implementing Microsoft Entra ID Protection: from the prerequisites and the risk-based Conditional Access policies to notifications and a functional check of the configuration. The goal is to raise identity security without making daily work harder for users.
Prerequisites and Licensing
Licenses
The Microsoft Entra ID Protection feature requires a Microsoft Entra ID P2 or Microsoft Entra Suite license: Microsoft Entra Plans and Pricing | Microsoft Security
Roles
The following roles are designated for the configuration and management of Microsoft Entra ID Protection, based on the principle of least privilege. Global Administrator also has full access, but it should be reserved for emergency use rather than for day-to-day operation of Identity Protection:
| Role | Permission |
| --- | --- |
| Security Administrator | Full access to Microsoft Entra ID Protection |
| Security Operator | View all Microsoft Entra ID Protection reports; dismiss user risk; confirm safe sign-in; confirm compromise |
| Security Reader | View all Microsoft Entra ID Protection reports |
| Global Reader | Read-only access to Microsoft Entra ID Protection |
| User Administrator | Reset user passwords |
| Conditional Access Administrator | Create and manage the Microsoft Entra Conditional Access policies used with Microsoft Entra ID Protection |
Detailed information about the roles can be found here:
What is Microsoft Entra ID Protection? – Microsoft Entra ID Protection | Microsoft Learn
Multi-Factor Authentication (MFA)
Automated (self-service) remediation depends on multi-factor authentication: a risky sign-in is remediated by passing an MFA challenge, and a risky user by a secure password change, which itself requires MFA. Users should therefore be registered for MFA before the risk policies are enforced; a user who is not registered cannot self-remediate and has to be unblocked by an administrator. Users can set up multi-factor authentication using the following guide: User guide: Enabling multi-factor authentication – cloudcoffee.ch
Review Existing Reports
Before starting the configuration, review the existing risk detection reports. A comprehensive explanation of the information in these reports and the resulting actions can be found in the following article: Investigate risk Microsoft Entra ID Protection – Microsoft Entra ID Protection | Microsoft Learn
The reports can be found in the Microsoft Entra admin center (https://entra.microsoft.com) under Protection > Identity Protection > Report
Create Microsoft Entra Conditional Access Policies
The response to sign-in risk and user risk is defined through Microsoft Entra Conditional Access policies. Depending on your security requirements, it may be useful to create separate policies for different risk levels, for example blocking access at high sign-in risk while requiring successful multi-factor authentication at medium risk. A good starting point is Microsoft's recommended baseline: require multi-factor authentication for medium and high sign-in risk, and a secure password change for high user risk. A new policy is best created in report-only mode first, so that the sign-in log shows what it would have done before it is enforced.
Sign-In Risk
Microsoft Entra ID Protection determines the likelihood that a sign-in request is unauthorized for each login attempt. Microsoft Entra ID Protection analyzes various signals in real time and classifies the sign-in risk into the categories no risk, low, medium, and high. Based on this classification, the Microsoft Entra Conditional Access policy defines the next steps in the sign-in process. For example, a successful multi-factor authentication may be required.
Open Microsoft Entra admin center (https://entra.microsoft.com) > Protection > Conditional Access and select Create new policy
Assign a Name for the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn
Select Users and Groups for applying this policy. Emergency accounts, service accounts and service principals should be excluded.
Set the Target resources to All Resources (formerly All cloud apps), and mandatory exclusions can be added if necessary.
Under Conditions, select the sign-in risk levels that the policy will apply to.
High Risk: Clear evidence indicates that the sign-in is compromised or poses a threat. The danger is acute, and Microsoft assesses the sign-in as potentially originating from an attacker.
Medium Risk: There are suspicious but inconclusive indicators suggesting the sign-in might be risky. The threat may be real but cannot be definitively classified as compromised.
Low Risk: The sign-in displays minor anomalies that could be potentially suspicious but do not represent a serious threat. These may be legitimate behavioral deviations.
No Risk: This level indicates that no unusual or suspicious activities have been detected. The sign-in attempt shows no anomalies and aligns with the typical patterns associated with the account. In this case, Microsoft considers the access to be secure and trustworthy.
Under Grant, it is specified which access enforcement applies through this policy. In this example, successful completion of multi-factor authentication (MFA) is required.
Under Session, set the sign-in frequency to Every time.
Enable the policy with On and click Create to save.
The policy has been successfully created and will now respond to sign-in risk.
User Risk
The user risk evaluates the likelihood that a user account is compromised. Microsoft Entra ID Protection analyzes various signals and behavioral patterns to calculate a risk level (no risk, low, medium, or high). Based on this information, Microsoft Entra Conditional Access policies can enforce additional security measures.
Open Microsoft Entra admin center (https://entra.microsoft.com) > Protection > Conditional Access and select Create new policy
Assign a Name for the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn
Select Users and Groups for applying this policy. Emergency accounts, service accounts and service principals should be excluded.
Set the Target resources to All Resources (formerly All cloud apps), and mandatory exclusions can be added if necessary.
Under Conditions, select the user risk levels that the policy will apply to.
High Risk: Clear evidence suggests that the user account has been compromised. The account is under acute and serious threat.
Medium Risk: Indicators suggest the account may be at risk, but there is no definitive proof of a full compromise. While the risk is not critical, monitoring and preventive measures are required.
Low Risk: There are minor signs that the account might potentially be at risk. These are typically small deviations that could have legitimate explanations.
Under Grant, it is determined which access enforcement is applied by this policy. In this example, a password change is required. When Require password change is selected, the admin center also selects Require multifactor authentication and Require all the selected controls, because the new password must be set in a session that has passed MFA; leave that combination in place.
Under Session, set the sign-in frequency to Every time.
Enable the policy with On and click Create to save.
The policy has been successfully created and will now respond to user risk.
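The same two policies, created with the Microsoft Graph PowerShell SDK instead of the admin center, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the account running it holds the Conditional Access Administrator role, and that $BreakGlassGroupId is a placeholder for the object ID of your emergency-access group; the policy names follow the Azure Architecture Center naming pattern but are examples. Both policies are created in report-only mode so that the sign-in log can be reviewed before they are enforced.

```powershell
# Added example, not code from the original post: creates the sign-in risk and
# user risk Conditional Access policies described above through the Microsoft
# Graph PowerShell SDK, in report-only mode first.
# Assumptions (not from the post): the Microsoft.Graph module is installed, the
# signed-in admin holds the Conditional Access Administrator role, and
# $BreakGlassGroupId is a placeholder for the object ID of the group that holds
# your emergency-access accounts.
param(
    [Parameter(Mandatory)] [string] $BreakGlassGroupId
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Common building blocks: all users except the break-glass group, all resources,
# and a sign-in frequency of "Every time" so the risk is re-evaluated on each sign-in.
$users   = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
$apps    = @{ includeApplications = @("All") }
$session = @{
    signInFrequency = @{
        isEnabled          = $true
        frequencyInterval  = "everyTime"
        authenticationType = "primaryAndSecondaryAuthentication"
    }
}

# Policy 1: sign-in risk medium or high -> require multi-factor authentication.
$signInRiskPolicy = @{
    displayName     = "CA100-Global-IdentityProtection-AllApps-AnyPlatform-MFA-SignInRiskMediumHigh"
    state           = "enabledForReportingButNotEnforced"   # Report-only; switch to "enabled" after review
    conditions      = @{
        users            = $users
        applications     = $apps
        signInRiskLevels = @("medium", "high")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = $session
}

# Policy 2: user risk high -> require a secure password change. "Require password
# change" is paired with "Require multifactor authentication" and "Require all the
# selected controls" (operator AND), the same combination the admin center applies.
$userRiskPolicy = @{
    displayName     = "CA101-Global-IdentityProtection-AllApps-AnyPlatform-PasswordChange-UserRiskHigh"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = $users
        applications   = $apps
        userRiskLevels = @("high")
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
    sessionControls = $session
}

# Create both policies and show their IDs and state.
$created = foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
$created | Select-Object DisplayName, Id, State | Format-Table -AutoSize

# Once the report-only results in the sign-in log look right, enforce the policies.
# Uncomment to switch both policies to "enabled":
# foreach ($p in $created) {
#     Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter @{ state = "enabled" }
# }
```

enabledForReportingButNotEnforced is the Graph value for the admin center's Report-only state; while a policy is in that state, sign-ins it would have affected appear in the sign-in log with results such as reportOnlySuccess or reportOnlyFailure instead of being interrupted.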
Notifications
Microsoft Entra ID Protection sends an email notification when a user is detected at risk. By default, users with a valid email address in the following roles are automatically added to this notification list:
- Global Administrator
- Security Administrator
- Security Reader
Additionally, a weekly digest is sent via email. These default settings can be customized to suit your needs.
Alerts for Detected Compromised Users
Email recipients for detected users at risk are managed in the Microsoft Entra admin center (https://entra.microsoft.com) under Protection > Identity Protection > Users at risk detected alerts (1). Additionally, the risk level (2) can be set at which an email alert will be sent.
The email for the alert of a detected user at risk looks as follows:
Weekly Digest
A summary of newly detected risks is sent weekly. Email recipients for detected compromised users are managed in the Microsoft Entra admin center (https://entra.microsoft.com) under Protection > Identity Protection > Weekly digest (1).
If you wish to disable this notification, the email delivery can be turned off (2).
The email for the weekly digest looks as follows:
Functionality Check
The following simulations verify the Microsoft Entra Conditional Access policies created above with little effort. Additional simulation options are described in the following Microsoft Learn article: Simulating risk detections in Microsoft Entra ID Protection – Microsoft Entra ID Protection | Microsoft Learn
Anonymous IP Address
A simulation with an anonymous IP address can be easily and quickly performed using the Tor Browser.
- Start the Tor Browser and navigate to https://aka.ms/myapps
- Sign in with an account that is not registered for multi-factor authentication
- The sign-in will appear in the Risk Detection report after approximately 15 minutes
Unfamiliar Sign-In Properties
The requirements for simulating an unfamiliar sign-in are as follows:
- A user account with at least 30 days of active sign-in history
- A virtual machine that has never been used with this user account
- The user account has registered for multi-factor authentication
- VPN to simulate an unfamiliar location
Perform Simulation
- Start the VPN and ensure that internet traffic is routed through a new, unfamiliar location for the user account
- Launch the browser on the virtual machine and go to https://aka.ms/myapps
- Sign in with the user account and intentionally fail to complete the required multi-factor authentication
The sign-in will appear in the Risk Detection report after approximately 15 minutes.
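A way to check the outcome of either simulation without clicking through the portal, as an added example that is not part of the original post: it pulls the risk detections and recent sign-ins for the test account from Microsoft Graph and shows which Conditional Access policies were applied. It assumes the Microsoft.Graph module and an account that can read risk detections and sign-in logs (Security Reader or higher); $UserPrincipalName and $LookbackHours are script parameters, not names from the post.

```powershell
# Added example, not code from the original post: after running one of the
# simulations above, lists what Identity Protection recorded for the test account
# and whether the risk-based Conditional Access policies fired.
# Assumptions (not from the post): the Microsoft.Graph module is installed and the
# signed-in account can read risk detections and sign-in logs (Security Reader or
# higher). $UserPrincipalName is the simulated account.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $LookbackHours = 2
)

Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours)

# 1. Risk detections for the user, e.g. anonymizedIPAddress or unfamiliarFeatures.
#    Detections take around 15 minutes to appear; rerun if the list is still empty.
$detections = Get-MgRiskDetection -Filter "userPrincipalName eq '$UserPrincipalName'" -All |
    Where-Object { $_.DetectedDateTime -ge $since } |
    Sort-Object DetectedDateTime -Descending

"Risk detections for $UserPrincipalName since $($since.ToString('u')):"
$detections |
    Select-Object DetectedDateTime, RiskEventType, RiskLevel, RiskState, IpAddress |
    Format-Table -AutoSize

# 2. Recent sign-ins: the risk level assigned during the sign-in, the overall
#    Conditional Access result, and every policy that was not simply "notApplied"
#    (report-only policies show up as reportOnlySuccess / reportOnlyFailure).
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top 50 |
    Where-Object { $_.CreatedDateTime -ge $since } |
    Sort-Object CreatedDateTime -Descending

"Sign-ins for $UserPrincipalName since $($since.ToString('u')):"
foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -notin @('notApplied', 'reportOnlyNotApplied') } |
        ForEach-Object { "{0} = {1}" -f $_.DisplayName, $_.Result }

    [pscustomobject]@{
        Time       = $s.CreatedDateTime
        IpAddress  = $s.IpAddress
        SignInRisk = $s.RiskLevelDuringSignIn
        RiskState  = $s.RiskState
        CAStatus   = $s.ConditionalAccessStatus
        Policies   = ($applied -join '; ')
    }
}
```

For the Tor simulation you should see a detection of type anonymizedIPAddress and a sign-in whose SignInRisk is medium or high with the sign-in risk policy listed as applied; for the unfamiliar sign-in simulation the detection type is unfamiliarFeatures. If the detection is present but no policy is listed, check the policy's user and resource scope before assuming the detection itself failed.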
Good to Know
Legacy Risk Policies to be retired on October 1, 2026
The legacy risk policies in Identity Protection will be retired on October 1, 2026. Migration to Microsoft Entra Conditional Access policies can be performed without interruption, as long as the new policies are in place and verified before the legacy ones are switched off:
- Create a Microsoft Entra Conditional Access policy for sign-in risk
- Create a Microsoft Entra Conditional Access policy for user risk
- Once the new policies are enabled and verified, disable the existing legacy risk policies:
Microsoft Entra admin center (https://entra.microsoft.com) > Protection > Identity Protection > User risk policy > disable Policy enforcement
Microsoft Entra admin center (https://entra.microsoft.com) > Protection > Identity Protection > Sign-In risk policy > disable Policy enforcement