What Is Azure Identity Protection?
Microsoft Entra ID Identity Protection is a risk-based security layer that continuously evaluates sign-in and user risk signals to detect credential compromise, impossible travel, anomalous authentication patterns, and attacker tooling — in real time.
Without Identity Protection policies, these signals are visible in logs but generate no automated response. An attacker using a leaked credential from a breach database, authenticating from a Tor exit node at 3am, will succeed — even if the sign-in risk score is "high" — unless a policy is configured to require MFA step-up or block access.
Risk Protection closes the gap between detection and response at the identity layer.
How It Works
Identity Protection evaluates two risk types:
Sign-in risk — the probability that a specific authentication is not from the legitimate user. Signals include:
- Anonymous IP address (Tor, VPN)
- Atypical travel (authentication from two geographically distant locations within hours)
- Malware-linked IP address
- Unfamiliar sign-in properties (new device, new location, new browser)
- Password spray patterns
- Token anomalies (AiTM phishing indicators)
User risk — the probability that a user account is compromised. Signals include:
- Leaked credentials (Microsoft monitors breach databases and flags matching accounts)
- Suspicious activity patterns over time
- Anomalous token usage
When risk is detected but no policy responds, the attacker proceeds. When policies are configured, high-risk sign-ins are blocked or require MFA, and compromised users are forced to change their password.
The Attack Chain (Without Risk Policies)
Scenario 1 - Leaked Credentials
# Attacker finds corp.com credentials in a public breach database
# Microsoft's Identity Protection detects the leaked credentials and sets user risk = High
# Without a user risk policy: attacker authenticates successfully, no alert fires
# With a user risk policy:
# High risk user → require password change on next login → attacker blocked
Scenario 2 - AiTM Phishing
# Attacker runs Evilginx2 AiTM proxy
# Victim clicks phishing link, enters credentials + MFA code
# Attacker captures session token (bypasses MFA)
# Identity Protection detects: token anomaly, suspicious session properties
# Sign-in risk = High
# Without sign-in risk policy: attacker uses stolen token freely
# With sign-in risk policy: high-risk session requires MFA re-authentication
# Attacker's stolen token cannot satisfy MFA challenge → session blocked
Scenario 3 - Password Spray
# Attacker sprays common passwords across M365 accounts
# Identity Protection detects spray pattern — increments sign-in risk
# Without policy: successful spray completes undetected
# With policy: medium-risk sign-in requires MFA — spray yields nothing usable
Detection
Risk Detection Events (Entra ID Sign-in Logs)
| Risk Detection | What It Indicates |
|---|---|
| Leaked credentials | Account credentials found in public breach data |
| Anonymous IP | Sign-in from Tor/VPN — often attacker infrastructure |
| Impossible travel | Two sign-ins from geographically impossible locations |
| Unfamiliar sign-in | New device + new location + new browser simultaneously |
| Malware-linked IP | Source IP associated with known malware C2 |
| Token issuer anomaly | Session token characteristics inconsistent with legitimate auth |
| Mass access to sensitive files | Post-compromise data exfiltration pattern |
SIEM Detection Query (Elastic KQL)
azure.signinlogs.properties.risk_level_during_sign_in: ("high" OR "medium") AND
azure.signinlogs.properties.status.error_code: 0
# Detect leaked credential detections
azure.auditlogs.operation_name: "Risky user detected" AND
azure.auditlogs.properties.additional_details: "*leakedCredentials*"
💡 Tip: Route Identity Protection risk detections to your SIEM and alert on any high-risk sign-in that succeeds. These are near-certain indicators of active attack or credential compromise.
Remediation
💡 Quick Win: Enable user risk and sign-in risk policies in Identity Protection today. Both can be configured in under 5 minutes and provide immediate automated response to detected attacks.
1. Configure Sign-in Risk Policy
Entra ID > Security > Identity Protection > Sign-in risk policy:
Assignments:
- Users: All users
- Sign-in risk: Medium and above
Access:
- Require multifactor authentication
Enable policy: On
2. Configure User Risk Policy
Entra ID > Security > Identity Protection > User risk policy:
Assignments:
- Users: All users
- User risk: High
Access:
- Allow access + Require password change
Enable policy: On
3. Block High-Risk Sign-ins via Conditional Access
For maximum control, use Conditional Access rather than the built-in Identity Protection policies — it provides more granular configuration:
Policy: Block High-Risk Sign-ins
Conditions > Sign-in risk: High
Access controls: Block
Policy: Require MFA for Medium-Risk Sign-ins
Conditions > Sign-in risk: Medium
Access controls: Require MFA
4. Configure Risky User Notifications
Entra ID > Security > Identity Protection > Notifications:
- Users at risk detected alerts: Weekly digest to security team
- Weekly digest: Enabled
5. Review and Remediate Flagged Users
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskyUser.ReadWrite.All"
# List all high-risk users
Get-MgRiskyUser -Filter "riskLevel eq 'high'" |
Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime
# Dismiss risk for confirmed safe users
Invoke-MgDismissRiskyUser -UserIds @("user-id-1", "user-id-2")
# Confirm compromise and require password reset
Invoke-MgConfirmRiskyUserCompromised -UserIds @("compromised-user-id")
How EtcSec Detects This
EtcSec audits your Identity Protection configuration as part of every Azure scan.
The Risk Protection category checks whether sign-in risk and user risk policies are configured and enforced — a critical gap that leaves your tenant without automated response to detected attacks.
Findings include: no sign-in risk policy, no user risk policy, risk policies in "report-only" mode (detecting but not enforcing), and missing notification configuration.
ℹ️ Note: EtcSec audits Identity Protection configuration automatically. Run a free audit to see if your Azure tenant has risk-based response controls in place.
Related articles: Azure Conditional Access Gaps | Azure Identity Security | Azure Privileged Access
