Microsoft Tech Community
Four major Azure AD Identity Protection enhancements are now in public preview
Published Jan 29 2019 09:00 AM

Howdy folks,


Today I’ve got some pretty exciting news to share. We’ve just put four major Azure Active Directory (Azure AD) Identity Protection enhancements into public preview! 


The four enhancements include:

  • An intuitive and integrated UX including security insights, recommendations, sign-ins report integration, and the ability to filter, sort, and perform bulk operations.
  • Powerful APIs that allow you to integrate all levels of our risk data with your ticketing, analysis, or SIEM systems.
  • Improved risk assessment. We continuously tune our heuristic and machine learning systems and are bringing you even more accurate risk analysis to drive your prevention and remediation strategy.
  • Service-wide alignment across risky users and risky sign-ins.

Announced at Ignite 2018, these capabilities are now available to all Azure AD Premium P2 customers. Let’s take a look!


An intuitive and integrated UX

The UX is now more intuitive, with security insights that give you detailed information on risky user trends and activity.


Security overview

The new Security overview provides user and sign-in risk trends to help you spot attacks and understand the effectiveness of your policies. The tiles on the right call out key issues such as high-risk users and unprotected risky sign-ins to help you quickly act on those issues.


Azure AD Security overview.

Risky user report

The new Risky user report gives you better insight into at-risk users. In addition to remediation actions (e.g. reset password, dismiss risk), there’s a ton of new navigation and discovery functionality packed in here.


First, the Basic info tab provides the basic user information (e.g. office location). Click the name to open the Azure AD user profile to display the user’s phone number, directory role, manager’s name, memberships, etc.


Azure AD Risky users (Basic info).

Second, in the Recent risky sign-ins tab, click any sign-in to see a ton of information on that sign-in.


Azure AD Risky users (Recent risky sign-ins).

Third, the Risk events not linked to a sign-in tab shows you detections not tied to a sign-in. For instance, the user may have reused their credentials at another site that was compromised.


Azure AD Risky users (Risk events not linked to a sign-in).

Fourth, you may want to know why a user got marked as being at risk. While the risk assessment is done by our revamped machine learning system (our secret sauce!), the Risk history tab shows you all the events that contributed to user risk.


Azure AD Risky users (Risk history).

Risky sign-ins report

Now let’s cover something brand new—the Risky sign-ins report! Until now, you’ve been correlating our detections to sign-ins. With the new Risky sign-ins report, that’s no longer necessary. The Risky sign-ins report gives you a single, integrated view to see basic sign-in info, risk, device, Multi-Factor Authentication (MFA), and policy information.


The Basic info tab gives you information such as the time, IP, location, client, and resource for that sign-in.


Azure AD Risky sign-ins (Basic info).

The Device info tab provides information about a browser, OS, compliance, and device management.


Azure AD Risky sign-ins (Device info).

The Risk info tab lists all the detections for a sign-in, so you can see why a sign-in was risky.


Azure AD Risky sign-ins (Risk info).

The MFA info tab tells you the MFA sign-in story (e.g. whether MFA was required, how it was done, and the result). Finally, the Conditional Access tab shows how your conditional access policies reacted to a sign-in.


Smart feedback

Smart feedback lets you protect your users by acting upon the risk assessment. If you conclude sign-ins were compromised, you can select these sign-ins and click Confirm compromised. Alternatively, you can click Confirm safe.


Note: This intel is automatically applied to the specific user and selectively applied to your organization. Additionally, the patterns behind such intel from the entire Azure AD customer base are continuously incorporated.


Azure AD Risky sign-ins (Confirm compromised).

Customization of reports, searching, sorting, and bulk operations

You now have the same controls that exist for other reports in Azure AD. You can quickly filter, sort, and select columns and then take bulk actions throughout Identity Protection. For instance, without needing any technical experience, you can easily share examples of identity risks in your organization with your management teams, such as:

  • A list of all active, high-risk users sorted by the date of last risk change.
  • A list of successful sign-ins that had Anonymous IP address or Atypical travel since November 23.

Note: For a smooth transition, we’ll ensure the existing and the new UX are in-sync, so you can switch between the two.


Powerful APIs

All the data you access through the new UX is available to you via the MS-Graph APIs. You can programmatically route Identity Protection data into your SIEM, storage, ticketing, or alerting system through the following APIs.


Risky users API

The Risky users API provides insight into risky users. With this API, you can ask questions such as:

  • How risky is user ‘Lily’?
  • Who are my High and Medium risk users?
  • How many users showed up at Medium or High risk between Labor Day 2018 and Halloween 2018?
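
As an added example (not code from the original post or from Microsoft), the Python sketch below answers the Labor Day to Halloween 2018 question above by walking the paged riskyUsers collection and flattening the matches into SIEM-ready events. The `fetch` callable, the sample pages and the event field names are assumptions; a real `fetch` would issue an authenticated GET against Microsoft Graph.

```python
import json
from datetime import datetime, timezone

RISKY_USERS_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"
# Labor Day 2018 through Halloween 2018, in UTC.
WINDOW = (datetime(2018, 9, 3, tzinfo=timezone.utc), datetime(2018, 10, 31, 23, 59, 59, tzinfo=timezone.utc))

def parse_ts(value):
    """Parse a Graph ISO 8601 UTC timestamp, dropping fractional seconds of any length."""
    head = value.rstrip("Z").partition(".")[0]
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def iter_risky_users(fetch, url=RISKY_USERS_URL):
    """Yield every riskyUser record, following @odata.nextLink until the last page."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def siem_events(fetch, start, end, levels=("medium", "high")):
    """Return one flat event per user whose risk last changed in [start, end] at the given levels."""
    events, seen = [], set()
    for user in iter_risky_users(fetch):
        changed = parse_ts(user["riskLastUpdatedDateTime"])
        if user["id"] in seen or user.get("riskLevel") not in levels or not (start <= changed <= end):
            continue
        seen.add(user["id"])  # guard against the same user appearing on two pages
        events.append({"source": "aad-identity-protection", "time": changed.isoformat(),
                       "user": user["userPrincipalName"], "risk_level": user["riskLevel"],
                       "risk_state": user.get("riskState")})
    return sorted(events, key=lambda e: e["time"])

# Constructed sample pages (not real tenant data), keyed by the URL that returns them.
PAGE2 = RISKY_USERS_URL + "?$skiptoken=constructed"
SAMPLE_PAGES = {
    RISKY_USERS_URL: {"@odata.nextLink": PAGE2, "value": [
        {"id": "u1", "userPrincipalName": "lily@contoso.example", "riskLevel": "high",
         "riskState": "atRisk", "riskLastUpdatedDateTime": "2018-09-14T08:30:00.1234567Z"},
        {"id": "u2", "userPrincipalName": "zach@contoso.example", "riskLevel": "low",
         "riskState": "atRisk", "riskLastUpdatedDateTime": "2018-10-02T11:00:00Z"}]},
    PAGE2: {"value": [
        {"id": "u3", "userPrincipalName": "sam@contoso.example", "riskLevel": "medium",
         "riskState": "remediated", "riskLastUpdatedDateTime": "2018-10-30T23:59:59Z"},
        {"id": "u4", "userPrincipalName": "ana@contoso.example", "riskLevel": "high",
         "riskState": "atRisk", "riskLastUpdatedDateTime": "2018-11-05T07:15:00Z"}]},
}

if __name__ == "__main__":
    for event in siem_events(SAMPLE_PAGES.__getitem__, *WINDOW):
        print(json.dumps(event))
```

Because riskLastUpdatedDateTime records only the most recent change, a user whose risk changed again after the window is not counted by this filter.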

Sign-ins API

The Sign-ins API lets you view all the information associated with sign-ins. It helps you ask questions such as:

  • How risky is this sign-in and why?
  • Show me all the info of all risky sign-ins that were successful around Thanksgiving 2018?
  • What is the list of all successful sign-ins that came in last week from countries I don’t operate in?
  • What is the list of all sign-ins user ‘Zach’ had in the last one month from Anonymous IP addresses?
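
The last two questions can be answered client-side once sign-in records have been exported. The Python sketch below is an added example, not code from the original post or from Microsoft. It assumes records shaped like the Microsoft Graph signIn resource (`status.errorCode`, `location.countryOrRegion`, `riskEventTypes_v2`, `riskLevelAggregated`); the operating-country set, the reason labels and the sample records are constructed.

```python
from collections import defaultdict

OPERATING_COUNTRIES = {"US", "NL"}  # assumption: countries this example tenant operates in
# Graph detection names for "Anonymous IP address" and "Atypical travel".
WATCHED_DETECTIONS = {"anonymizedIPAddress", "unlikelyTravel"}

def triage(sign_ins, operating=OPERATING_COUNTRIES, watched=WATCHED_DETECTIONS):
    """Group successful sign-ins that carry a watched detection or come from an unexpected country."""
    findings = defaultdict(list)
    for s in sign_ins:
        if s.get("status", {}).get("errorCode") != 0:
            continue  # failed or interrupted sign-ins granted no access
        reasons = sorted(watched & set(s.get("riskEventTypes_v2") or []))
        country = (s.get("location") or {}).get("countryOrRegion")
        if country and country not in operating:
            reasons.append("country:" + country)
        if reasons:
            findings[s["userPrincipalName"]].append({
                "id": s["id"], "time": s["createdDateTime"],
                "risk": s.get("riskLevelAggregated", "none"), "reasons": reasons})
    return dict(findings)

# Constructed sample records (not real tenant data).
SAMPLE_SIGN_INS = [
    {"id": "s1", "userPrincipalName": "zach@contoso.example", "createdDateTime": "2018-11-20T09:00:00Z",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"},
     "riskLevelAggregated": "medium", "riskEventTypes_v2": ["anonymizedIPAddress"]},
    {"id": "s2", "userPrincipalName": "zach@contoso.example", "createdDateTime": "2018-11-21T02:10:00Z",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"},
     "riskLevelAggregated": "high", "riskEventTypes_v2": ["unlikelyTravel"]},
    {"id": "s3", "userPrincipalName": "lily@contoso.example", "createdDateTime": "2018-11-22T14:45:00Z",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "BR"},
     "riskLevelAggregated": "none", "riskEventTypes_v2": []},
    {"id": "s4", "userPrincipalName": "lily@contoso.example", "createdDateTime": "2018-11-23T08:00:00Z",
     "status": {"errorCode": 0}, "location": None,
     "riskLevelAggregated": "low", "riskEventTypes_v2": ["unfamiliarFeatures"]},
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_SIGN_INS).items():
        print(user, hits)
```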

Note: To ensure your workflow continuity, the existing IdentityRiskEvents API will continue to work throughout the preview.


Improved risk assessment

The UX/API benefits above are just the tip of the iceberg. Under the hood, we significantly improved both our user risk and sign-in risk assessment via supervised machine learning advancements. So, your policies become much better at stopping the bad actors.

New—Sign-in risk (aggregate)

Identity Protection now gives you an aggregate risk considering all the malicious activity detected on a sign-in. This helps prioritize your sign-in investigations. It includes real-time detections (detections that trigger during the sign-in), non-real-time detections (detections that trigger minutes after the sign-in), detections made by partner security products, and other features of a sign-in (e.g. location, time, IP, proxy).

Improved—User risk

We made a huge leap in our user risk assessment by leveraging our advancements in supervised machine learning, a new machine learning layer at the sign-in level, and smart feedback. This means your user risk policy is now more effective than ever at automatically blocking or remediating those risky users.


Service-wide alignment across risky users and risky sign-ins

After carefully listening to our customers, we learned that two entities—risky users and risky sign-ins—are most relevant to IT admins for identity compromise. So, we designed the refreshed Identity Protection entirely around these two entities.


You now have the following available for both risky users and risky sign-ins:


Note: To help you leverage all the above enhancements, we also revamped our documentation.


Customer comments

Finally, here are a few comments from customers who used the refreshed Azure AD Identity Protection:


  • “The new version of AADIP provides a lot of benefit by having a general overview showing all risky sign-ins or all risky users compared to the flip side of seeing the event first and having to drill down. Having a quick overview list of people or sign-ins that can't allow any to go missed is beneficial. In addition, the greater plethora of data on the events is beneficial. It's nice not to have to drill down to that data through the user's sign-in history blade and see it right away on the event. The ‘Confirm compromised’ feature is great.”—The Walsh Group


  • “Our team has been working with the new interface and dashboard for two months now. Usability is significantly improved, and it makes our daily work much easier. This saves us a lot of time and we got all information in one view in seconds. Thank you very much.” —Abtis


  • “The new Azure AD Identity Protection dashboards give you a clear view of risky users as well as risky sign-ins. It gives IT teams the ability to quickly see if risky sign-ins have been protected by MFA or not. Clicking the dashboards allows you to easily drill down into the events to investigate risky users/sign-ins.” Identity Experts


  • “It was delighting to see the exact issues we are experiencing are being resolved in the next release.” BDO Netherlands

Next steps

Try the refreshed Azure AD Identity Protection and please share your thoughts via the in-product prompts or in the comments below. We always love to hear your feedback and suggestions, and look forward to hearing from you!


Best regards,


Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

Last update: Jul 24 2020 01:45 AM