Azure Identity Protection - Clarity about the report options

Copper Contributor

Hi everyone


Currently, I am trying to better understand Azure AD Identity Protection. To be honest, despite the documentation it is still not totally clear for me what is the difference between the "Risk detections" and the risky users and risky sign-igns within the Report blade. I thought that risk detection is a kind of summary of risky users and risky sign-ins. This opinion I had after I saw that a filter "Activity" is available that can filter by "users" and "Sign-ins" - but in that case all the detections disappear. That is why i was confused about the relationship between them.


A second thing that is not clear is if I really understood the concept of risky users & Risky sign-ins: Risky users are calculated as a consequence of detected sign-in risks? 


The last thing is: When i get a "unfamiliar sign-in properties" risk, where I can see what actually was the reason to alert resp. what was the risk parameter the algorithm detected as unfamiliar?


Thank you in advance,

3 Replies

I would suggest you to have a look on the ignite session The science behind Azure Active Directory Identity Protection
This will answers a couple of questions that might not be included in the documentation for Identity Protection.

Hi @Pontus Själander ¨


Unfortunatley, it does not answer my questions. Can anyone give some more hints?



A risk detection is when a user does something risky. Like logging in from a 'Malware Linked IP'. The moment the user logs in from a malware linked IP, this will be a risky sign-in. The reason for this risky sign-in will be the risk detection will be 'Malware linked IP'.
A sign-in can have a score (low/medium/high), but a user can also have risk score. These are calculated from the multiple risky signins (simply put 2 low sign-ins create a medium risky user). A admin can also confirm a user as confirmed, then the user risk is also increased.

For the unfamiliar sign-ins: Microsoft does not publish why the alert is exactly triggered. Most of the time this is because of a new IP or new device. So these are the two things I look into.