Monitor, investigate, and remediate elevated risky users

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

Investigate risk

Identity Protection offers three reports that organisations can use to investigate identity risks in their environment: risky users, risky sign-ins, and risk detections. Investigating events is critical for better understanding and identifying flaws in your security strategy.

All three reports allow you to download events in .CSV format for analysis outside of the Azure portal. The risky users and risky sign-ins reports can be downloaded for the most recent 2,500 entries, while the risk detections report can be downloaded for the most recent 5,000 records.

Organizations can use the Microsoft Graph API integrations to aggregate this data with other sources to which they have access.

The three reports can be found in the Azure portal under Azure Active Directory > Security.

Navigating the reports: –

Each report begins with a list of all detections for the time period indicated at the top of the report. Columns can be added or removed from each report based on the administrator’s preferences. Administrators can download the data in either .CSV or .JSON format. The filters across the top of the report can be used to filter reports.

Selecting individual entries may enable additional options at the top of the report, such as confirming a sign-in as compromised or safe, confirming a user as compromised, or dismissing user risk.

When you select an individual entry, a details window appears beneath the detections. Administrators can investigate and act on each detection using the details view.

Risky users report in the Azure portal

Risky users: –

Administrators can use the information provided by the risky users report to discover:

  • Which users are at risk, have had risk mitigated, or have had risk dismissed?
  • Details on detections
  • History of all risky sign-ins
  • Risk history

Administrators can then decide how to respond to these events. They can choose to:

  • Reset the user password.
  • Confirm user compromise.
  • Dismiss user risk.
  • Block users from signing in.
  • Investigate further using Azure ATP.


Risky sign-ins: –

The risky sign-ins report includes filterable data for the previous 30 days (one month).

Administrators can use the information provided by the risky sign-ins report to discover:

  • Which sign-ins are classified as “at risk,” “confirmed compromised,” “confirmed safe,” “dismissed,” or “remediated”.
  • Real-time and aggregate risk levels associated with sign-in attempts.
  • Detection types that were triggered.
  • Conditional Access policies that were applied.
  • Details about the MFA.
  • Details about the device.
  • Information on the application.
  • Details about the location.

Administrators can then decide how to respond to these events. Administrators can choose to:

  • Confirm sign-in compromise.
  • Confirm sign-in safe.


Risk detections: –

The risk detection report includes filterable data for the last 90 days (three months).

Administrators can use the risk detections report to discover:

  • Information about each risk detection, including the type.
  • Other risks triggered at the same time
  • Sign-in attempt location


Administrators can then return to the user’s risk or sign-ins report to take action based on the information gathered.

The risk detection report also includes a link to the detection in the Microsoft Defender for Cloud Apps (MDCA) portal, where you can view additional logs and alerts.

Note: –

Our system may detect that the risk event that contributed to the user risk score was a false positive, or that the user risk was resolved through policy enforcement, such as completing an MFA prompt or a secure password change. In that case, our system dismisses the risk state, a risk detail of “AI confirmed sign-in safe” appears, and the event no longer contributes to the user’s risk.
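
The following added example, which is not from the original article, shows how downloaded risky users and risk detections data can be joined outside the portal to build a triage queue of users who still need an administrator's decision. It assumes records shaped like the Microsoft Graph riskyUser and riskDetection resources; the sample records and the triage function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records. Field names follow the Microsoft Graph
# riskyUser and riskDetection resources (an assumption); every value is made up.
RISKY_USERS = [
    {"userPrincipalName": "ana@contoso.example", "riskLevel": "high",
     "riskState": "atRisk", "riskDetail": "none"},
    {"userPrincipalName": "bo@contoso.example", "riskLevel": "none",
     "riskState": "dismissed", "riskDetail": "aiConfirmedSigninSafe"},
    {"userPrincipalName": "cy@contoso.example", "riskLevel": "medium",
     "riskState": "atRisk", "riskDetail": "none"},
    {"userPrincipalName": "di@contoso.example", "riskLevel": "none",
     "riskState": "remediated", "riskDetail": "userPassedMFADrivenByRiskBasedPolicy"},
]
RISK_DETECTIONS = [
    {"userPrincipalName": "ana@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskState": "atRisk", "detectedDateTime": "2023-03-02T08:17:00Z"},
    {"userPrincipalName": "ana@contoso.example", "riskEventType": "leakedCredentials",
     "riskState": "atRisk", "detectedDateTime": "2023-03-02T08:15:00Z"},
    {"userPrincipalName": "bo@contoso.example", "riskEventType": "unlikelyTravel",
     "riskState": "dismissed", "detectedDateTime": "2023-03-01T21:40:00Z"},
    {"userPrincipalName": "cy@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskState": "atRisk", "detectedDateTime": "2023-02-27T03:05:00Z"},
]

OPEN_STATES = {"atRisk", "confirmedCompromised"}  # states that still need follow-up
LEVEL_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(users, detections):
    """Return open risky users, highest risk first, each with its open detections."""
    open_by_user = defaultdict(list)
    for det in detections:
        if det["riskState"] in OPEN_STATES:
            open_by_user[det["userPrincipalName"]].append(det)
    queue = []
    for user in users:
        if user["riskState"] not in OPEN_STATES:
            continue  # dismissed, remediated or confirmed safe: nothing pending
        dets = sorted(open_by_user[user["userPrincipalName"]],
                      key=lambda d: d["detectedDateTime"])
        queue.append({"user": user["userPrincipalName"], "level": user["riskLevel"],
                      "detections": [d["riskEventType"] for d in dets]})
    return sorted(queue, key=lambda e: LEVEL_RANK.get(e["level"], 3))


if __name__ == "__main__":
    for entry in triage(RISKY_USERS, RISK_DETECTIONS):
        print(entry["level"], entry["user"], ", ".join(entry["detections"]))
```

Users whose risk was dismissed automatically or remediated through policy drop out of the queue, so the list contains only accounts awaiting an action such as a password reset or a confirm or dismiss decision.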

