This chapter covers Microsoft Entra ID Protection (formerly Azure AD Identity Protection), a critical component of Microsoft 365 security. For the MS-900 exam, approximately 10-15% of questions in the Security domain (Objective 3.3) touch on identity protection concepts. You will learn how Identity Protection detects, investigates, and remediates identity-based risks, its integration with Conditional Access, and the specific risk types and policies you need to know for the exam. Master this chapter to confidently answer questions about user risk, sign-in risk, and automated remediation.
Jump to a section
Think of your organization's identities as a bank vault with multiple compartments. The vault itself is Azure AD, storing user accounts and credentials. Identity Protection is like a sophisticated security system that monitors every access attempt to the vault. It has motion sensors (risk detection algorithms) that detect unusual behavior, such as someone trying to open the vault at 3 AM from a foreign country (anomalous sign-in). It also uses facial recognition (machine learning) to compare the person to known employees (user risk). If the system detects a high-risk attempt, it can trigger an alarm that locks the vault temporarily (conditional access requiring MFA) or alerts the security team (security dashboard). The system also keeps a log of every attempt, including false alarms (risk events), and learns over time what normal behavior looks like. Just as a bank security system doesn't prevent all crime but significantly reduces risk, Identity Protection doesn't block all threats but reduces the attack surface by automatically responding to suspicious activities.
What is Microsoft Entra ID Protection?
Microsoft Entra ID Protection is a feature of Microsoft Entra ID P2 (formerly Azure AD Premium P2) that automatically detects and responds to identity-based risks. It uses machine learning models and heuristics to identify suspicious activities related to user accounts and sign-ins. The goal is to protect organizations from credential compromise, brute-force attacks, and other identity threats without requiring manual intervention for every alert.
Why It Exists
Traditional security relies on static rules and manual review, which is slow and error-prone. Identity Protection provides automated risk detection and remediation, reducing the time between compromise and response. It is part of Microsoft's Zero Trust security model, which assumes breach and continuously validates trust.
How It Works Internally
Identity Protection operates through three main components:
Risk Detection: Algorithms analyze sign-in events and user behavior in real time. Detections are classified as sign-in risk (e.g., impossible travel, anonymous IP address) or user risk (e.g., leaked credentials, suspicious activity).
Risk Assessment: Each detection is assigned a risk level: Low, Medium, or High. These levels are based on confidence scores from machine learning models.
Remediation: Based on risk level and configured policies, Identity Protection can trigger automatic remediation actions, such as blocking sign-in, requiring MFA, or forcing password reset.
Key Components and Defaults
- Risk Detections: There are over 30 types of risk detections. Key ones for the exam include: - Impossible travel: Two sign-ins from geographically distant locations within a time frame shorter than travel time. Default threshold: 10 minutes. - Anonymous IP address: Sign-in from an IP address classified as anonymous (e.g., Tor, VPN). - Leaked credentials: Credentials found on the dark web. - Malware linked IP address: IP address known to be associated with malware. - Unfamiliar sign-in properties: Sign-in with attributes not seen before for that user. - Suspicious browser: Browser with known security issues. - Risk Levels:
- Low: Confidence > 0% but < 30% - Medium: Confidence 30-60% - High: Confidence > 60% - Policies: Two default policies exist: - User risk policy: Remediate users with high user risk (default: require password change). - Sign-in risk policy: Remediate sign-ins with medium or high sign-in risk (default: require MFA). - Timers: Risk detections are stored for 90 days. User risk is calculated based on detections within a rolling window of 7 days.
Configuration and Verification
Identity Protection is configured in the Microsoft Entra admin center under Protection > Identity Protection. You can create custom Conditional Access policies that use risk as a condition. For example:
- Sign-in risk: High
- Grant: Require multi-factor authenticationTo verify risk events, use:
- PowerShell: Get-AzureADIdentityProtectionRiskDetections
- Graph API: GET /identityProtection/riskDetections
The Risky users report shows users with high risk. The Risky sign-ins report shows sign-in risk events.
Integration with Related Technologies
Identity Protection integrates with: - Conditional Access: Risk is a condition that can trigger access controls. - Microsoft Defender for Cloud Apps: Provides additional risk signals like impossible travel from app usage. - Microsoft Sentinel: Can ingest risk events for SIEM correlation. - Azure AD Privileged Identity Management (PIM): Risk can affect privileged role activation.
Exam-Relevant Details
Identity Protection requires Azure AD Premium P2 licenses (included in Microsoft 365 E5).
User risk is a cumulative score based on all detections for a user. If user risk is high, the user should reset their password.
Sign-in risk is per sign-in event. If sign-in risk is high, it may be blocked or require MFA.
The exam often asks about remediation actions:
- High user risk → Force password reset - High sign-in risk → Require MFA or block sign-in - False positives: Administrators can dismiss risks or confirm safe/compromised. - Report-only mode: Allows testing policies before enforcement. - Risk feedback: Admins can manually set risk level to influence machine learning.
Step-by-Step Remediation Flow
User attempts to sign in from an anonymous IP (e.g., Tor).
Identity Protection detects the sign-in risk as Medium.
A Conditional Access policy is triggered: if sign-in risk is Medium or High, require MFA.
User is prompted for MFA. If they complete it, access is granted. If not, access is blocked.
The risk detection is recorded and visible in the Risky sign-ins report.
Important Numbers
Risk detections are stored for 90 days.
User risk is calculated over a 7-day rolling window.
Default risk level thresholds: Low < 30%, Medium 30-60%, High > 60%.
Identity Protection is available with Azure AD Premium P2 (E5 includes this).
Command Examples
# Get all risk detections
Get-AzureADIdentityProtectionRiskDetections
# Get risky users
Get-AzureADIdentityProtectionRiskyUser
# Confirm user compromised
Set-AzureADIdentityProtectionRiskyUser -UserId user@domain.com -Action confirmCompromisedUser attempts sign-in
A user enters their credentials at a Microsoft 365 login page. The authentication request is sent to Azure AD, which processes the sign-in. At this point, Identity Protection begins evaluating the sign-in event in real time. It examines properties such as IP address, device, location, and time. The system compares these against the user's historical behavior and known threat intelligence.
Risk detection evaluation
Azure AD Identity Protection applies machine learning models to detect risk. For example, if the sign-in comes from an IP address known to be associated with anonymous proxies, the detection 'Anonymous IP address' is triggered. Each detection has a risk level (Low, Medium, High) based on confidence. Multiple detections can be aggregated for a single sign-in. The evaluation takes milliseconds and occurs before the user is granted access.
Conditional Access policy check
If a Conditional Access policy includes 'Sign-in risk' as a condition, the policy is evaluated. For example, a policy might say: 'If sign-in risk is High, then require MFA or block access.' The policy is applied after risk detection but before final access decision. If no policy matches, the sign-in proceeds normally. Policies can be in 'Report-only' mode to log but not enforce.
Remediation action triggered
Based on the policy, remediation occurs. Common actions: require MFA, block sign-in, or allow but log. If MFA is required, the user must complete additional verification (e.g., phone call, app notification). If blocked, the user receives an error message. The remediation is logged in Azure AD sign-in logs with risk detail.
Risk event recorded and reported
After the sign-in attempt, the risk detection is stored in Azure AD for up to 90 days. It appears in the 'Risky sign-ins' report. Administrators can review, dismiss, or confirm the risk. User risk is updated based on all detections for that user. If user risk becomes High, a separate user risk policy can trigger a password reset on next sign-in.
Scenario 1: Protecting Against Credential Stuffing
A large enterprise with 50,000 users was suffering from credential stuffing attacks. Attackers used leaked passwords from other sites to try to log in. The security team enabled Identity Protection with sign-in risk policies. They configured a Conditional Access policy requiring MFA for any sign-in with Medium or High risk. Within days, thousands of sign-in attempts were blocked or challenged with MFA. The team also created a user risk policy that forced password reset for users with High user risk. This reduced account compromise by 90%. The key was tuning the risk thresholds: they initially set the policy to trigger on Medium risk, but after analyzing false positives, they adjusted to only High risk for blocking, while using MFA for Medium.
Scenario 2: Impossible Travel Detection for Remote Workers
A company with a global workforce noticed that some users were signing in from two continents within minutes. Identity Protection flagged these as 'Impossible travel' events. The default threshold of 10 minutes was too sensitive for legitimate users using VPNs. The admin adjusted the policy to require MFA for impossible travel events, rather than blocking. They also created a trusted IP range for corporate VPNs to reduce false positives. Over time, the machine learning adapted to the user's typical travel patterns, reducing false alarms. The security team used the 'Risky sign-ins' report to investigate each event and confirm whether it was a real compromise or a false positive.
Scenario 3: Leaked Credentials Response
A mid-sized organization had several users whose credentials appeared on the dark web. Identity Protection detected these via the 'Leaked credentials' detection and raised user risk to High. The user risk policy automatically required those users to reset their password at next sign-in. The IT team also notified affected users via email. However, some users ignored the prompt, so the admin set the policy to block sign-in until password reset. This ensured compliance. The team also integrated with Microsoft Defender for Cloud Apps to monitor post-reset activity for any lingering compromise.
What MS-900 Tests
MS-900 Objective 3.3 covers 'Describe the capabilities of Microsoft Identity Protection.' The exam focuses on:
Understanding risk types: user risk vs. sign-in risk.
Knowing the default remediation actions: password reset for user risk, MFA for sign-in risk.
Recognizing license requirements: Azure AD Premium P2 (included in Microsoft 365 E5).
Identifying common risk detections: impossible travel, anonymous IP, leaked credentials, unfamiliar sign-in properties.
Differentiating between Identity Protection and other security features like Azure AD Password Protection or Conditional Access.
Common Wrong Answers
'Identity Protection blocks all risky sign-ins automatically.' Wrong: It can be configured to block, but default policies only require MFA or password reset. Blocking is an explicit policy choice.
'User risk and sign-in risk are the same.' Wrong: User risk is a cumulative assessment of a user's overall risk based on multiple detections over time; sign-in risk is per individual sign-in event.
'Identity Protection is available in all M365 plans.' Wrong: It requires Azure AD Premium P2 (E5 or P2 standalone). E3 only has basic security features.
'Risk detections are stored indefinitely.' Wrong: They are stored for 90 days.
Numbers and Terms That Appear on Exam
90 days: retention of risk detections.
7-day rolling window: user risk calculation.
Low, Medium, High: risk levels.
Anonymous IP, Impossible Travel, Leaked Credentials: specific detection names.
Azure AD Premium P2: required license.
Report-only mode: test policies without enforcement.
Edge Cases the Exam Loves
What if a user has multiple detections? User risk aggregates all detections; the highest risk level may trigger remediation.
Can you create custom risk policies? Yes, via Conditional Access using risk as a condition.
What happens if a user is marked as high risk but the policy is set to report-only? No action is taken; the risk is only logged.
How to Eliminate Wrong Answers
If a question mentions 'cumulative risk over time,' it's user risk. If it's about a single sign-in, it's sign-in risk.
If an answer says 'requires MFA for all users,' it's wrong because Identity Protection only triggers based on risk level, not for all users.
If an answer mentions 'Azure AD Premium P1,' it's wrong for Identity Protection (needs P2).
Identity Protection requires Azure AD Premium P2 (included in M365 E5).
Two main risk types: user risk (account-level) and sign-in risk (event-level).
Default user risk policy: require password reset for high risk.
Default sign-in risk policy: require MFA for medium or high risk.
Risk detections stored for 90 days; user risk calculated over 7-day rolling window.
Common detections: impossible travel, anonymous IP, leaked credentials, unfamiliar sign-in properties.
Integration with Conditional Access allows custom risk-based policies.
Report-only mode enables testing without enforcement.
These come up on the exam all the time. Here's how to tell them apart.
User Risk Policy
Targets an entire user account
Based on cumulative detections over time
Default remediation: require password reset
Evaluated at sign-in if user risk is high
Helps protect already compromised accounts
Sign-in Risk Policy
Targets individual sign-in events
Based on real-time detection during sign-in
Default remediation: require MFA
Evaluated at every sign-in attempt
Helps protect against anomalous sign-ins
Mistake
Identity Protection requires Microsoft 365 E5 license.
Correct
It requires Azure AD Premium P2, which is included in Microsoft 365 E5, but also available standalone. E3 does not include it.
Mistake
All risk detections are automatically blocked.
Correct
By default, only reporting occurs. Remediation requires a Conditional Access policy configured with risk conditions.
Mistake
User risk and sign-in risk are the same thing.
Correct
User risk is a cumulative score based on all detections for a user over time; sign-in risk is per individual sign-in event.
Mistake
Risk detections are stored indefinitely.
Correct
They are stored for 90 days only.
Mistake
Identity Protection can prevent all identity attacks.
Correct
It reduces risk but cannot prevent all attacks. It relies on machine learning and may have false positives/negatives.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure AD Premium P2 is required. This is included in Microsoft 365 E5 but not in E3. You can also purchase it standalone. Without P2, you cannot create risk-based Conditional Access policies or view risk detections.
User risk is a cumulative assessment of a user's overall risk based on multiple detections over time (e.g., leaked credentials, suspicious activity). Sign-in risk is evaluated per individual sign-in event (e.g., impossible travel, anonymous IP). User risk policies typically force password reset, while sign-in risk policies require MFA or block the sign-in.
Risk detections are stored for 90 days. After that, they are automatically deleted. This is important for compliance and investigation windows.
Yes, if you configure a Conditional Access policy with a 'Block access' control and set the condition to a risk level (e.g., High sign-in risk). By default, no blocking occurs; policies are report-only or require MFA.
Low: confidence 0-30%, Medium: 30-60%, High: >60%. These thresholds are based on machine learning confidence scores and can be influenced by admin feedback.
Administrators can review risk detections in the Risky sign-ins report and manually dismiss them or confirm as safe. This feedback helps improve the machine learning model. You can also use report-only mode to test policies before enforcement.
It detects two sign-ins from geographically distant locations within a time frame shorter than physically possible. Default threshold is 10 minutes. This often indicates credential compromise.
You've just covered Identity Protection in M365 — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?