Microsoft Entra ID Protection: what is Risk in Entra ID?
How Microsoft Entra ID Protection works and what the concept of risk means when applied to a user and a sign-in.
In a Zero Trust security approach, where identity is a fundamental element, the security of authentications can be measured to some extent based on the so-called “signals”. Analyzing these signals provides a level of “risk” for a particular user when authenticating to Microsoft 365 services. Today, I’ll tell you about Microsoft Entra Identity Protection and what the concept of “risk” means.
As always, before diving headfirst into this “risky” journey (pun intended 🤣), we need to introduce another concept: you need to understand what signals are.
What is a signal?
In Entra ID, a signal is a property or a particular condition of a user or of an authentication. Here are some examples:
User’s IP address
IP and user geolocation
Application they are trying to access.
The operating system of the device they are using (Windows, Linux, macOS, iOS, Android?)
The type of client the user is using to access M365 services: an app that supports Modern Authentication, a browser, or an app that only supports legacy authentication?
If it’s a browser, which browser?
Which Azure AD groups does their account belong to?
And so on…
These are all signals, and as you can see, Entra ID is capable of detecting many of them.
You might be wondering: “Rick, why are you bothering me with this signal stuff?”
I’ll answer that without too much beating around the bush: because “risk” is a signal!
And so, how does risk fit in among the signals, and what is it?
What is risk in Entra ID Protection?
In Entra ID Protection, risk is an assessment of user actions, authentications, and their properties. Cross-analysis of user properties and actions provides an assessment of how clean or suspicious the authentication is and how secure or insecure the user is.
Risk can be:
Calculated in real time at sign-in (evaluations available within 5 to 10 minutes)
Calculated offline by Microsoft cloud intelligence, based on a background analysis of the authentication events in your tenant (evaluations available in a few hours)
It is further divided into two types:
User Risk
Sign-in Risk
User Risk
Here are the risk signals associated with a user.
These signals are constantly updated and improved. The ones listed above are those available at the time of writing this article. If you want to ensure you are always up to date, I recommend referring to the official documentation:
Sign-in Risk
Here are the risk signals associated with a single authentication.
These signals are constantly updated and improved. The ones listed above are those available at the time of writing this article. If you want to ensure you are always up to date, I recommend referring to the official documentation:
How can risk in Entra ID Protection be useful?
The concept of risk is extremely useful when used in combination with Conditional Access and Multi-Factor Authentication! Even more so if you have access to Azure Sentinel and want to automate your responses.
Concrete examples? Here they are:
If two authentications from Italy and Spain are detected within 5 minutes (impossible travel), I request Multi-Factor Authentication for access (Conditional Access + MFA).
If it’s detected that the user’s password matches one found in public lists of compromised credentials (risk), I block the authentication (Conditional Access), raise an incident, and lock the user account (Azure Sentinel).
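The two examples above map onto two risk-based Conditional Access policies. The following script is an added example, not code from the original post or from Microsoft: it creates both policies with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission; the policy names and the break-glass group id are placeholders.

```powershell
# Added example (not from the original post): two risk-based Conditional Access
# policies created with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed; the signed-in account has
# Policy.ReadWrite.ConditionalAccess; display names and the group id below
# are placeholders to replace with your own values.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of an emergency-access (break-glass) group that a risk
# policy must never lock out. Replace with the id of your own group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: sign-in risk medium or high -> require MFA
# (the impossible-travel case from the post).
$signInRiskPolicy = @{
    displayName = "CA - Sign-in risk medium or high - require MFA"
    # Report-only first: the policy is evaluated and logged in the sign-in logs
    # but not enforced, so its impact can be reviewed before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: user risk high (e.g. leaked credentials) -> block access,
# as the post describes. "passwordChange" is the alternative built-in control
# if you prefer to force a secure password reset instead of a hard block.
$userRiskPolicy = @{
    displayName = "CA - User risk high - block"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created policy '{0}' with id {1} (state: {2})" -f `
        $created.DisplayName, $created.Id, $created.State)
}
```

Both policies are created in report-only mode on purpose: a risk policy that blocks applies to every user, so review the "Report-only" results in the sign-in logs (and keep the break-glass exclusion) before changing state to "enabled".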
Where can you find risk assessments and events?
You can simply navigate to the Entra ID portal under Microsoft Entra ID -> Security -> Identity Protection.
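The same data the Identity Protection blade shows can also be pulled programmatically, which is handy when you want to feed it into reports or automation. This script is an added example, not code from the original post: it lists the users currently at high risk and summarizes the last week's risk detections by type and by timing (real-time versus offline, the two evaluation modes described earlier). It assumes the Microsoft.Graph module is installed and that the account has the IdentityRiskyUser.Read.All and IdentityRiskEvent.Read.All permissions.

```powershell
# Added example (not from the original post): query Identity Protection risk
# data with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed; the signed-in account has
# IdentityRiskyUser.Read.All and IdentityRiskEvent.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All"

# 1. Users currently flagged at high risk that nobody has remediated or dismissed yet.
$riskyUsers = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All
Write-Host "Users at high risk (state atRisk): $($riskyUsers.Count)"
$riskyUsers |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime |
    Sort-Object RiskLastUpdatedDateTime -Descending |
    Format-Table -AutoSize

# 2. Individual risk detections from the last 7 days, grouped by signal type
#    (riskEventType holds the detection name, e.g. unlikelyTravel or leakedCredentials).
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$detections = Get-MgRiskDetection -Filter "detectedDateTime ge $since" -All
Write-Host "Risk detections since ${since}: $($detections.Count)"
$detections |
    Group-Object RiskEventType |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. How each detection was evaluated: "realtime" (at sign-in) or "offline"
#    (background cloud-intelligence analysis), matching the two modes in the post.
$detections |
    Group-Object DetectionTimingType |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

The riskState filter matters: a user whose risk was already remediated (for example by a secure password reset) or dismissed by an admin keeps a riskLevel but is no longer actionable, so "atRisk" is the state an operations team should watch.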
License requirements for Entra ID Protection
Here’s an official Microsoft document that will clarify which licenses are required to take advantage of these features:
Conclusions on risk and Entra ID Protection
As you can see, the limit to securing your identities in a simple and automated way is only your imagination and, of course, a careful analysis of your needs and environment.
Are you already using Entra ID Protection? Have you automated reactions in case of high risk? Let’s discuss it in the comments or on my social media channels; I’m here!
Your IT Specialist,
Riccardo