
Microsoft Entra ID Protection Guide for Technical Teams

Reco Security Experts
Updated
June 10, 2025
June 11, 2025
5 mins

Microsoft Entra ID Protection, formerly known as Azure Active Directory Identity Protection, assists organizations in detecting and responding to identity-based risks. It uses data from Microsoft’s vast threat intelligence network to identify suspicious user activities and sign-in patterns. For technical teams, properly configuring and using Identity Protection is key to preventing compromised identities and enforcing automated response actions.

This guide explains how to implement, monitor, and fine-tune Microsoft Entra ID Protection. It focuses on practical configurations, policy design, risk-based access controls, and advanced response techniques.

Understand Identity Risks in Microsoft Entra ID Protection

Before configuring any policies, it's important to understand the two main types of risks in Microsoft Entra ID Protection:

  1. User Risk – Indicates a user account is likely compromised (e.g., leaked credentials, unusual activity).

  2. Sign-in Risk – Flags suspicious login attempts (e.g., login from unfamiliar locations, atypical devices).

These risks are calculated using Microsoft’s machine learning models and updated continuously based on global telemetry. You can view detected risks from the Identity Protection pane in the portal or by querying Microsoft Graph APIs for automation.

Figure: Microsoft Entra ID Protection dashboard showing detected user and sign-in risks, alerts, and security policy settings.

Configure Risk Policies for Access Control

Once risks are detected, you can block or restrict access using Risk-Based Conditional Access policies. These policies can be configured to block access or enforce multi-factor authentication (MFA) if risk is detected.

Real-life Example: Block Access for High User Risk

{
  "displayName": "Block access when user risk is high",
  "state": "enabled",
  "conditions": {
    "users": { "includeUsers": [ "All" ] },
    "applications": { "includeApplications": [ "All" ] },
    "userRiskLevels": [ "high" ]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [ "block" ]
  }
}

This JSON body, sent to the Microsoft Graph Conditional Access policies endpoint, creates a Conditional Access policy that blocks sign-ins when user risk is high. In the portal, the same policy is configured visually under Conditional Access > New Policy > User Risk.

Best Practices

  • High user risk: block access
  • Medium sign-in risk: require MFA
  • Low user risk: allow, but monitor

Always test your policies with a small group before full deployment.

Figure: Risk-based access policy settings in Microsoft Entra ID Protection, configured to block or restrict access based on user and sign-in risk levels.

Automate User Risk Remediation

Microsoft Entra ID Protection lets you automate responses for detected risks. If a user’s risk level reaches a certain threshold, you can trigger:

  • Password reset
  • MFA challenge
  • Account lockout
  • Access block

These responses are automatic when policies are enabled. You can also use custom workflows with Microsoft Graph Security API to trigger external tools or SIEM workflows.

Example: Reset Password on Risk Detection (Graph API)

POST https://graph.microsoft.com/beta/identityProtection/riskyUsers/confirmCompromised
Authorization: Bearer <token>
Content-Type: application/json

{
  "userIds": [ "<user-id>" ]
}

This API call marks the user as confirmed compromised and raises their risk level to high; with a user risk policy in place, that enforces a password reset and blocks access until the risk is remediated. Use it from Logic Apps, Automation runbooks, or SIEM playbooks to respond automatically to high-risk users.

Monitor Identity Protection Logs

Logs are crucial for visibility and response. Microsoft Entra ID Protection writes logs to:

  • Sign-in logs
  • Risky users
  • Risk detections

You can integrate logs into Log Analytics, Microsoft Sentinel or export to a SIEM.

Example KQL Query for Sentinel

SigninLogs
| where TimeGenerated > ago(7d)
| where RiskLevelDuringSignIn == "high"
| summarize HighRiskSignIns = count() by UserPrincipalName
| order by HighRiskSignIns desc

This query identifies users with frequent high-risk sign-ins. Use this to prioritize investigation or refine risk policies.

Make sure diagnostic settings for Microsoft Entra ID are enabled and routed to your log destination.

Respond to False Positives

Machine learning models may produce false positives. Technical teams should:

  • Use Risk Dismiss to manually override risk if you confirm it's safe.
  • Investigate using correlated sign-in data, IP reputation, device compliance, and recent user activity.
  • Refine policies to reduce unnecessary user friction.

Risk dismissals can be done in the portal or with the Graph API:

POST https://graph.microsoft.com/beta/identityProtection/riskyUsers/dismiss
Authorization: Bearer <token>
Content-Type: application/json

{
  "userIds": [ "<user-id>" ]
}

Add audit logging to track overrides for security and compliance reasons.
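The following Python example is added here and is not part of the original article or of the Graph API: it applies the logic of the Sentinel query above to constructed SigninLogs-style rows, decides per user between confirmCompromised, dismiss and manual review using a trusted-IP list, and builds the request bodies for the two riskyUsers actions together with an audit record for each decision. The user IDs, UPNs, IP addresses and the trusted-IP set are assumed sample values.

```python
from collections import Counter, defaultdict

# Constructed rows shaped like Sentinel SigninLogs (UserId = Entra object id). Sample data, not real.
SIGNIN_LOGS = [
    {"UserId": "u-1111", "UserPrincipalName": "alice@contoso.example", "RiskLevelDuringSignIn": "high", "IPAddress": "203.0.113.10"},
    {"UserId": "u-1111", "UserPrincipalName": "alice@contoso.example", "RiskLevelDuringSignIn": "high", "IPAddress": "203.0.113.11"},
    {"UserId": "u-2222", "UserPrincipalName": "bob@contoso.example", "RiskLevelDuringSignIn": "high", "IPAddress": "198.51.100.5"},
    {"UserId": "u-3333", "UserPrincipalName": "carol@contoso.example", "RiskLevelDuringSignIn": "high", "IPAddress": "203.0.113.12"},
    {"UserId": "u-3333", "UserPrincipalName": "carol@contoso.example", "RiskLevelDuringSignIn": "high", "IPAddress": "198.51.100.5"},
    {"UserId": "u-4444", "UserPrincipalName": "dave@contoso.example", "RiskLevelDuringSignIn": "low", "IPAddress": "203.0.113.13"},
]
TRUSTED_IPS = {"198.51.100.5"}  # assumed corporate egress address (a trusted named location)


def high_risk_counts(rows):
    """Same result as the KQL query above: high-risk sign-ins per UserPrincipalName."""
    return Counter(r["UserPrincipalName"] for r in rows if r["RiskLevelDuringSignIn"] == "high")


def triage(rows, trusted_ips, threshold=2):
    """Pick an action per user; return Graph riskyUsers request bodies plus audit records.
    confirmCompromised: all high-risk sign-ins from untrusted IPs and count >= threshold.
    dismiss: all high-risk sign-ins from trusted IPs (likely false positive).
    Anything mixed or below threshold is left for an analyst (review)."""
    by_user = defaultdict(list)
    for r in rows:
        if r["RiskLevelDuringSignIn"] == "high":
            by_user[r["UserId"]].append(r)
    out = {"confirmCompromised": {"userIds": []}, "dismiss": {"userIds": []}, "review": [], "audit": []}
    for uid, events in by_user.items():
        upn = events[0]["UserPrincipalName"]
        untrusted = [e for e in events if e["IPAddress"] not in trusted_ips]
        if len(untrusted) == len(events) and len(events) >= threshold:
            action = "confirmCompromised"
            out[action]["userIds"].append(uid)
        elif not untrusted:
            action = "dismiss"
            out[action]["userIds"].append(uid)
        else:
            action = "review"
            out[action].append(upn)
        # One audit record per decision so overrides stay traceable for compliance.
        out["audit"].append({"user": upn, "action": action, "highRiskSignIns": len(events),
                             "ips": sorted({e["IPAddress"] for e in events})})
    return out
```

The "confirmCompromised" and "dismiss" dicts are the bodies for POST /identityProtection/riskyUsers/confirmCompromised and /dismiss; the audit list is what you would forward to your log destination.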

Simulate and Test Identity Protection Policies

After setting up Identity Protection policies, it's critical to test their behavior before applying them organization-wide. This avoids accidental lockouts or unexpected access denials. Microsoft Entra ID provides multiple testing and simulation options that technical teams should use regularly to validate risk policies and access controls.

Testing helps ensure that policies:

  • Enforce the correct actions for specific risk levels
  • Do not block legitimate users
  • Work with existing MFA or hybrid identity configurations

Use the “What If” Tool for Conditional Access

Microsoft Entra ID’s built-in What If tool simulates how Conditional Access policies apply to a given user, location, device, or risk level.

Steps:

  1. Go to Microsoft Entra ID > Security > Conditional Access > What If
  2. Select a test user, location, platform, sign-in risk level, and app
  3. Run the simulation to see which policies apply and what the result would be

This helps you validate your Identity Protection risk policies in the context of Conditional Access logic.
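Added example, not from the original article or from Microsoft's tooling: a small Python model of how a What If evaluation resolves risk-based Conditional Access policies in the shape of the JSON shown earlier, using the tiers from the Best Practices list. The policies and simulated sign-ins are constructed, and only the user risk and sign-in risk conditions are modelled, not user, app or location scoping.

```python
# Constructed policies in the shape of the Graph conditionalAccessPolicy body shown earlier;
# names, states and risk tiers are assumed, following the Best Practices list in this guide.
POLICIES = [
    {"displayName": "Block high user risk", "state": "enabled",
     "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA on medium or high sign-in risk", "state": "enabled",
     "conditions": {"userRiskLevels": [], "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Report-only: MFA on low user risk", "state": "enabledForReportingButNotEnforced",
     "conditions": {"userRiskLevels": ["low"], "signInRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def policy_applies(policy, sign_in):
    """A policy matches when each risk condition it sets contains the sign-in's level.
    An empty list means the policy sets no condition on that risk type."""
    cond = policy["conditions"]
    for key, field in (("userRiskLevels", "userRisk"), ("signInRiskLevels", "signInRisk")):
        levels = cond.get(key) or []
        if levels and sign_in[field] not in levels:
            return False
    return True


def what_if(policies, sign_in):
    """Return (result, enforced_policies, report_only_policies) for a simulated sign-in.
    'block' overrides any other control; report-only policies are listed but not enforced;
    disabled policies are ignored."""
    enforced, report_only, controls = [], [], set()
    for p in policies:
        if not policy_applies(p, sign_in):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
        elif p["state"] == "enabled":
            enforced.append(p["displayName"])
            controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:
        result = "block"
    elif controls:
        result = "grant, require " + "+".join(sorted(controls))
    else:
        result = "grant"
    return result, enforced, report_only
```

Running a sign-in with high user risk through what_if() returns "block", while low user risk only lists the report-only policy, which is the outcome you want to confirm before switching a policy to enabled.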

Test Risk Detection with Test Accounts

For real-world testing:

  • Use non-production test accounts.
  • Simulate high-risk sign-ins by logging in from unusual locations or using TOR/VPN (in a controlled environment).
  • Monitor the Risky sign-ins and Risky users reports to see how the risks are detected.

You can also use Microsoft’s Risky Sign-in Simulator to generate test signals.

Monitor Impact in Real-Time

After applying policies to a pilot group:

  • Use Sign-in logs to monitor access behavior
  • Check Risk detections to validate that policy thresholds are working as expected
  • Watch for increased MFA prompts or access blocks

Update your policy scope gradually—start with a few users or groups, validate logs, and expand in phases.

Insight by
Dr. Tal Shapira
Cofounder & CTO at Reco

Tal is the Cofounder & CTO of Reco. Tal has a Ph.D. from Tel Aviv University with a focus on deep learning, computer networks, and cybersecurity and he is the former head of the cybersecurity R&D group within the Israeli Prime Minister's Office. Tal is a member of the AI Controls Security Working Group with CSA.

Expert Insight: How Mature Security Teams Streamline Identity Threat Response


Mature security teams should use advanced tools and automation to reduce risks and speed up response across identity, device, and email threats.

  • Custom Roles for Risk Response: Define RBAC roles and allow security teams to respond to risks without granting them global admin access.
  • CA Policy Analytics Preview: Leverage Conditional Access Insights & Reporting to verify your policy changes prior to deployment.
  • Advanced hunting queries: From a single Advanced Hunting query window, use KQL queries in Microsoft 365 Defender to traverse signals from email, identity, and devices.
  • Risk Signal Tuning: Use Identity Protection reports to assist in identifying false positives, then fine-tune your trusted locations and devices.
  • Automated Risk Remediation: Implement automated playbooks in Microsoft Sentinel to respond instantly to identity risks detected by Entra ID, reducing manual intervention and speeding up threat mitigation.

Conclusion

Microsoft Entra ID Protection is an effective tool for reducing identity-based attacks. For technical teams, combining automated policies, monitoring, and integrations translates into proactive control over risky sign-ins and compromised users. Review your policies regularly, integrate them into your wider security operations, and iterate on them using the relevant telemetry.

Treat this as an ongoing process rather than a one-time setup: it always needs evaluation, tuning, and validation. Set up properly, it forms the foundation of your identity security posture.
