Risky users reporting and remediation

Microsoft Entra ID Protection collects and analyzes data from user sign-in behaviors such as leaked credentials, anonymous IP use, atypical travel, sign in from unfamiliar locations or infected devices, and more. Based on that data, Microsoft Entra ID Protection identifies potential risky sign-in attempts and potential risky users. See Microsoft's documentation: What are risk detections?

Use Cloud Commander to manage the risks detected by Microsoft Entra ID Protection. Cloud Commander displays a single view of risky users across all your managed tenants, so you don't need to sign in to customer tenants individually.

To view and manage your customer's risky users in Cloud Commander, your customer must have a user in the tenant with Microsoft Entra ID P2 license. Microsoft requires a P2 license to access the risky users API, which Cloud Commander uses to gather the data.

To view risky users across your managed tenants, go to Security > Risky Users. See View risky users.

To use the following actions to manage risky, see Manage risky users.

  • Reset passwords for risky users
  • Block user sign-in for risky users
  • Confirm compromised users
  • Dismiss user risk
  • Unblock user sign-in

For more information about investigating risk, see the Microsoft Entra ID Protection documentation.

Related articles

Updated: Oct 18, 2024