Entra ID Identity Protection
Status: Final
Entra ID Identity Protection (formerly Azure AD Identity Protection) is Microsoft's ML-based risk engine built into Entra ID. It detects anomalous sign-in and user behaviors, assigns risk scores, and integrates with Conditional Access to enforce stepped-up authentication or block access in real time.
Risk Types
Sign-In Risk
Probability that a specific authentication attempt was not made by the legitimate account owner. Evaluated per sign-in, in real time.
| Detection | Description | Risk Level |
|---|---|---|
| Anonymous IP address | Sign-in from Tor, known anonymizing proxy | High |
| Atypical travel | Sign-in from geographically improbable locations | Medium–High |
| Malware-linked IP | IP known to C2 / botnet infrastructure | High |
| Unfamiliar sign-in properties | Device, browser, ASN outside user's baseline | Low–Medium |
| Password spray | Multiple failed + one success pattern | High |
| Leaked credentials | Credential found in breach database | High |
| Token issuer anomaly | Token from unexpected issuer | Medium |
| Suspicious browser | Browser/UA string not seen for this user | Medium |
| AiTM phishing session cookie | Detected reverse-proxy-acquired token reuse | High |
User Risk
Probability that a user account has been compromised. Aggregated over time from the user's risky sign-in events plus other signals, so it persists until remediated or dismissed.
| Detection | Description |
|---|---|
| Leaked credentials | Email/password pair found in public breach dump |
| Anomalous user activity | Bulk mailbox access, unusual app consent |
| Suspicious API activity | Unusual Graph API calls (mass data export, role manipulation) |
| User reported as compromised | Admin manually flags |
| Unusual deletion activity | Bulk delete of emails/files |
Risk Levels
| Level | Meaning | Typical Conditional Access response |
|---|---|---|
| Low | Minor signal, possibly FP | Log, no block |
| Medium | Actionable signal | Require MFA re-authentication |
| High | Strong compromise indicator | Block or require password change + MFA |
Integration with Conditional Access
Identity Protection feeds risk scores into Conditional Access policies:
Sign-in risk policy:

```text
IF user = all users
AND sign-in risk = High
THEN require MFA (or block)
```

User risk policy:

```text
IF user risk = High
THEN require password change + MFA
```
This creates a real-time adaptive authentication loop: attacker behavior triggers risk → CA enforces additional control → attacker's session is challenged or terminated.
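The adaptive loop above, modelled in code. This is an added example, not Microsoft's code or the page's own: the two policy dictionaries follow the field shape of the Microsoft Graph `conditionalAccessPolicy` resource (`signInRiskLevels`, `userRiskLevels`, `grantControls`), while `policy_applies()` and `evaluate()` are a simplified, hypothetical model of how Conditional Access combines in-scope policies, written to show why the two policies produce "challenge", "allow" or "block" for a given request.

```python
"""Risk-based Conditional Access as an evaluation loop (added example, not Microsoft code).

Policy dictionaries mirror the Graph conditionalAccessPolicy shape; the evaluator
is a simplified, hypothetical model of the real service's decision logic.
"""
from dataclasses import dataclass

SIGN_IN_RISK_POLICY = {
    "displayName": "Sign-in risk High: require MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "signInRiskLevels": ["high"],
    },
    # operator OR: satisfying any one listed control is enough.
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

USER_RISK_POLICY = {
    "displayName": "User risk High: password change + MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "userRiskLevels": ["high"],
    },
    # operator AND: every listed control must be satisfied before access is granted.
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
}

POLICIES = [SIGN_IN_RISK_POLICY, USER_RISK_POLICY]


@dataclass
class SignInRequest:
    """One authentication attempt with the risk levels Identity Protection assigned."""
    user: str
    sign_in_risk: str = "none"      # none | low | medium | high
    user_risk: str = "none"         # none | low | medium | high
    # Controls the user has already satisfied in this request (e.g. after an MFA prompt).
    satisfied: frozenset = frozenset()


def policy_applies(policy: dict, req: SignInRequest) -> bool:
    """A policy is in scope when it is enabled, targets the user, and every risk
    condition it sets lists the request's level. Levels are matched as listed, not
    as thresholds: a policy for ["high"] does not fire on a medium-risk sign-in."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]["includeUsers"]
    if "All" not in users and req.user not in users:
        return False
    if "signInRiskLevels" in cond and req.sign_in_risk not in cond["signInRiskLevels"]:
        return False
    if "userRiskLevels" in cond and req.user_risk not in cond["userRiskLevels"]:
        return False
    return True


def evaluate(req: SignInRequest, policies=POLICIES) -> dict:
    """Combine all in-scope policies: a block anywhere wins; otherwise the user must
    satisfy every policy's grant (OR = any one control, AND = all controls)."""
    applied, outstanding = [], set()
    for p in policies:
        if not policy_applies(p, req):
            continue
        applied.append(p["displayName"])
        grant = p["grantControls"]
        controls = set(grant["builtInControls"])
        if "block" in controls:
            return {"decision": "block", "policies": applied, "required": set()}
        if grant["operator"] == "OR":
            if not (controls & req.satisfied):
                outstanding |= controls        # any one of these would satisfy the policy
        else:
            outstanding |= controls - req.satisfied
    decision = "allow" if not outstanding else "challenge"
    return {"decision": decision, "policies": applied, "required": outstanding}


if __name__ == "__main__":
    # A high-risk sign-in with no MFA yet: CA challenges for MFA.
    print(evaluate(SignInRequest("alice@contoso.example", sign_in_risk="high")))
    # Same request after MFA succeeded: allowed.
    print(evaluate(SignInRequest("alice@contoso.example", sign_in_risk="high",
                                 satisfied=frozenset({"mfa"}))))
```

The `required` set is what the attacker in the loop has to satisfy: at High sign-in risk a session cannot continue on a stolen password alone, and at High user risk even a completed MFA still leaves `passwordChange` outstanding, which is the step that actually invalidates a leaked credential.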
Attacker Evasion Techniques
| Technique | What It Evades |
|---|---|
| Residential proxy / clean IP | Avoids anonymous IP / malware-linked IP detections |
| Slow and low — spread login attempts over days | Avoids password spray signature |
| Use victim's known ASN/location via victim-adjacent infra | Reduces atypical travel signal |
| Replay token obtained via AiTM immediately (same session) | Reduces token issuer anomaly (same session continuity) |
| Operate within normal business hours (victim's timezone) | Reduces unfamiliar sign-in properties anomaly |
Key insight: Identity Protection is better at catching commodity tooling that makes no attempt to evade it than sophisticated, OPSEC-conscious actors. Threat actors targeting high-value organizations actively manage their infrastructure to blend into normal sign-in patterns.
Investigation Workflow
When Identity Protection fires a High risk alert:
- Check sign-in logs for the flagged event — examine IP, device, user agent, MFA method used
- Check for token issuance immediately after — did a session start before the risk was remediated?
- Check downstream activity — if session was active, what Graph API calls, mailbox access, or admin actions followed?
- Check user risk history — has this user had previous risk events?
- Correlate with MDI / MDE — is there endpoint or on-prem AD activity from the same timeframe?
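The first four steps of the workflow as a triage script over log records. This is an added example, not from the original page or from Microsoft: the sign-in records are constructed sample data whose field names (`userPrincipalName`, `ipAddress`, `riskLevelDuringSignIn`, `isInteractive`, `authenticationRequirement`) follow the Graph `signIn` resource, while the activity records, the remediation timestamp and the helper functions are simplified and hypothetical. The MDI/MDE correlation step is left out because it needs endpoint data the page does not describe.

```python
"""Triage of a High-risk Identity Protection alert (added example, not Microsoft code).

Sample records below are constructed; field names on sign-ins follow the Graph
signIn resource, everything else is a simplified, hypothetical model.
"""
from datetime import datetime

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sign-in log: alice has a medium event the day before, then a High-risk
# single-factor sign-in from a new IP/UA, followed 90 s later by a token issuance.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-12T09:00:00",
     "ipAddress": "198.51.100.5", "userAgent": "Edge/124 Windows", "isInteractive": True,
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-13T22:41:00",
     "ipAddress": "198.51.100.5", "userAgent": "Edge/124 Windows", "isInteractive": True,
     "riskLevelDuringSignIn": "medium", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-14T08:02:00",
     "ipAddress": "203.0.113.77", "userAgent": "Chrome/124 Windows", "isInteractive": True,
     "riskLevelDuringSignIn": "high", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-14T08:03:30",
     "ipAddress": "203.0.113.77", "userAgent": "Chrome/124 Windows", "isInteractive": False,
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-14T08:10:00",
     "ipAddress": "198.51.100.9", "userAgent": "Edge/124 Windows", "isInteractive": True,
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "multiFactorAuthentication"},
]

# Constructed downstream activity (mailbox audit + Graph audit, simplified to one shape).
ACTIVITY = [
    {"user": "alice@contoso.example", "time": "2024-05-14T07:10:00",
     "operation": "MailItemsAccessed", "detail": "12 items"},
    {"user": "alice@contoso.example", "time": "2024-05-14T08:05:10",
     "operation": "MailItemsAccessed", "detail": "430 items"},
    {"user": "alice@contoso.example", "time": "2024-05-14T08:09:45",
     "operation": "Graph: Add app role assignment", "detail": "Mail.ReadWrite to new app"},
    {"user": "bob@contoso.example", "time": "2024-05-14T08:12:00",
     "operation": "MailItemsAccessed", "detail": "3 items"},
]

# Constructed: when an admin confirmed compromise and revoked sessions for the user.
REMEDIATION = {"alice@contoso.example": "2024-05-14T08:20:00"}


def flagged_events(sign_ins, user, level="high"):
    return [s for s in sign_ins
            if s["userPrincipalName"] == user and s["riskLevelDuringSignIn"] == level]


def sessions_before_remediation(sign_ins, flagged, remediated_at):
    """Step 2: tokens issued after the flagged event but before the risk was remediated."""
    start = ts(flagged["createdDateTime"])
    return [s for s in sign_ins
            if s["userPrincipalName"] == flagged["userPrincipalName"]
            and start < ts(s["createdDateTime"]) < remediated_at]


def downstream_activity(activity, flagged, remediated_at):
    """Step 3: what the possibly-hijacked session did while it was live."""
    start = ts(flagged["createdDateTime"])
    return [a for a in activity
            if a["user"] == flagged["userPrincipalName"]
            and start <= ts(a["time"]) <= remediated_at]


def prior_risk_events(sign_ins, flagged):
    """Step 4: any non-'none' risk on this user before the flagged event."""
    start = ts(flagged["createdDateTime"])
    return [s for s in sign_ins
            if s["userPrincipalName"] == flagged["userPrincipalName"]
            and ts(s["createdDateTime"]) < start and s["riskLevelDuringSignIn"] != "none"]


def triage(user, sign_ins=SIGN_INS, activity=ACTIVITY, remediation=REMEDIATION):
    """One summary per High-risk sign-in for the user, covering workflow steps 1-4."""
    remediated_at = ts(remediation[user]) if user in remediation else datetime.max
    reports = []
    for f in flagged_events(sign_ins, user):
        reports.append({
            "flagged_at": f["createdDateTime"],
            "ip": f["ipAddress"], "user_agent": f["userAgent"],
            "auth_requirement": f["authenticationRequirement"],
            "sessions_before_remediation": len(sessions_before_remediation(sign_ins, f, remediated_at)),
            "downstream_operations": [a["operation"] for a in downstream_activity(activity, f, remediated_at)],
            "prior_risk_events": len(prior_risk_events(sign_ins, f)),
            "exposure_minutes": (remediated_at - ts(f["createdDateTime"])).total_seconds() / 60,
        })
    return reports


if __name__ == "__main__":
    for report in triage("alice@contoso.example"):
        print(report)
```

The `exposure_minutes` value is the number that usually matters most in the write-up: the window between the risky sign-in and remediation is exactly when the token issuance and the bulk mailbox access in the sample occur, and the same windowing applied to real sign-in and audit exports answers "did a session start before the risk was remediated?" directly.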
Cross-Links
| Topic | Link |
|---|---|
| Conditional Access | conditional-access |
| Entra Overview | entra-overview |
| AiTM Phishing | aitm-phishing |
| Device Code Phishing | device-code-phishing |