Domain 2 of 4 · Chapter 3 of 4

ID Protection

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.

Included in this chapter:

  • User risk vs sign-in risk: the two scores
  • Risk-based Conditional Access (and the legacy retirement)
  • MFA registration policy: the remediation prerequisite
  • Investigate and remediate risky users and sign-ins
  • Risky workload identities

User risk vs sign-in risk vs workload-identity risk

DimensionUser riskSign-in riskWorkload-identity risk
What it scoresProbability the identity is compromisedProbability this sign-in is not the ownerProbability an app or service principal is compromised
Scope of the scoreSticks to the user until remediatedPer individual sign-inSticks to the service principal until remediated
Example detectionsLeaked credentials, admin confirmed compromisedAnonymous IP, atypical travel, unfamiliar propertiesLeaked credentials, suspicious sign-ins, anomalous SP activity
Typical remediation controlRequire secure password change (risk remediation)Require MFA (re-prove identity)Block via CA, then rotate credentials
Self-remediation possible?Yes, password reset after MFAYes, pass MFANo, admin rotates credentials
License for full detailEntra ID P2Entra ID P2Workload Identities Premium

Decision tree

What kind of identity?User or workloadWorkload identityUserBlock via CA, rotatecredentials (x509)Which risk signal?User risk or sign-in riskUser risk = HighSign-in riskRequire risk remediation(secure password change)Risk level?Low vs Medium/HighMedium or HighLowRequire MFAUser re-proves identityMonitor onlyNo interruptAlways exclude break-glass accounts; confirmed compromised = Block sign-in / revoke sessions

Cheat sheet

  • User risk scores the account; sign-in risk scores one sign-in
  • Risk is reported on a four-level scale
  • Build risk responses as risk-based Conditional Access, not the legacy policies
  • High user risk requires secure password change; medium/high sign-in risk requires MFA
  • Keep user-risk and sign-in-risk conditions in separate policies
  • A secure password change must run through the risky-user remediation flow
  • Users must register for MFA before they can self-remediate
  • The MFA registration policy gives a 14-day grace period
  • Leaked credentials is always High and needs password hash sync for on-prem
  • Real-time detections can block live; offline detections raise risk after the fact
  • Investigate risk from the Risky users, Risky sign-ins, and Risk detections reports
  • Drive and export risk through Microsoft Graph and diagnostic settings
  • P2 unlocks full risk detail; Free and P1 see only a generic label
  • Workload identities are scored separately and cannot self-remediate
  • Remediate a risky workload identity by rotating credentials to certificates
  • Managed identities are out of scope for ID Protection risk
  • Risk-based Conditional Access for service principals needs Workload Identities Premium
  • Always exclude break-glass and service accounts from risk policies
  • Confirm compromised and confirm safe train the risk engine

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://learn.microsoft.com/en-us/entra/id-protection/concept-risk-detection-types
  2. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  3. https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  4. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
  5. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
  6. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-remediate-unblock
  7. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-graph-api
  8. https://learn.microsoft.com/en-us/entra/id-protection/howto-export-risk-data
  9. https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk