Microsoft Entra ID Protection
Microsoft Entra ID Protection is a security feature within Microsoft Entra (formerly Azure Active Directory) that helps organizations detect, investigate, and remediate identity-based risks. It leverages Microsoft's vast experience in analyzing trillions of signals daily to identify and address potential threats to user identities.

**Key Capabilities:**

1. **Risk Detection:** ID Protection automatically detects suspicious activities and anomalies related to user sign-ins and identities. It evaluates risk at two levels:
   - **User Risk:** the probability that a user's identity or account has been compromised (e.g., leaked credentials found on the dark web).
   - **Sign-in Risk:** the likelihood that a specific authentication request is unauthorized (e.g., sign-ins from anonymous IP addresses, atypical travel patterns, or unfamiliar locations).
2. **Automated Remediation:** Organizations can configure risk-based Conditional Access policies that respond automatically to detected risk levels, for example requiring multi-factor authentication (MFA) when a medium sign-in risk is detected, or forcing a password reset when a user risk is flagged as high.
3. **Investigation Tools:** Administrators can review and investigate detected risks through detailed reports covering risky users, risky sign-ins, and risk detections. These reports provide insight into the nature and context of each risk event.
4. **Data Export:** Risk detection data can be exported to third-party tools such as SIEM (Security Information and Event Management) solutions for further analysis and correlation with other security events.

**How It Works:** Microsoft uses machine learning algorithms and heuristics fed by signals from Microsoft's global ecosystem to assess risk in real time. Each sign-in and user behavior is evaluated against known attack patterns and anomalies.

**Benefits:**
- Proactive protection against identity-based attacks
- Reduced manual investigation workload through automation
- Enhanced security posture with risk-based access controls

ID Protection is available with Microsoft Entra ID P2 licenses, making it an essential tool for organizations seeking robust identity security.
Microsoft Entra ID Protection: A Complete Guide for SC-900
Why Is Microsoft Entra ID Protection Important?
In today's threat landscape, identity is the new security perimeter. Attackers constantly target user credentials through phishing, brute-force attacks, password spray, and credential stuffing. Organizations need an automated, intelligent way to detect, investigate, and remediate identity-based risks before they result in a breach. Microsoft Entra ID Protection addresses this critical need by leveraging Microsoft's vast threat intelligence — gathered from trillions of signals across its ecosystem — to proactively protect user identities and organizational resources.
Without a solution like ID Protection, security teams would need to manually monitor sign-in logs, correlate suspicious activity, and respond to threats — a process that is far too slow for modern attacks. ID Protection automates this entire lifecycle, making it an essential component of any Zero Trust security strategy.
What Is Microsoft Entra ID Protection?
Microsoft Entra ID Protection is a cloud-based security service within Microsoft Entra (formerly Azure Active Directory) that helps organizations:
• Detect identity-based risks using machine learning and heuristic analysis
• Investigate detected risks through comprehensive reporting and dashboards
• Remediate risks automatically or through administrator-defined policies
ID Protection works by analyzing every authentication attempt and user behavior to assign a risk level (low, medium, or high) to both users and sign-ins. These risk signals can then be used to enforce conditional access policies that block access, require multi-factor authentication (MFA), or require a password change.
Key Concepts in Microsoft Entra ID Protection
1. Risk Types
ID Protection evaluates two categories of risk:
a) User Risk:
User risk represents the probability that a user's identity or account has been compromised. This is calculated based on offline analysis. Examples include:
• Leaked credentials — Microsoft detects that a user's credentials have appeared on the dark web or in a public data breach
• Azure AD Threat Intelligence — Microsoft's internal and external threat intelligence sources indicate the user account is compromised
• Anomalous user activity — unusual patterns that suggest account takeover
b) Sign-in Risk:
Sign-in risk represents the probability that a specific authentication request is not authorized by the identity owner. This is evaluated in real-time. Examples include:
• Anonymous IP address — sign-in from an anonymous proxy or Tor network
• Atypical travel — sign-in from a geographically distant location that is impossible given the time between sign-ins (also called impossible travel)
• Malware-linked IP address — sign-in from an IP address known to be associated with malware
• Unfamiliar sign-in properties — sign-in with properties (device, location, network) not seen recently for the user
• Password spray — multiple accounts targeted with common passwords
• Token anomaly — unusual token characteristics detected
• Azure AD Threat Intelligence — sign-in activity matching known attack patterns
2. Risk Levels
Each detected risk is assigned a level:
• High — strong confidence that the identity or sign-in is compromised
• Medium — moderate confidence of compromise
• Low — lower confidence, but still suspicious activity
• None — no risk detected
3. Risk-Based Conditional Access Policies
The real power of ID Protection lies in its integration with Microsoft Entra Conditional Access. Organizations can create policies that respond automatically to risk signals:
User Risk Policy:
• Triggered when a user's overall risk level meets or exceeds a threshold
• Common action: Require password change (with MFA) to remediate the risk
• When a user changes their password, the user risk is automatically dismissed
Sign-in Risk Policy:
• Triggered when a specific sign-in is assessed as risky
• Common action: Require MFA to prove the sign-in is legitimate
• If the user successfully completes MFA, the sign-in risk is considered remediated
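As an added example (not from the original guide), here is how the two risk-based policies above look when created through Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Identity.SignIns module, a tenant licensed for P2, and a placeholder break-glass account id; both policies are created in report-only mode so their effect can be reviewed before enforcement.

```powershell
# Added example (not from the original guide): the user-risk and sign-in-risk
# Conditional Access policies described above, created via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Identity.SignIns module and an Entra ID P2 tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object id of an emergency-access account to exclude (replace before use).
$breakGlass = "00000000-0000-0000-0000-000000000000"

# Sign-in risk policy: medium or high sign-in risk -> require MFA.
$signInRiskPolicy = @{
    displayName = "Risk: require MFA for medium or high sign-in risk"
    state       = "enabledForReportingButNotEnforced"   # report-only; set "enabled" after review
    conditions  = @{
        signInRiskLevels = @("medium", "high")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @("All") }
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# User risk policy: high user risk -> MFA AND a secure password change.
# passwordChange is only valid together with mfa under the AND operator.
$userRiskPolicy = @{
    displayName = "Risk: require password change for high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        userRiskLevels = @("high")
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy
```

Review the report-only results in the sign-in logs before switching `state` to `enabled`; a sign-in risk policy without an excluded emergency-access account can lock administrators out if MFA is unavailable.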
4. Reports and Investigation
Microsoft Entra ID Protection provides three key reports:
• Risky users — a list of users flagged as being at risk, with details on why
• Risky sign-ins — a list of sign-in events that were flagged as risky
• Risk detections — a comprehensive list of all individual risk detection events
Administrators can use these reports to investigate incidents, confirm or dismiss risks, and refine policies. You can also export data to a SIEM (such as Microsoft Sentinel) for deeper analysis.
5. Automatic Remediation vs. Manual Investigation
• Automatic remediation — Risk-based conditional access policies handle risks without admin intervention (e.g., forcing MFA or password reset)
• Manual remediation — Admins review reports, investigate alerts, and manually confirm or dismiss compromised users
• Self-remediation — Users can remediate their own risk by completing MFA or changing their password, if policies are configured to allow this
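An added example (not from the original guide) that pulls the three reports described in sections 4 and 5 through Microsoft Graph PowerShell and shows the admin confirm/dismiss actions. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules, a P2 tenant, and a placeholder user object id.

```powershell
# Added example (not from the original guide): the Risky users, Risk detections and
# Risky sign-ins reports, plus manual admin remediation, via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns + Microsoft.Graph.Reports and an Entra ID P2 tenant.
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# 1) Risky users report: high-risk users whose risk is still active (riskState = atRisk).
$riskyUsers = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All

foreach ($u in $riskyUsers) {
    Write-Host "$($u.UserPrincipalName)  level=$($u.RiskLevel)  state=$($u.RiskState)  detail=$($u.RiskDetail)"

    # 2) Risk detections report: the individual events behind this user's risk.
    #    DetectionTimingType is 'realtime' for sign-in risk and 'offline' for user risk,
    #    the distinction the guide draws between the two risk types.
    $detections = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All
    foreach ($d in $detections) {
        Write-Host ("   {0}  {1,-28} {2,-9} {3}" -f $d.ActivityDateTime, $d.RiskEventType,
                                                    $d.DetectionTimingType, $d.IpAddress)
    }
}

# 3) Risky sign-ins report: high-risk sign-ins not yet remediated or dismissed.
Get-MgAuditLogSignIn -Filter "riskLevelDuringSignIn eq 'high' and riskState eq 'atRisk'" -Top 50 |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, RiskLevelDuringSignIn, RiskState, RiskDetail |
    Format-Table -AutoSize

# Manual remediation from the Risky users report (placeholder object id, replace before use).
$userId = "00000000-0000-0000-0000-000000000000"
# Confirm compromise: user risk becomes high and riskState becomes confirmedCompromised,
# so a user risk policy will require a secure password change at the next sign-in.
# Confirm-MgRiskyUserCompromised -UserIds @($userId)
# Dismiss a false positive: riskState becomes dismissed and the user is no longer flagged.
# Invoke-MgDismissRiskyUser -UserIds @($userId)
```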
How Microsoft Entra ID Protection Works — The Workflow
1. A user attempts to sign in to a Microsoft Entra-protected resource
2. Microsoft Entra evaluates the sign-in using machine learning models and threat intelligence
3. A sign-in risk level is assigned in real-time; a user risk level is calculated offline and updated
4. Conditional Access policies evaluate the risk levels and determine the appropriate response
5. Based on the policy, the user may be: allowed access, required to complete MFA, required to change their password, or blocked entirely
6. Risk detections appear in the ID Protection reports for investigation
7. If the user successfully remediates (e.g., completes MFA, changes password), the risk state is updated
Licensing Requirements
• Basic risk detection and risky sign-in/user reports are available with Microsoft Entra ID P1 (formerly Azure AD Premium P1)
• Full ID Protection capabilities, including risk-based conditional access policies and detailed risk detections, require Microsoft Entra ID P2 (formerly Azure AD Premium P2)
This is an important distinction for the SC-900 exam.
Integration with Other Microsoft Security Services
Microsoft Entra ID Protection integrates with:
• Microsoft Entra Conditional Access — to enforce risk-based access policies
• Microsoft Sentinel — to forward risk data for advanced security analytics
• Microsoft Defender for Cloud Apps — for broader session monitoring
• Microsoft 365 Defender — to correlate identity risks with other threat signals
Exam Tips: Answering Questions on Microsoft Entra ID Protection
Here are critical tips to help you answer SC-900 exam questions about ID Protection accurately:
Tip 1: Know the Difference Between User Risk and Sign-in Risk
This is one of the most commonly tested concepts. User risk reflects the likelihood that the user's account is compromised (detected offline). Sign-in risk reflects the likelihood that a particular sign-in attempt is not legitimate (detected in real-time). If an exam question mentions leaked credentials, think user risk. If it mentions anonymous IP or atypical travel, think sign-in risk.
Tip 2: Remember the Remediation Actions
• User risk → Require password change (often combined with MFA)
• Sign-in risk → Require MFA
If a question asks what action to take for a compromised user, the answer is typically requiring a secure password change. For a suspicious sign-in, it is requiring MFA.
Tip 3: Understand That ID Protection Requires P2 Licensing for Full Features
Exam questions may ask about licensing. Remember that risk-based conditional access policies and the full ID Protection experience require Microsoft Entra ID P2. If a question mentions a Free or P1 license, full ID Protection features are not available.
Tip 4: Know the Three Reports
Be prepared for questions about what administrators can see. The three reports are: Risky users, Risky sign-ins, and Risk detections. Know what each one shows.
Tip 5: ID Protection Detects, Investigates, and Remediates
Microsoft often frames ID Protection around three pillars: detect, investigate, and remediate. If an exam question asks about the purpose or capabilities of ID Protection, look for answers that reference all three of these actions.
Tip 6: Risk Can Be Dismissed or Confirmed by Admins
Admins can manually confirm compromise, dismiss risk, or block a user from the reports. This is part of the investigation and remediation workflow. Questions may test whether you understand that admin intervention is possible alongside automated policies.
Tip 7: Integration with Conditional Access Is Key
In its current form, ID Protection does not enforce policies on its own. It provides risk signals, and Conditional Access policies take action based on those signals. If a question asks how to enforce risk-based access controls, the answer involves Conditional Access, not ID Protection alone.
Tip 8: Watch for Impossible Travel and Anonymous IP Keywords
These are the most commonly referenced sign-in risk detections. If a scenario describes a user signing in from two distant locations within a short time, the answer relates to atypical/impossible travel — a sign-in risk detection.
Tip 9: Self-Remediation Is a Valid Concept
Users can remediate their own risk if the policy allows it (e.g., completing MFA to clear sign-in risk, or changing their password to clear user risk). This reduces the burden on administrators and is a valid answer choice in exam questions about remediation.
Tip 10: ID Protection Is Part of the Zero Trust Model
SC-900 emphasizes Zero Trust principles: verify explicitly, least privilege access, and assume breach. ID Protection supports the verify explicitly and assume breach principles by continuously evaluating risk and requiring additional verification when risk is detected. If a question links Zero Trust to identity protection, this is the connection to make.
Quick Summary for Exam Day
• Microsoft Entra ID Protection = automated identity risk detection, investigation, and remediation
• Two risk types: User risk (offline, account compromised) and Sign-in risk (real-time, suspicious sign-in)
• Three risk levels: High, Medium, Low
• Three reports: Risky users, Risky sign-ins, Risk detections
• Risk-based policies are enforced via Conditional Access
• User risk remediation = password change; Sign-in risk remediation = MFA
• Requires Microsoft Entra ID P2 for full functionality
• Supports Zero Trust by continuously evaluating identity risk