How to Set Up Entra ID Identity Protection

Published 7 October 2025 · 8 min read

Microsoft Entra ID Identity Protection uses machine learning and Microsoft threat intelligence to detect risky sign-ins and risky users. Some detections fire in real time during the sign-in; others (leaked credentials, atypical travel, password spray) are calculated offline and appear a little later. When risk is detected, a risk-based policy can automatically require MFA, require a secure password change, or block access, without an administrator having to act first.

How Identity Protection works

Entra ID evaluates every sign-in against signals from Microsoft threat intelligence and the user's own history: anonymous IP addresses, unfamiliar sign-in properties, atypical travel, password spray, leaked credentials. Two separate scores come out of this. Sign-in risk is the probability that one particular authentication was not performed by the account owner. User risk is the probability that the account itself is compromised; it is raised by user-level detections such as leaked credentials and by accumulated risky sign-ins. Each is rated Low, Medium or High (or None), and your policies decide what happens at each level.

Requires Entra ID P2 (included in Microsoft 365 E5 and EMS E5, or bought as the Entra ID P2 add-on). The sign-in risk and user risk policy blades used below are the legacy Identity Protection policies. Microsoft now recommends building the same controls as Conditional Access risk-based policies and is retiring the legacy blades, so a new tenant should start in Conditional Access; the risk levels and controls are the same either way.

Configure sign-in risk policy

Entra ID → Security → Identity Protection → Sign-in risk policy

Sign-in risk policy settings
Sign-in risk level: Medium and above (start with Medium; Low generates too much noise)
Access: Require MFA (challenge risky sign-ins rather than block them outright)
Policy enforcement: On

Start with Medium risk. A Low threshold produces too many false positives; Medium and High catch genuine attacks with far less disruption. Two caveats before you switch enforcement on: a user who is not yet registered for MFA cannot satisfy the control and is blocked instead, so enable the MFA registration policy (or an MFA Conditional Access policy) first; and exclude your break-glass accounts so a noisy detection cannot lock administrators out.

Configure user risk policy

Entra ID → Security → Identity Protection → User risk policy

User risk policy settings
User risk level: High (High means the account is probably compromised, so force a password change)
Access: Require password change (the user is blocked until they set a new password)
Policy enforcement: On

The password change is a secure one: the user must pass MFA before they can set a new password, so, as with the sign-in risk policy, users need to be registered for MFA first. For accounts synchronised from on-premises Active Directory, the change also requires password writeback in Entra Connect; without it the user is stuck at the prompt until an administrator resets the password manually.
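The same two policies built as Conditional Access risk-based policies with the Microsoft Graph PowerShell SDK, which is the form Microsoft now recommends over the legacy Identity Protection blades. This is an added example, not part of the original guide: the break-glass group id is a placeholder you must replace, the policy names are arbitrary, and both policies are created in report-only mode so you can check their effect in the sign-in logs before changing the state to enabled.

```powershell
# Added example: sign-in risk and user risk policies as Conditional Access policies.
# Requires the Microsoft.Graph.Identity.SignIns module and an Entra ID P2 licence.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object id of the break-glass / emergency access group to exclude.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Report-only first: the policy is evaluated and logged but never enforced.
$State = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review

# Sign-in risk policy: Medium and High sign-in risk -> require MFA on every sign-in
$SignInRiskPolicy = @{
    displayName = 'IdP - Sign-in risk Medium+ require MFA'
    state       = $State
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

# User risk policy: High user risk -> MFA AND secure password change, every time
$UserRiskPolicy = @{
    displayName = 'IdP - User risk High require password change'
    state       = $State
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        userRiskLevels = @('high')
    }
    # passwordChange is only valid together with mfa and the AND operator.
    grantControls   = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

foreach ($Policy in @($SignInRiskPolicy, $UserRiskPolicy)) {
    $Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $Created.DisplayName, $Created.Id, $Created.State)
}
```

Leave both policies in report-only for at least a week, then check the sign-in logs for entries where the report-only result is "Failure" and confirm they are the sign-ins you want to interrupt before setting state to enabled.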

Risk detections

Identity Protection → Risk detections

Common risk detections
Anonymous IP address (sign-in risk, real time): sign-in from Tor or an anonymising VPN. Frequently a legitimate remote worker on a privacy VPN, so check the user's pattern before treating it as an attack.
Atypical travel (sign-in risk, offline): two sign-ins from locations that cannot be travelled between in the time available. High accuracy once the user's normal locations have been learned.
Leaked credentials (user risk, offline): the user's credentials were found in a public breach dump or on a criminal forum. Always investigate immediately; this detection raises user risk directly, so it will trigger the user risk policy on its own.
Password spray (sign-in risk, offline): many accounts each receiving a small number of failed attempts from the same source, below the lockout threshold.
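A triage pass over the last week of risk detections with the Microsoft Graph PowerShell SDK, grouping them by type so the urgent ones (leaked credentials) stand out from the noisy ones (anonymous IP). This is an added example, not part of the original guide; the priority labels are my own, and the date filter is applied client-side so the query does not rely on server-side $filter support for the date fields.

```powershell
# Added example: list and triage recent risk detections by Graph riskEventType.
# Requires Microsoft.Graph.Identity.SignIns and the IdentityRiskEvent.Read.All scope.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All'

$Since = (Get-Date).AddDays(-7).ToUniversalTime()

# Graph riskEventType values for the detections discussed above, with a triage label
# (my own labels; any type not listed is shown as 'review').
$Priority = @{
    leakedCredentials   = 'investigate now'   # user risk, offline: the password is public
    passwordSpray       = 'investigate'       # sign-in risk, offline
    unlikelyTravel      = 'investigate'       # shown as "Atypical travel" in the portal
    anonymizedIPAddress = 'tune / verify'     # Tor or anonymising VPN, often a remote worker
}

# Only detections that are still open: remediated, dismissed and confirmedSafe are excluded.
$Detections = Get-MgRiskDetection -All |
    Where-Object { $_.DetectedDateTime -ge $Since -and $_.RiskState -in @('atRisk', 'confirmedCompromised') }

$Detections |
    Select-Object @{ n = 'Priority'; e = { if ($Priority.ContainsKey($_.RiskEventType)) { $Priority[$_.RiskEventType] } else { 'review' } } },
                  RiskEventType, RiskLevel, RiskState, UserPrincipalName, IPAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                  DetectedDateTime |
    Sort-Object DetectedDateTime -Descending |
    Format-Table -AutoSize

# Count by type: if anonymizedIPAddress dominates, tune the VPN population
# before lowering the sign-in risk threshold.
$Detections | Group-Object RiskEventType | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```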

Investigating and remediating

Identity Protection → Risky users → select user

If it is a genuine compromise, work in this order: block sign-in (disable the account), reset the password, revoke sessions and refresh tokens, review what the account accessed during the compromise period (the sign-in logs, plus any MFA methods, device registrations, app consents or mailbox rules added since the first detection), then select Confirm user compromised so Identity Protection records the verdict and raises user risk to High. If the detection turns out to be benign, select Dismiss user risk (or Confirm sign-in safe for a single sign-in) so the account is not left stuck behind the user risk policy.
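The remediation steps above as a runbook in Microsoft Graph PowerShell, run against a single user. This is an added example, not part of the original guide: the UPN is a placeholder, the compromise window is derived from the earliest open detection for that user (24 hours before it, or the last 7 days if none is recorded), and re-enabling the account is left as a manual step once the new password and MFA methods have been verified with the user.

```powershell
# Added example: remediation runbook for one confirmed-compromised account.
# Order matters: cut access first, then revoke tokens, then collect evidence, then record the verdict.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All', 'AuditLog.Read.All',
                        'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.ReadWrite.All', 'UserAuthenticationMethod.Read.All'

$Upn  = 'compromised.user@contoso.example'   # placeholder
$User = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Block sign-in
Update-MgUser -UserId $User.Id -AccountEnabled:$false

# 2. Reset the password to a random value and force a change at next sign-in
$NewPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $User.Id -PasswordProfile @{ Password = $NewPassword; ForceChangePasswordNextSignIn = $true }

# 3. Revoke refresh tokens so cached sessions on the attacker's devices stop working
Revoke-MgUserSignInSession -UserId $User.Id | Out-Null

# 4. Review what the account did during the compromise window
$Earliest = Get-MgRiskDetection -Filter "userId eq '$($User.Id)'" |
    Where-Object { $_.RiskState -in @('atRisk', 'confirmedCompromised') } |
    Sort-Object DetectedDateTime | Select-Object -First 1
$WindowStart    = if ($Earliest) { $Earliest.DetectedDateTime.AddHours(-24) } else { (Get-Date).AddDays(-7) }
$WindowStartIso = $WindowStart.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Get-MgAuditLogSignIn -Filter "userId eq '$($User.Id)' and createdDateTime ge $WindowStartIso" -All |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress,
                  @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
                  RiskLevelDuringSignIn, ConditionalAccessStatus,
                  @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { $_.Status.ErrorCode } } } |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# Persistence check: an attacker who registered their own MFA method survives a password reset
Get-MgUserAuthenticationMethod -UserId $User.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } | Format-Table -AutoSize

# 5. Confirm compromised in Identity Protection: sets user risk to High and records the verdict
Confirm-MgRiskyUserCompromised -UserIds @($User.Id)

# Re-enable with: Update-MgUser -UserId $User.Id -AccountEnabled:$true
# only after the user has been contacted and any unknown MFA methods removed.
```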

Frequently Asked Questions

Q: Does Identity Protection work without Conditional Access?

Detection works on its own: risky users and risk detections are populated whether or not you have any policy. The legacy sign-in risk and user risk policies described above can also remediate without Conditional Access, but Microsoft is retiring them, so any new remediation policy should be a Conditional Access risk-based policy, which also gives you report-only mode to measure the impact before enforcing.

Q: What happens to a High risk user?

With a user risk policy set to High and Require password change, a High risk user is interrupted at their next sign-in, must complete MFA, and must then set a new password before access is granted. Once the password is changed the user risk is remediated automatically. Without a user risk policy the risk is only recorded under Risky users and nothing interrupts the account until an administrator acts.

Q: Can I test Identity Protection?

Yes. Signing in with a test account from the Tor Browser triggers an Anonymous IP address detection within minutes, and if the sign-in risk policy is on you will be prompted for MFA. To exercise the user risk policy, open the test account under Risky users and select Confirm user compromised, which sets its user risk to High and triggers the password change on the next sign-in.

Related Guides

-> Audit Sign-In Logs
-> Conditional Access
-> Why MFA Matters