Introduction to Azure AD Identity Protection
Introduction to Azure AD Identity Protection

This course will provide you with an understanding of what Azure Identity Protection is, what it does, and how to implement identity protection policies.

Learning Objectives

  • Understand what Azure Identity Protection is, what it does, and what it consists of
  • Learn about the different identity protection policies that are available and what they do
  • Learn how to configure an Azure identity protection policy

Intended Audience

This course is intended for anyone who wishes to learn about Azure Identity Protection.


To get the most out of this course, you should have a basic understanding of Azure Active Directory.


Hello and welcome to Azure Identity Protection. In this lesson, we’ll take a look at what it is and what it does.

Azure Identity Protection is used to automatically detect identity-based risks and to help automate remediation of those risks. You can use it to investigate identity-based risks, using data in the portal, AND you can use it to export risk detection data to a third-party SIEM.

Signals picked up by Identity Protection can also be forwarded to other Azure services, like Conditional Access, for example. Doing this allows Conditional Access to make access decisions that are based on the risk signals generated by Identity Protection. This automation helps organizations pick up on risks much quicker and it helps remediate those risks far more quickly than a manual intervention could.

Identity Protection can identify all kinds of identity-centric risks, including those that you see on your screen.

It can identify others as well, but these are the most common.

When Identity Protection detects a risk, remediation actions can be automatically triggered. For example, Identity Protection can automatically force a user to perform Multi-Factor Authentication, or maybe reset their password using SSPR, or you can even automatically block the user until an admin investigates and takes action.

When investigating detections that are picked up by Identity Protection, you can leverage three different reports to assist you in your efforts. You can leverage the Risky Users report, the Risky Sign-Ins report, and the Risk Detections report.

The Risky Users Report allows you to determine users that have been deemed risky, it allows you to view users who have had risk remediated, and those who have had a risk dismissed.

The Risky Sign-ins Report contains up to 30 days’ worth of data that’s filterable. You can use this report to identify sign-ins that have been classified as at risk, confirmed compromised, confirmed safe, dismissed, or remediated.

And then you have the Risk Detections Report. This report contains up to three months’ worth of filterable data that can be used to find information about all risk detections, including other risks triggered at the same time, and even the locations where sign-in attempts have come from.

Let’s talk a little bit about risk levels, now. When Azure Identity Protection identifies a risk, it categorizes is into one of three tiers. You have the low, medium, and high tiers. Each tier represents a higher confidence level in a risk that’s been assigned to that tier. In other words, there is higher confidence in a risk being an actual risk if it is categorized as a high risk rather than a medium risk. The same goes for a risk categorized as medium versus low. This means that, while there may be some low risks that aren’t really risks at all, those that are categorized as high risks should raise all kinds of red flags, because confidence is high that those risks are, indeed, high risks that need to be addressed.

Now, before we wrap up this lesson, I just want to touch on permissions and licensing as they relate to Azure Identity Protection. More specifically, I want to point out that you need to be a Security Reader, a Security Operator, a Security Administrator, a Global Reader, or a Global Administrator to access Azure Identity Protection. The role you are assigned will determine what specific actions you can take with it.


The table on your screen breaks them down.

As far as licensing goes, I just want to mention that, while you can get a little bit of Azure Identity Protection reporting if you have an Azure AD Premium P1 license, to really do anything meaningful with Azure Identity Protection, you need to possess an Azure AD Premium P2 license. 


So, with that, join me in the next lesson, where we’ll take a look at the different Identity Protection Policies that are available.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.