Microsoft’s Identity Protection provides risk-based detections and automated policies—not group management. Microsoft Learn explains that Identity Protection “uses detections to identify potential vulnerabilities affecting your organization’s identities” and exposes user risk and sign-in risk for policy decisions. It does not support adding users to groups by “risk level”; group membership is handled by static or dynamic rules based on directory attributes, while risk is a transient signal surfaced to policies.
Identity Protection includes specific detections such as “Leaked credentials”, where Microsoft’s threat intelligence finds credentials “on the dark web or other dumps,” and flags the affected account as risky. This directly confirms the ability to detect whether credentials have been exposed publicly.
For enforcement, Identity Protection policies and Conditional Access can require stronger authentication when risk is present. The documentation states that you can configure policies to “require multi-factor authentication for sign-ins assessed as risky” and use Conditional Access conditions like User risk or Sign-in risk with the grant control Require multi-factor authentication. Thus, Identity Protection signals can invoke MFA based on risk, but they do not place users into groups.
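
The detection and enforcement described above, as an added example (not code from the original page or from Microsoft's documentation): a Microsoft Graph PowerShell script that lists leaked-credential detections and creates a Conditional Access policy requiring MFA when sign-in risk is medium or high. The policy name, the report-only state, the chosen risk levels and the excluded emergency-access group ID are assumptions; the group ID is a placeholder.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes @(
    'IdentityRiskEvent.Read.All',
    'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All',
    'Application.Read.All'
)

# 1. Detection: risk detections raised because credentials were found
#    in a public dump ("Leaked credentials").
Get-MgRiskDetection -Filter "riskEventType eq 'leakedCredentials'" -All |
    Select-Object UserPrincipalName, RiskEventType, RiskLevel, DetectedDateTime

# 2. Enforcement: risk is a policy condition, not a group membership rule.
#    Placeholder object ID for an emergency-access group excluded from
#    the policy (assumption; replace with a real group ID).
$emergencyAccessGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'EXAMPLE - Require MFA for risky sign-ins'
    # Report-only first, so the impact can be reviewed in the sign-in
    # logs before switching the state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($emergencyAccessGroupId)
        }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        # Sign-in risk condition; use userRiskLevels instead to key the
        # policy on user risk.
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # grant control: require MFA
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
    Select-Object Id, DisplayName, State
```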