Microsoft describes Identity Protection as a capability that “detects risky users and risky sign-ins using real-time and offline detections and allows you to configure automated responses.” Microsoft is explicit that detections aren’t limited to after authentication; rather, signals are evaluated during sign-in and also by offline analytics, where “some detections are offline and can take up to 48 hours to appear.” Therefore, saying it only “generates risk detections once a user is authenticated” is incorrect.
For risk scoring, Microsoft states that Identity Protection “assigns a risk level to each detection,” and that “risk levels are Low, Medium, or High,” which are then used by user-risk and sign-in-risk policies to drive remediation (for example, requiring password change or MFA).
Microsoft also defines the two core risk concepts: “User risk represents the probability that a given identity or account is compromised,” while “Sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.” These definitions underpin Conditional Access and Identity Protection policies that can require additional verification or block access based on the assessed risk.
Taken together, the documentation confirms: detections are not restricted to post-authentication (No), detections carry Low/Medium/High levels (Yes), and user risk is the probability the identity is compromised (Yes).