How to Detect and Block Identity Threats in Microsoft 365 Using Entra ID Protection?

Detect and block identity threats in Microsoft 365 using Entra ID Protection

User accounts are the most targeted entry point in Microsoft 365. Attackers sign in with stolen credentials or from accounts they have already taken over, and the unusual sign-in activity that results can go unnoticed without proper controls.

Microsoft Entra ID Protection monitors every sign-in and user account, evaluates activity based on threat signals, and takes action before access is allowed.

This guide covers setup steps and how to detect and block account-related threats in Microsoft 365.

Microsoft Entra ID Protection in Microsoft 365

Microsoft Entra ID Protection is a security feature available in Microsoft 365 E5 and Entra ID P2 plans. It monitors sign-in activity and user behaviour, using Microsoft’s threat data and analysis to identify suspicious patterns early.

MFA confirms a user’s identity during sign-in. Entra ID Protection adds further checks by reviewing how and where the sign-in happens, and whether the account shows signs of being accessed by someone else over time.

It tracks two types of risk:

Risk Type    | What it detects                                             | Example
Sign-In Risk | A specific sign-in attempt appears unusual                  | Login from an anonymous IP or an unfamiliar location
User Risk    | A user account shows signs of unauthorized access over time | Credentials found in a known data leak


Licensing Requirements

Microsoft Entra ID Protection is available with Microsoft 365 E5 or Entra ID P2. Organizations using Business Premium or E3 do not have access to risk-based policies.

If you are on Business Premium, you can still use location-based and device-based Conditional Access Policies, as covered in How to Restrict Microsoft 365 Access by Location, Device and Risk Using Conditional Access Policies. However, automatic detection of sign-in and user risk requires upgrading to E5.

Common Risk Signals Tracked by Entra ID Protection

Entra ID Protection identifies different types of suspicious sign-in activity. Knowing these signals makes it easier to read reports and respond correctly.

Risk Signal                   | Details
Leaked credentials            | User password found in a known breach database or dark web source
Impossible travel             | Sign-in from India, then from the US within a short time
Anonymous IP address          | Sign-in from a known VPN, proxy, or Tor exit node
Malware-linked IP             | Sign-in from an IP connected to botnet or malware activity
Password spray                | Multiple failed attempts across many accounts from a single IP
Unfamiliar sign-in properties | Sign-in from a new device, browser, or location not seen before for the account

Expert Tip: Password spray attacks often go unnoticed because they use a small number of attempts per account. Entra ID Protection identifies this pattern across multiple accounts, not just a single user.

Step 1: Access the Entra ID Protection Dashboard

Go to: entra.microsoft.com → Protection → Identity Protection

The dashboard shows an overview of current activity, including:
  • Number of users marked as risky
  • Recent risky sign-ins
  • Active risk detections
  • Recommendations based on your tenant activity

Review this dashboard regularly. It highlights threats that are not visible in standard sign-in logs.


Step 2: Sign-In Risk Policy Setup

A sign-in risk policy responds to suspicious individual sign-in attempts. When a sign-in is marked as medium or high risk, the policy requires MFA or blocks access before the session starts.

Go to: Protection → Identity Protection → Sign-in risk policy

Setting            | Details
Users              | All users (exclude emergency access account)
Sign-in risk level | Medium and above
Access control     | Require multi-factor authentication
Policy enforcement | Enabled

Expert Tip: Start with Medium and above instead of only High. High-risk sign-ins are less frequent, and this setting gives more visibility into flagged activity. Review activity for two weeks before adjusting.

This policy is applied through Conditional Access. The sign-in risk condition in Conditional Access Policies uses risk levels from Entra ID Protection. Both must be set for automatic response to apply correctly.


Step 3: User Risk Policy Setup

User risk is different from sign-in risk. It is based on activity linked to the account, such as leaked credentials or repeated suspicious actions. A high user risk means the account may be used by someone else, not just a single unusual sign-in.

Go to: Protection → Identity Protection → User risk policy

Setting            | Details
Users              | All users (exclude emergency access account)
User risk level    | High
Access control     | Allow access, require password change
Policy enforcement | Enabled

When triggered, the user must complete MFA and reset their password before access is restored. This removes the risk status without manual steps from IT.

Expert Tip: Before enabling this policy, set up Self-Service Password Reset (SSPR). Without SSPR, users flagged by this policy cannot reset their password on their own and will need IT support for each case.


Step 4: Enable Self-Service Password Reset (SSPR)

Go to: entra.microsoft.com → Protection → Password reset

Setting                        | Details
SSPR enabled for               | All users
Authentication methods         | Mobile app notification, email, mobile phone
Registration                   | Require users to register at next sign-in
Re-confirm authentication info | Every 180 days

SSPR is required for user risk policies. Without it, users flagged for password reset cannot complete the process on their own, which leads to repeated IT support requests.

Step 5: Review Identity Protection Reports

After enabling these policies, review the following reports regularly.

Go to: entra.microsoft.com → Protection → Identity Protection

• Risky sign-ins report – Shows sign-ins marked with a risk level and the reason. Use this to confirm your sign-in risk policy is triggering correctly and to review individual events. For email-related threats, review this along with your Mail Flow Rules to identify patterns.

• Risky users report – Shows user accounts currently marked as at risk. From here, you can dismiss the risk, confirm account misuse, or require a password reset if needed.

• Risk detections report – Shows each signal detected, such as leaked credentials or unusual travel events. This provides a detailed view of detected activity.

Expert Tip: When a risk is flagged, do not dismiss it immediately. Check the user, location, device, and timing before taking action. Removing a real threat without review can leave the account unprotected.
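The review the tip describes is easier when the Risky users and Risk detections reports are read together. The following Python example is added here and is not code from Netstager or Microsoft. It joins records shaped like Microsoft Graph /identityProtection/riskyUsers and /identityProtection/riskDetections entries into a worklist that shows, per account still at risk, every signal with its IP, location and time, and it builds the Graph request for the two reviewer decisions exposed on the v1.0 endpoint (dismiss, confirmCompromised) without sending it. The sample users, detections and IP addresses are constructed; a real review would pull the two collections from Graph with IdentityRiskEvent.Read.All and IdentityRiskyUser.Read.All permissions.

```python
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/v1.0"

# Risk levels in review-priority order
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2, "hidden": 3, "none": 4}

# Constructed sample data shaped like Graph /identityProtection/riskyUsers entries
SAMPLE_RISKY_USERS = [
    {"id": "u-001", "userPrincipalName": "alice@example.com",
     "riskLevel": "high", "riskState": "atRisk", "riskDetail": "none"},
    {"id": "u-002", "userPrincipalName": "bob@example.com",
     "riskLevel": "medium", "riskState": "atRisk", "riskDetail": "none"},
    {"id": "u-003", "userPrincipalName": "carol@example.com",   # already self-remediated
     "riskLevel": "none", "riskState": "remediated",
     "riskDetail": "userPerformedSecuredPasswordReset"},
]

# Constructed sample data shaped like Graph /identityProtection/riskDetections entries
SAMPLE_DETECTIONS = [
    {"userId": "u-001", "riskEventType": "leakedCredentials", "riskLevel": "high",
     "activity": "user", "ipAddress": None, "location": None,
     "activityDateTime": "2024-05-01T08:15:00Z"},
    {"userId": "u-001", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "activity": "signin", "ipAddress": "203.0.113.7",
     "location": {"city": "Unknown", "countryOrRegion": "NL"},
     "activityDateTime": "2024-05-01T09:30:00Z"},
    {"userId": "u-002", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
     "activity": "signin", "ipAddress": "198.51.100.20",
     "location": {"city": "Kochi", "countryOrRegion": "IN"},
     "activityDateTime": "2024-05-02T07:05:00Z"},
    {"userId": "u-003", "riskEventType": "unfamiliarFeatures", "riskLevel": "low",
     "activity": "signin", "ipAddress": "198.51.100.44",
     "location": {"city": "Dubai", "countryOrRegion": "AE"},
     "activityDateTime": "2024-04-28T12:00:00Z"},
]


def build_review_worklist(risky_users, detections):
    """Join risky users with their detections, keep only accounts whose risk is
    still open, and order them highest level first, so the reviewer sees user,
    signal, IP, location and time together before deciding on an action."""
    by_user = defaultdict(list)
    for d in detections:
        loc = d.get("location") or {}
        place = ", ".join(v for v in (loc.get("city"), loc.get("countryOrRegion")) if v)
        by_user[d["userId"]].append({
            "signal": d["riskEventType"],
            "level": d["riskLevel"],
            "ip": d.get("ipAddress"),
            "location": place or "n/a",     # user-level detections carry no location
            "when": d["activityDateTime"],
        })
    open_states = {"atRisk", "confirmedCompromised"}
    worklist = [
        {"userId": u["id"], "upn": u["userPrincipalName"], "level": u["riskLevel"],
         "state": u["riskState"],
         "detections": sorted(by_user[u["id"]], key=lambda x: x["when"])}
        for u in risky_users if u["riskState"] in open_states
    ]
    worklist.sort(key=lambda w: LEVEL_ORDER.get(w["level"], 9))
    return worklist


# Reviewer decisions available on the v1.0 riskyUsers endpoint
ACTIONS = {"dismiss", "confirmCompromised"}


def action_request(action, user_ids):
    """Describe the Graph call for a reviewer decision; the caller sends it with a
    token holding IdentityRiskyUser.ReadWrite.All."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    return {"method": "POST",
            "url": f"{GRAPH}/identityProtection/riskyUsers/{action}",
            "body": {"userIds": list(user_ids)}}


if __name__ == "__main__":
    for item in build_review_worklist(SAMPLE_RISKY_USERS, SAMPLE_DETECTIONS):
        print(item["level"].upper(), item["upn"], item["state"])
        for d in item["detections"]:
            print("   ", d["when"], d["signal"], d["ip"], d["location"])
```

Carol drops off the worklist because her risk state is already remediated through a secured password reset, which is what the user risk policy and SSPR from Steps 3 and 4 produce without IT involvement. Alice stays at the top: a leaked-credential detection followed by a sign-in from an anonymizing IP is the combination the tip warns against dismissing on the user's word alone.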

How Entra ID Protection Connects With Conditional Access

Entra ID Protection and Conditional Access are used together. Entra ID Protection identifies risk and assigns a level. Conditional Access uses that level to decide the response.
Tool                | Purpose
Entra ID Protection | Identifies risk signals and assigns risk levels to sign-ins and users
Conditional Access  | Uses those risk levels to require MFA, block access, or require a password reset

If risk-based Conditional Access Policies are already set, Entra ID Protection provides the risk data behind them. Without it enabled and configured correctly, those conditions will not trigger.
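The settings from Step 2 (sign-in risk) and Step 3 (user risk), and the way Conditional Access consumes those risk levels, map onto risk-based Conditional Access policies that can be created through Microsoft Graph. The following Python example is added here and is not code from Netstager or Microsoft. It builds the two policy bodies with the guide's settings, checks each body against the guide (all users targeted, emergency access account excluded, a risk condition present, password change combined with MFA) and shows the POST to identity/conditionalAccess/policies. The emergency account id is a placeholder and the display names are invented; creating the policies through Graph rather than the Identity Protection policy pages is this example's choice, not the guide's.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholder: object id of the emergency access (break-glass) account to exclude
EMERGENCY_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"


def _base_policy(name, emergency_account_id, report_only):
    # "enabledForReportingButNotEnforced" is report-only mode: the policy logs what it
    # would have done, which suits the two-week observation period before enforcing.
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [emergency_account_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def sign_in_risk_policy(emergency_account_id=EMERGENCY_ACCOUNT_ID, report_only=False):
    """Step 2 as Conditional Access: medium and high sign-in risk -> require MFA."""
    policy = _base_policy("CA - Sign-in risk medium+ requires MFA",
                          emergency_account_id, report_only)
    policy["conditions"]["signInRiskLevels"] = ["medium", "high"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def user_risk_policy(emergency_account_id=EMERGENCY_ACCOUNT_ID, report_only=False):
    """Step 3 as Conditional Access: high user risk -> MFA and a password change.
    Graph requires passwordChange to be paired with mfa under the AND operator."""
    policy = _base_policy("CA - User risk high requires password change",
                          emergency_account_id, report_only)
    policy["conditions"]["userRiskLevels"] = ["high"]
    policy["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return policy


def check_policy(policy):
    """Return the list of problems against the guide's settings; empty means OK."""
    problems = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        problems.append("policy does not target all users")
    if not users.get("excludeUsers"):
        problems.append("no emergency access account excluded")
    if not cond.get("signInRiskLevels") and not cond.get("userRiskLevels"):
        problems.append("no risk condition set; Entra ID Protection signals will not trigger it")
    grant = policy.get("grantControls", {})
    controls = set(grant.get("builtInControls", []))
    if "passwordChange" in controls and ("mfa" not in controls or grant.get("operator") != "AND"):
        problems.append("passwordChange must be combined with mfa using operator AND")
    if policy.get("state") not in {"enabled", "enabledForReportingButNotEnforced"}:
        problems.append("policy is not enabled")
    return problems


def submit_policy(policy, access_token):
    """Create the policy in the tenant; the token needs Policy.ReadWrite.ConditionalAccess."""
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{GRAPH}/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Print the report-only variants to review before creating them
    print(json.dumps(sign_in_risk_policy(report_only=True), indent=2))
    print(json.dumps(user_risk_policy(report_only=True), indent=2))
```

Create both with report_only=True first, read the Risky sign-ins report for the observation period the tip recommends, then recreate or update them with state "enabled". The check_policy step is deliberately strict about the emergency account exclusion: a risk-based policy with no exclusion can lock out the only account able to fix a misconfigured tenant.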

Microsoft 365 Identity Security with Netstager Technologies

Entra ID Protection needs correct setup and regular review. Missing SSPR setup, incorrect risk levels, or unreviewed risky user reports can leave gaps even when policies are active.

Netstager Technologies, an authorized Microsoft 365 partner in Kerala, manages identity protection setup including Entra ID Protection configuration, risk policy setup, SSPR setup, Conditional Access connection, and ongoing report review.

Our Identity Protection Services Include

Identity Security Assessment
Review of your Microsoft 365 tenant, licensing, existing policies, and gaps before new policies are created.
Entra ID Protection Setup
Setup of sign-in risk and user risk policies based on your user groups and Microsoft 365 plan.
SSPR Setup
Setup and testing of Self-Service Password Reset to support password reset during risk events.
Conditional Access Connection
Make sure risk-based Conditional Access Policies use Entra ID Protection signals correctly.
Ongoing Monitoring
Regular review of risky sign-ins, risky users, and risk detection reports, with action based on findings.

To start, migrate, or maintain your Microsoft 365 setup, connect with Netstager Technologies.


+91 844 844 0112