How to Identify At‑Risk Users in Microsoft 365 with Microsoft Entra ID

Security in Microsoft 365 is one of the main concerns for modern organizations. Brute‑force attacks, compromised credentials, or failures in multifactor authentication can go unnoticed… until it’s too late.

Fortunately, Microsoft provides advanced tools that help us stay ahead of potential incidents. One of the most useful is the at‑risk users feature in Microsoft 365, integrated within Microsoft Entra ID. In this article, we explain in a clear and practical way how it works, what information it provides, and how you can use it to detect potential attacks and strengthen your organization’s security.

What are at‑risk users in Microsoft Entra ID?

At‑risk users are accounts that Microsoft identifies as potentially compromised based on anomalous sign‑in behavior.

Microsoft Entra ID (formerly Azure Active Directory) analyzes millions of daily signals using artificial intelligence and classifies users according to their level of risk.

Why is it important to review these users?

Because it allows you to:

  • Detect attack attempts before they succeed
  • Identify configuration issues in MFA or authentication tokens
  • Reduce the impact of compromised credentials
  • Act proactively instead of reactively

In other words, it is a key tool in any cybersecurity strategy within Microsoft 365.

Main causes of user risk in Microsoft 365

Microsoft may flag a user as “at risk” for several reasons. The most common include:

Suspicious sign‑in attempts

For example:

  • Sign‑ins from unusual locations
  • Multiple failed authentication attempts
  • Automated sign‑ins (possible bots)

Authentication token issues

  • Expired tokens
  • Incorrectly reused tokens
  • Sessions that do not match the user’s normal behavior

Multifactor authentication (MFA) failures

  • Misconfigured MFA
  • Invalid verification methods
  • Repeated denials of the second factor

Important: Not all risks indicate a real attack. False positives can occur, but they should always be investigated.

How to access the at‑risk users view in Microsoft 365

To analyze this information, you need to access the Microsoft Entra ID Admin Center:

  1. Go to the Microsoft 365 Admin Center
  2. Navigate to Identity (Microsoft Entra ID)
  3. Go to Protection > Risky users

Here you will see a list of users who have recently been classified with some level of risk.

Risk levels: low, medium, and high

Microsoft classifies users based on the severity of the detected behavior:

Low risk

  • Slightly unusual activities
  • Possible user mistakes
  • Often associated with false positives

Medium risk

  • Anomalous sign‑in patterns
  • Repeated authentication failures
  • Recommended to review as soon as possible

High risk

  • High probability of compromise
  • Possible active attack or leaked credentials
  • Requires immediate action

Analyzing risky sign‑ins step by step

In addition to user risk, Microsoft Entra ID also allows you to analyze risky sign‑ins.

What information can you view?

  • Date and time of the attempt
  • Origin location
  • Type of detected risk
  • Sign‑in result

By filtering by date range, you can identify whether:

  • It is an ongoing attack
  • It is an isolated failed attempt
  • It is a recurring configuration issue

This analysis is essential to decide whether you should block an account, force a password reset, or adjust your security policies.
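
The date‑range triage described above, sketched as an added example (not code from this article or from Microsoft): it groups exported risk detections per user and labels the pattern as ongoing, recurring or isolated. The record keys follow the Microsoft Graph riskDetection resource; the sample data, the function name triage and the thresholds are assumptions to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (users and events are invented). Keys follow the
# Microsoft Graph riskDetection resource.
KEYS = ("userPrincipalName", "activityDateTime", "riskEventType", "riskLevel")
ROWS = [
    ("ana@contoso.example", "2024-05-07T08:01:00Z", "passwordSpray", "high"),
    ("ana@contoso.example", "2024-05-07T08:03:00Z", "passwordSpray", "high"),
    ("ana@contoso.example", "2024-05-07T08:10:00Z", "unfamiliarFeatures", "medium"),
    ("ana@contoso.example", "2024-05-07T09:00:00Z", "passwordSpray", "high"),
    ("ben@contoso.example", "2024-05-02T09:00:00Z", "unfamiliarFeatures", "low"),
    ("ben@contoso.example", "2024-05-04T09:05:00Z", "unfamiliarFeatures", "low"),
    ("ben@contoso.example", "2024-05-06T09:00:00Z", "unfamiliarFeatures", "low"),
    ("carla@contoso.example", "2024-04-20T10:00:00Z", "anonymizedIPAddress", "high"),
    ("carla@contoso.example", "2024-05-03T10:00:00Z", "anonymizedIPAddress", "medium"),
]
SAMPLE = [dict(zip(KEYS, row)) for row in ROWS]
LEVELS = {"low": 1, "medium": 2, "high": 3}

def parse(ts):
    # Assumes UTC timestamps with whole seconds, e.g. 2024-05-07T08:01:00Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def triage(detections, start, end, burst=3,
           burst_window=timedelta(hours=24), recurring_days=3):
    """Label each user's detections inside [start, end].
    Thresholds are assumptions, not Microsoft-defined values."""
    by_user = defaultdict(list)
    for d in detections:
        t = parse(d["activityDateTime"])
        if start <= t <= end:  # the date-range filter
            by_user[d["userPrincipalName"]].append((t, d["riskLevel"]))
    report = {}
    for user, items in by_user.items():
        times = sorted(t for t, _ in items)
        recent = [t for t in times if t >= end - burst_window]
        if len(recent) >= burst:
            pattern = "ongoing"    # burst at the end of the window
        elif len({t.date() for t in times}) >= recurring_days:
            pattern = "recurring"  # spread over several days
        else:
            pattern = "isolated"
        top = max((lvl for _, lvl in items), key=lambda l: LEVELS.get(l, 0))
        report[user] = {"pattern": pattern, "max_level": top, "count": len(times)}
    return report

if __name__ == "__main__":
    window = (datetime(2024, 5, 1), datetime(2024, 5, 7, 23, 59, 59))
    for user, info in sorted(triage(SAMPLE, *window).items()):
        print(user, info)
```

A user labelled "ongoing" or carrying a high max_level is the one to review first; "recurring" low‑level detections are the usual candidates for a configuration check.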

Best practices to reduce at‑risk users

Some practical recommendations we suggest at ABD:

  • Enable mandatory MFA for all users.
  • Review at‑risk users and risky sign‑ins regularly.
  • Apply conditional access policies.
  • Train users on security and phishing awareness.
  • Work with a specialized Microsoft 365 partner.

According to Microsoft, organizations with properly configured MFA can reduce account‑compromise risk by up to 99%.

Prevention starts with visibility

The at‑risk users feature in Microsoft 365 is not only useful for responding to incidents, but also for anticipating them. Having visibility into suspicious behavior allows you to make informed decisions and better protect your digital environment.

If you’re not reviewing this information regularly, you’re missing out on one of the most powerful security tools already included in Microsoft 365.

ABD, your Microsoft Gold Partner

Do you want to know whether your organization has at‑risk users or if your security configuration is properly set up?

Get in touch with ABD Consulting and we’ll help you analyze, protect, and optimize your Microsoft 365 environment using industry‑leading security best practices.
