Evaluating the risk of a user in Microsoft Entra is something that Microsoft handles quite intelligently. For example, if a user reports a notification in the Microsoft Authenticator app as one they did not request, their identity will be marked as high risk, because to get as far as an MFA notification the correct password must already have been entered. On the other hand, a series of unexpected actions on a user account could indicate malicious intent but is a much weaker signal, so it would result in a low-risk evaluation.
You may want to know exactly when a user in your organisation is marked as medium or high risk so you can take further manual action beyond what can be (or what you would want to be) achieved automatically. In this tutorial, I am going to show you how to configure user risk reports in Microsoft Entra using the admin portal and using Microsoft Graph PowerShell.
What are user risk detection alerts in Microsoft Entra?
User risk reports are simple alert emails that you can configure to send to a specific address when a user's risk level reaches a specified threshold, the threshold being low risk, medium risk or high risk.
The reports are fairly basic: they are sent from [email protected] with the subject line User at risk detected. No detailed information is provided in the report, other than the following exact text:
“We detected a new user with at least medium risk in your TenantName directory. This might be because we noticed suspicious account activity or we found their emails and passwords posted in a public location.”
Here is an example of a user risk detection email:
As you can see, the email is fairly generic and the View detailed report link will simply take you to the Risky users blade in the Microsoft Entra admin center.
Why enable user risk detection alerts?
User risk detection alert emails are a great way for administrators and security teams to stay current with active threats towards users in their organisation.
A more practical reason to use these email alerts is that Microsoft is continually improving the default security controls that help prevent common attack methods against users, such as social engineering and MFA fatigue attacks, and those defaults can change how attacks surface to the user.
For example, users who have the Microsoft Authenticator app configured, or who use phone-based sign-in as their primary multi-factor authentication method, are still susceptible to social engineering attacks designed to trick them into approving a malicious multi-factor authentication challenge.
Currently, the default behaviour for any multi-factor authentication challenge that originates from an unknown source (IP address) is that the push notification is suppressed on the user's devices, so the user has to open the Authenticator app manually to approve the request. This isn't a major issue for a legitimate logon, since a user who attempted the sign-in would expect to open the app anyway. It does, however, mean that an attacker who triggered the challenge already has the user's password, while the suppressed notification reduces the chance of that initial breach being actively reported to IT.
User risk detection alert reports help to tackle this problem by alerting IT to the suspected breach, allowing them to immediately investigate and intervene manually.
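When the alert email arrives, the next step is to see which users are actually at or above the configured threshold. The following function is an added example for this post (not code from the original article or from Microsoft) that pulls those users with Invoke-MgGraphRequest from the v1.0 riskyUsers endpoint and pages through the results. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account holds the IdentityRiskyUser.Read.All permission; the function name Get-UsersAtRisk is my own.

```powershell
# Added example, not from the original post: list users whose current risk
# level is at or above a threshold, mirroring what the "View detailed report"
# link shows in the Risky users blade.
# Assumes Microsoft.Graph.Authentication is installed and the account
# holds IdentityRiskyUser.Read.All.
function Get-UsersAtRisk {
    param(
        [ValidateSet('low', 'medium', 'high')]
        [string]$MinRiskLevel = 'medium'
    )

    # Expand the threshold into the set of riskLevel values it includes.
    $levels = switch ($MinRiskLevel) {
        'low'    { @('low', 'medium', 'high') }
        'medium' { @('medium', 'high') }
        'high'   { @('high') }
    }
    $filter = ($levels | ForEach-Object { "riskLevel eq '$_'" }) -join ' or '
    # Only users whose risk is still open, not already remediated or dismissed.
    $filter = "($filter) and riskState eq 'atRisk'"

    $uri = 'https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$filter=' +
           [uri]::EscapeDataString($filter)

    # Follow @odata.nextLink so large tenants are fully enumerated.
    $results = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $results += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    $results | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.userPrincipalName
            RiskLevel         = $_.riskLevel
            RiskState         = $_.riskState
            RiskLastUpdated   = $_.riskLastUpdatedDateTime
        }
    } | Sort-Object RiskLastUpdated -Descending
}

# Usage: sign in with the read-only risky-user permission and list medium-and-above.
Connect-MgGraph -Scopes IdentityRiskyUser.Read.All
Get-UsersAtRisk -MinRiskLevel medium | Format-Table -AutoSize
```

Keeping the threshold parameter in step with the minRiskLevel configured for the alert emails means the list returned here matches the population the email is telling you about.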
How to enable user risk detection alerts in Microsoft Entra
The easiest way to enable user risk detection alerts is to use the Microsoft Entra admin center. Follow the below steps to enable and configure this feature:
1. Sign in to the Microsoft Entra admin center at https://entra.microsoft.com.
2. Expand Protection and select Identity Protection > Users at risk detected alerts.
3. You will see a list of privileged users which can be enabled or disabled. You also have the option to add a custom email address to the recipient list. Select your desired destination addresses, configure the user risk level (I recommend setting this to Medium) and click Save.
Enable user risk detection alerts using Microsoft Graph PowerShell
If you would like to enable user risk alerts using Microsoft Graph PowerShell, use the following code, which takes advantage of the Invoke-MgGraphRequest cmdlet:
Check out my complete tutorial for the powerful Invoke-MgGraphRequest cmdlet: https://ourcloudnetwork.com/how-to-use-invoke-mggraphrequest-with-powershell/
When you copy the below code, ensure you modify the following fields with your own preferences:
- "minRiskLevel": "low/medium/high"
- "email": "destination-email-address"
# Sign in with the permission the PATCH below requires.
Connect-MgGraph -Scopes IdentityRiskEvent.ReadWrite.All

# Beta endpoint that holds the "Users at risk detected alerts" settings.
$uri = "https://graph.microsoft.com/beta/identityProtection/settings/notifications"

# Replace the two placeholder values before running.
$body = @'
{
    "minRiskLevel": "low/medium/high",
    "isWeeklyDigestEnabled": true,
    "additionalRecipients": [
        {
            "email": "destination-email-address",
            "isRiskyUsersAlertsRecipient": true
        }
    ]
}
'@

Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ContentType "application/json"
Ensure you use the IdentityRiskEvent.ReadWrite.All permission when using the PATCH method on the "https://graph.microsoft.com/beta/identityProtection/settings/notifications" endpoint. This endpoint does not surface its required permissions in the Microsoft Graph Explorer tool or through Find-MgGraphCommand, which is worth remembering.
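Because the endpoint gives no hint about its permissions and the PATCH returns nothing useful on its own, it helps to wrap the call so that bad input is rejected before it is sent and the result is read back afterwards. The function below is an added example (not code from the original post or from Microsoft) that validates the risk level and addresses, builds the JSON with ConvertTo-Json instead of hand-editing the template, and compares the settings before and after the change. It assumes the Microsoft.Graph.Authentication module is installed, that the account can consent to IdentityRiskEvent.ReadWrite.All, and that the same beta endpoint also answers a GET request, which the post itself does not show; the function name Set-UserRiskAlertSettings and the recipient address are my own placeholders.

```powershell
# Added example, not from the original post: apply the notification settings
# with input validation and a read-back check.
# Assumes Microsoft.Graph.Authentication is installed, the account holds
# IdentityRiskEvent.ReadWrite.All, and the endpoint supports GET (assumption).
function Set-UserRiskAlertSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('low', 'medium', 'high')]
        [string]$MinRiskLevel,

        [Parameter(Mandatory)]
        [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]
        [string[]]$Recipient,

        [bool]$WeeklyDigest = $true
    )

    $uri = 'https://graph.microsoft.com/beta/identityProtection/settings/notifications'

    # Read the current settings so the change can be reviewed before it is made.
    $before = Invoke-MgGraphRequest -Method GET -Uri $uri
    $currentRecipients = ($before.additionalRecipients | ForEach-Object { $_.email }) -join ', '
    Write-Verbose "Current minRiskLevel: $($before.minRiskLevel); recipients: $currentRecipients"

    # Build the body from a hashtable so the JSON is always well formed.
    $body = @{
        minRiskLevel          = $MinRiskLevel
        isWeeklyDigestEnabled = $WeeklyDigest
        additionalRecipients  = @(
            $Recipient | ForEach-Object {
                @{ email = $_; isRiskyUsersAlertsRecipient = $true }
            }
        )
    } | ConvertTo-Json -Depth 5

    # -WhatIf shows the request without sending it.
    if ($PSCmdlet.ShouldProcess($uri, "PATCH minRiskLevel=$MinRiskLevel")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
    }

    # Read the settings back and warn if the threshold did not take effect.
    $after = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($after.minRiskLevel -ne $MinRiskLevel) {
        Write-Warning "minRiskLevel is '$($after.minRiskLevel)', expected '$MinRiskLevel'."
    }
    return $after
}

# Usage (the recipient address is a placeholder):
Connect-MgGraph -Scopes IdentityRiskEvent.ReadWrite.All
Set-UserRiskAlertSettings -MinRiskLevel medium -Recipient 'secops@example.com' -Verbose
```

Running the function with -WhatIf first prints the PATCH that would be sent without touching the tenant, which is a cheap way to confirm the body before the real change.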