---
name: Risky Users and Sign-Ins Summary
description: "Summarise Microsoft Entra ID Protection risk detections: leaked credentials, impossible travel and password spray, with remediation paths."
---

# Risky Users and Sign-Ins Summary

> **TL;DR:** This skill reads Microsoft Entra ID Protection risk detections across your tenant and produces a ranked summary of risky users and risky sign-ins, with the risk level, detection type and a clear remediation path so you can prioritise the most dangerous identities first.

## What does Microsoft Entra ID Protection detect?

Microsoft Entra ID Protection analyses sign-in and user signals to surface identity-based threats such as leaked credentials, impossible travel, atypical travel, password spray, anonymous IP usage and malware-linked addresses. Each signal contributes to a calculated risk level (low, medium or high) for both the sign-in event and the user. This skill consolidates those detections so security teams can act, ideally alongside Conditional Access policies that enforce step-up authentication or block access when risk is detected.

## When should you run this skill?

- "Show me all high-risk users in Microsoft Entra right now."
- "Which accounts triggered leaked credential detections this week?"
- "Summarise impossible travel and atypical travel sign-ins for the security review."
- "Has anyone been hit by a password spray attack recently?"
- "Give me a prioritised list of risky sign-ins I need to investigate today."
- "Which risky users are still unremediated and need a password reset?"
- "Prepare an identity risk summary for the monthly compliance report."

## How this skill works, step by step

1. Authenticate read-only to Microsoft Graph using delegated permissions scoped to identity risk data.
2. Retrieve the current risky users collection, including each user's aggregate risk level and risk state.
3. Retrieve recent risky sign-in events with their associated detection types, locations and client details.
4. Retrieve individual risk detections (for example leaked credentials, impossible travel, password spray) and map each to its parent user.
5. Derive a prioritised ranking by combining the user risk level, the most severe detection type and whether the risk is still active or already remediated.
6. Group detections per user so repeated signals are visible at a glance.
7. Match each detection type to a recommended remediation path, such as forcing a secure password reset, requiring multifactor authentication or confirming the sign-in as safe or compromised.
8. Compile the findings into a summary table and a short narrative of the highest-priority items.
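The ranking and grouping logic of steps 2 to 8, as an added Python example that is not part of this skill's own code. The records are constructed samples that only mimic the shape of Graph `riskyUsers` and `riskDetections` items, and the severity ordering of detection types is this example's assumption.

```python
from collections import Counter, defaultdict
# Severity scales for user risk levels and detection types (this example's assumption).
RISK_LEVEL = {"high": 3, "medium": 2, "low": 1}
SEVERITY = {"leakedCredentials": 3, "passwordSpray": 3, "impossibleTravel": 2, "anonymizedIPAddress": 2}
REMEDIATION = {  # recommended path per detection type (step 7)
    "leakedCredentials": "Force secure password reset and revoke sessions",
    "passwordSpray": "Force secure password reset and enforce MFA",
    "impossibleTravel": "Require MFA and confirm sign-in as safe or compromised",
}
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}  # risk still open, not remediated/dismissed

# Constructed sample records shaped like Graph riskyUsers / riskDetections items.
RISKY_USERS = [
    {"id": "u1", "userPrincipalName": "jordan.lee@contoso.com", "riskLevel": "high", "riskState": "atRisk"},
    {"id": "u2", "userPrincipalName": "priya.nair@contoso.com", "riskLevel": "medium", "riskState": "atRisk"},
    {"id": "u3", "userPrincipalName": "sam.okoro@contoso.com", "riskLevel": "low", "riskState": "remediated"},
]
RISK_DETECTIONS = [
    {"userId": "u1", "riskEventType": "leakedCredentials"},
    {"userId": "u2", "riskEventType": "impossibleTravel"},
    {"userId": "u2", "riskEventType": "anonymizedIPAddress"},
    {"userId": "u3", "riskEventType": "passwordSpray"},
]

def rank_risky_users(users, detections):
    """Steps 4-7: map detections to their user, rank, and attach a remediation path."""
    by_user = defaultdict(list)
    for d in detections:
        by_user[d["userId"]].append(d["riskEventType"])
    rows = []
    for u in users:
        types = sorted(by_user[u["id"]], key=lambda t: SEVERITY.get(t, 1), reverse=True)
        active = u["riskState"] in ACTIVE_STATES
        worst = types[0] if types else None
        path = (REMEDIATION.get(worst, "Investigate and confirm safe or compromised")
                if active else "Monitor; risk already remediated or dismissed")
        rows.append({"user": u["userPrincipalName"], "riskLevel": u["riskLevel"], "active": active,
                     "worst": worst, "detections": types, "remediation": path})
    # Open risk first, then user risk level, worst detection type, then detection count.
    return sorted(rows, reverse=True, key=lambda r: (r["active"], RISK_LEVEL.get(r["riskLevel"], 0),
                                                    SEVERITY.get(r["worst"], 0), len(r["detections"])))

def summarise(rows):
    """Step 8 highlights: users per level, open detections, top type, multi-detection users."""
    counts = Counter(t for r in rows for t in r["detections"])
    return {"byLevel": dict(Counter(r["riskLevel"] for r in rows)),
            "unremediated": sum(len(r["detections"]) for r in rows if r["active"]),
            "topDetection": counts.most_common(1)[0][0] if counts else None,
            "multiDetection": [r["user"] for r in rows if len(r["detections"]) > 1]}
```

Against real tenant data the two collections would be fetched with the read-only Graph permissions listed under Licensing and permissions, and the ranked rows render as the table in Output format.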

## Output format

The skill returns a ranked table of risky identities followed by a short summary.

| User | Risk Level | Detection Type | Risk State | Remediation Path |
| --- | --- | --- | --- | --- |
| `jordan.lee@contoso.com` | High | Leaked credentials | At risk | Force secure password reset and revoke sessions |
| `priya.nair@contoso.com` | Medium | Impossible travel | At risk | Require MFA and confirm sign-in as safe or compromised |
| `sam.okoro@contoso.com` | Low | Password spray | Remediated | Monitor; password already reset and MFA enforced |

Summary highlights:

- Total risky users grouped by risk level (high, medium, low).
- Count of unremediated detections requiring immediate action.
- Most frequent detection type observed across the tenant.
- Users with multiple concurrent detections flagged for priority investigation.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, users or policies. It only inspects and reports on existing Microsoft Entra ID Protection risk data.

This skill does NOT:

- Reset passwords, block accounts or revoke sessions.
- Create, modify or delete Conditional Access policies.
- Dismiss, confirm or otherwise alter the risk state of any user or sign-in.
- Change any Microsoft Entra ID Protection configuration or detection settings.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft Entra ID Protection risky users and risky sign-ins | Microsoft Entra ID P2 |
| Risk-based Conditional Access for step-up or block (optional follow-up) | Microsoft Entra ID P2 |

### Least-privilege roles

- Security Reader — read-only visibility of ID Protection risky users, risky sign-ins and risk detections.
- Global Reader — broad read-only access where a tenant-wide reader role is preferred.

### Microsoft Graph permissions (read-only)

- `IdentityRiskyUser.Read.All` — reads the risky users collection, including each user's aggregate risk level and risk state.
- `IdentityRiskEvent.Read.All` — reads risk detections and risky sign-in events, such as leaked credentials, impossible travel and password spray.

## Sources and compliance

- [Microsoft Entra ID Protection overview](https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection)
- [Investigate risk with Microsoft Entra ID Protection](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk)
- Supports the Multi-factor authentication control of the [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model), helping verify that risky sign-ins are met with step-up authentication.
- Aligns with ISM monitoring and event logging guidance by surfacing identity risk detections for review.
- Output in Australian English.
