A New Face for Risky User Management in Microsoft Entra

-

You may be familiar with the classic interface that Microsoft Entra once provided to enable administrators and responders the ability to view risky users. In June 2026, this feature got a major upgrade that I am very excited to share with you. The new Risky Users experience in Microsoft Entra provides a fresh new look to gaining visibility into users at risk, and more information that will enable responders to make the best decision.

So what is the Risky Users experience?

For those who are not familiar, Microsoft Entra analyzes and processes billions of sign-in signals from many different tenants. These signals help to build a greater picture of the threats that organizations face, and your organization is no different. Risky Users is a part of a much broader suite of tools in Microsoft Entra called: ID Protection. Through this suite, responders and analysts are able to understand as well as remediate accounts, sign-ins, and now AI Agents that may be susceptible to compromise.

In particular, Risky Users focuses on protecting the individual account from common along with sophisticated attacks that can result in an account compromise. It analyzes signals from sign-in to sign-out and based on said signals, it can rate a user's account accordingly. Should the account be indicated as compromised, or have a risk level, remediations can take place to secure the account and prevent further escalation or movement, stopping attackers in their tracks. Traditionally, this view was pretty limited in terms of what could be achieved. Now, the experience becomes much more intuitive.

What Has Changed?

Not only has the Risky Users experience received a facelift, but it has gained more actionable intelligence for administrators to take advantage of. One thing that really stands out to me is the updated metrics panel. When users first access the Risky Users experience, they're met with a great dashboard which provides metrics as well as a table of detections. From here, they can select a detection, and remediate it as required:

If you click into the user's name, you are then met with even more options. One that stands out the most is the ability to view a timeline of events and aggregate that data to see what's been going on. This removes the traditional requirement to have to sift through sign-in logs and the like to build a sequence of events. For example, my test user Aiden can be seen logging in from the US which Entra has detected as unusual for him:

Pretty cool right? From here, we can also see the score that was assigned to the identity and we are also given the same options to remediate as per the last image. In addition to this, administrators are also given the option to view the user's sign-in logs, risky sign-ins, as well as investigate in Defender. Pretty cool right?

Can I Use This?

Great news- if you have ID Protection in your tenant, you can start to use this refreshed interface. Albeit it isn't a whole lot, it can make a world of difference when you're in the heat of the moment trying to remediate a potential user compromise. It also helps to see a timeline that gives administrators the ability to see the sequence of events leading up to the incident, without having to sift through logs.

Have you used this new layout yet? If so, let me know your thoughts and feedback. I'd love to chat further about what experiences you've had so far and get your perspective.

See you next week admins!


Comments

Post a Comment

Popular posts from this blog

Using Power Automate to Update Contact Information

-
 We've all been there- you have a large organization who has out-of-date contact information. What do you do? You could go around to each department and ask them nicely to update their information, or send out an org-wide email prompting people to do so. However, this is tedious and oftentimes a pointless task. By the time you update one department, you're running to fix another. What if you could put the power back in the department's hands to do so? This is a struggle I faced recently as I was trying to find was I could conjure up some updated contact information for each department. As I did my research, I found that I was not alone in this endeavour as it seems that many IT professionals would love to make this process a little bit less painful. With this in mind, I introduce to you my latest flow! This flow will allow you to encourage users to update their contact information, without the overhead that comes with manual effort. In addition to this, this flow utilizes t...
Read more

Using Custom Connectors and Microsoft Graph API's to Manage Licenses in Power Automate - Part One

-
Happy June folks! I come to you with another post, but this time I wanted to change it up and show you something else I have just finished working on. As a SysAdmin, one of the most common issues we run into is managing licenses. Working at a post-secondary institution makes this an even greater challenge, as you have both students, staff and faculty constantly coming as well as going. Managing to keep up with this constant change can introduce great administrative overhead which takes away time from important upkeep of other systems and initiatives. You may also notice this same issue in large corporations or in other government organizations. To help combat this, I wanted to create a flow that can do the following: Get the user and their licenses Determine their last sign-in and the date Conditional to determine if the user is past the "cutoff" date Remove the user from a group where the license is assigned The only problem with doing this is that Power Automate does not ha...
Read more

Using Custom Connectors and Microsoft Graph API's to Manage Licenses in Power Automate - Part Two

-
Hello again! Didn't I promise you that I'd be back to wrap this up? Well, here I am to give you the second tidbit of information that you need to get this started. If you haven't already, take a look at my previous post where I go into depth about creating a custom connector in Power Automate to retrieve the latest sign-in and also gather the user's licenses. Now that we have the custom connector ready, we can now get into the meat n' potatoes of this series. In this post, I will show you the flow that makes this possible and how you can use the custom connector you have created to tie it all together! Hope you enjoy. Understanding the Logic Before we can begin creating the flow, we should first understand how the flow will work. I designed this to flow to be triggered manually, but you may want to schedule it or use another trigger. The trigger will depend on your organization's policies, so please adjust accordingly. Once triggered, the flow will use the Entra...
Read more