Microsoft Entra ID · Identity Protection
Identity Protection Administration
Responsibility profile, not a standalone Microsoft Entra role. Identity Protection administration is split across Security Administrator, Security Operator, Security Reader, and Conditional Access Administrator.
Scope: Combined Identity Protection responsibilities spanning multiple assignable Microsoft Entra roles
Permissions
- IDP Data - Read all Identity Protection data
- IDP Settings - Update Identity Protection settings
- Risk Policies - Configure user risk and sign-in risk policies
- Risky Users - Review and remediate risky users
- User Compromise - Confirm user compromise
- Risk Dismissal - Dismiss user risk
- Risk Investigation - Investigate risk detections
- CA Integration - Configure risk-based Conditional Access policies
- Reports - View Identity Protection reports and dashboards
- Workload Identity - Access risky workload identities
- Sign-in Risk - Review sign-in risk detections
- Data Export - Export risk data for analysis
Common use cases
- Configuring user and sign-in risk policies
- Investigating potentially compromised accounts
- Managing risky user remediation workflows
- Risk detection analysis and triage
- Automated risk response configuration
- Risk-based Conditional Access policy tuning
- Workload identity risk management
- Risk trend analysis and reporting
- Compliance reporting for identity risks
Best practices
- Configure alerts for high-risk detections
- Review risky users at least weekly
- Integrate with incident response procedures
- Document risk remediation decisions
- Tune risk policies based on organizational patterns
- Coordinate with Conditional Access Administrator
- Use risk-based policies in addition to static policies
- Monitor for false positives and adjust thresholds
- Export data for SIEM integration
- Consider automated remediation for low-risk scenarios
- Review workload identity risks separately
Security considerations
- Can dismiss risks potentially hiding actual compromises
- Risk policy changes affect all users immediately
- Misconfigured policies can cause lockouts or over-permissive access
- Audit all risk dismissal and confirmation actions
- Monitor for bulk risk dismissals
- Coordinate dismissals with incident response
- Consider PIM for just-in-time access
- Alert on risk policy changes
Common questions
When should I assign the Identity Protection Administration role?
Assign Identity Protection Administration when you need to: Configuring user and sign-in risk policies; Investigating potentially compromised accounts; Managing risky user remediation workflows; Risk detection analysis and triage; and Automated risk response configuration. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Identity Protection Administration role do?
The Identity Protection Administration role grants permissions including: IDP Data - Read all Identity Protection data; IDP Settings - Update Identity Protection settings; Risk Policies - Configure user risk and sign-in risk policies; Risky Users - Review and remediate risky users; User Compromise - Confirm user compromise; and Risk Dismissal - Dismiss user risk. See the Permissions section above for the full list.
What are the security risks of the Identity Protection Administration role?
Key considerations when assigning Identity Protection Administration: Can dismiss risks potentially hiding actual compromises; Risk policy changes affect all users immediately; Misconfigured policies can cause lockouts or over-permissive access; and Audit all risk dismissal and confirmation actions. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.