Microsoft Entra ID · Identity Protection

Identity Protection Administrator

Can manage Identity Protection policies, investigate and remediate risky users and sign-ins, and configure risk-based policies. Requires a Microsoft Entra ID P2 license.

Scope: Full Identity Protection management including policies, investigation, and remediation

Permissions

  • IDP Data - Read all Identity Protection data
  • IDP Settings - Update Identity Protection settings
  • Risk Policies - Configure user risk and sign-in risk policies
  • Risky Users - Review and remediate risky users
  • User Compromise - Confirm user compromise
  • Risk Dismissal - Dismiss user risk
  • Risk Investigation - Investigate risk detections
  • CA Integration - Configure risk-based Conditional Access policies
  • Reports - View Identity Protection reports and dashboards
  • Workload Identity - Access risky workload identities
  • Sign-in Risk - Review sign-in risk detections
  • Data Export - Export risk data for analysis

Common use cases

  • Configuring user and sign-in risk policies
  • Investigating potentially compromised accounts
  • Managing risky user remediation workflows
  • Risk detection analysis and triage
  • Automated risk response configuration
  • Risk-based Conditional Access policy tuning
  • Workload identity risk management
  • Risk trend analysis and reporting
  • Compliance reporting for identity risks

Best practices

  • Configure alerts for high-risk detections
  • Review risky users at least weekly
  • Integrate with incident response procedures
  • Document risk remediation decisions
  • Tune risk policies based on organizational patterns
  • Coordinate with Conditional Access Administrator
  • Use risk-based policies in addition to static policies
  • Monitor for false positives and adjust thresholds
  • Export data for SIEM integration
  • Consider automated remediation for low-risk scenarios
  • Review workload identity risks separately

Security considerations

  • Can dismiss risks, potentially hiding actual compromises
  • Risk policy changes affect all users immediately
  • Misconfigured policies can cause lockouts or over-permissive access
  • Audit all risk dismissal and confirmation actions
  • Monitor for bulk risk dismissals
  • Coordinate dismissals with incident response
  • Consider PIM for just-in-time access
  • Alert on risk policy changes
