Microsoft Entra ID · Identity Protection

Identity Protection Administration

Responsibility profile, not a standalone Microsoft Entra role. Identity Protection administration is split across Security Administrator, Security Operator, Security Reader, and Conditional Access Administrator.

Scope: Combined Identity Protection responsibilities spanning multiple assignable Microsoft Entra roles

Permissions

  • IDP Data - Read all Identity Protection data
  • IDP Settings - Update Identity Protection settings
  • Risk Policies - Configure user risk and sign-in risk policies
  • Risky Users - Review and remediate risky users
  • User Compromise - Confirm user compromise
  • Risk Dismissal - Dismiss user risk
  • Risk Investigation - Investigate risk detections
  • CA Integration - Configure risk-based Conditional Access policies
  • Reports - View Identity Protection reports and dashboards
  • Workload Identity - Access risky workload identities
  • Sign-in Risk - Review sign-in risk detections
  • Data Export - Export risk data for analysis

Common use cases

  • Configuring user and sign-in risk policies
  • Investigating potentially compromised accounts
  • Managing risky user remediation workflows
  • Risk detection analysis and triage
  • Automated risk response configuration
  • Risk-based Conditional Access policy tuning
  • Workload identity risk management
  • Risk trend analysis and reporting
  • Compliance reporting for identity risks

Best practices

  • Configure alerts for high-risk detections
  • Review risky users at least weekly
  • Integrate with incident response procedures
  • Document risk remediation decisions
  • Tune risk policies based on organizational patterns
  • Coordinate with Conditional Access Administrator
  • Use risk-based policies in addition to static policies
  • Monitor for false positives and adjust thresholds
  • Export data for SIEM integration
  • Consider automated remediation for low-risk scenarios
  • Review workload identity risks separately

Security considerations

  • Can dismiss risks potentially hiding actual compromises
  • Risk policy changes affect all users immediately
  • Misconfigured policies can cause lockouts or over-permissive access
  • Audit all risk dismissal and confirmation actions
  • Monitor for bulk risk dismissals
  • Coordinate dismissals with incident response
  • Consider PIM for just-in-time access
  • Alert on risk policy changes

Common questions

When should I assign the Identity Protection Administration role?

Assign Identity Protection Administration when you need to: Configuring user and sign-in risk policies; Investigating potentially compromised accounts; Managing risky user remediation workflows; Risk detection analysis and triage; and Automated risk response configuration. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Identity Protection Administration role do?

The Identity Protection Administration role grants permissions including: IDP Data - Read all Identity Protection data; IDP Settings - Update Identity Protection settings; Risk Policies - Configure user risk and sign-in risk policies; Risky Users - Review and remediate risky users; User Compromise - Confirm user compromise; and Risk Dismissal - Dismiss user risk. See the Permissions section above for the full list.

What are the security risks of the Identity Protection Administration role?

Key considerations when assigning Identity Protection Administration: Can dismiss risks potentially hiding actual compromises; Risk policy changes affect all users immediately; Misconfigured policies can cause lockouts or over-permissive access; and Audit all risk dismissal and confirmation actions. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →