Entra ID (Azure AD) Risk Events

Tags: m365-azure | Authentication & Access | Cloud Admin Portal

Location

Azure Portal > Entra ID > Security > Risk detections (or Microsoft Graph API /identityProtection/riskDetections)

Description

Machine-learning-generated risk detections including anonymous IP usage, impossible travel, malware-linked IPs, password spray detection, leaked credential matches, token anomalies, and suspicious inbox manipulation rules.

Forensic Value

Risk events carry Microsoft threat-intelligence context that is not present in the raw sign-in logs. A "leaked credentials" detection confirms that the user's password was found in a breach corpus; an "anomalous token" detection flags token theft and replay. Correlating risk-event timestamps with the matching sign-in log entries yields a high-confidence timeline of when the identity was compromised and from which infrastructure (IP address, application) the attacker operated.
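The correlation described above, written out as an added example (not Microsoft's code and not part of the original page). It assumes the `riskDetection` and `signIn` records have already been pulled from Graph into JSON; the field names used (`requestId`, `correlationId`, `activityDateTime`, `createdDateTime`, `ipAddress`, `userPrincipalName`) follow the Graph resource shapes as I understand them, and the records below are constructed sample data for one fictional user. Detections that carry a sign-in request id are joined exactly; detections without one (such as an offline "leaked credentials" hit, which has no sign-in of its own) fall back to a same-user, same-IP, nearest-in-time match inside a configurable window, or stay unmatched.

```python
"""Join Entra ID risk detections to sign-in log entries and summarize the compromise.

Added example; the record shapes are assumptions modelled on the Graph API
riskDetection and signIn resources, and all records are constructed samples.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the "value" array of GET /identityProtection/riskDetections.
RISK_DETECTIONS = [
    {"id": "rd-1", "riskEventType": "leakedCredentials", "riskLevel": "high", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example", "ipAddress": None,  # offline detection, no IP
     "activityDateTime": "2024-03-01T08:00:00Z", "detectedDateTime": "2024-03-02T03:15:00Z",
     "requestId": None, "correlationId": None},
    {"id": "rd-2", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.45",
     "activityDateTime": "2024-03-02T06:42:10Z", "detectedDateTime": "2024-03-02T06:42:30Z",
     "requestId": "si-102", "correlationId": "c-102"},
    {"id": "rd-3", "riskEventType": "anomalousToken", "riskLevel": "high", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.45",
     "activityDateTime": "2024-03-02T06:50:00Z", "detectedDateTime": "2024-03-02T07:10:00Z",
     "requestId": None, "correlationId": None},
]

# Constructed sample: sign-in log entries (GET /auditLogs/signIns) for the same period.
SIGN_INS = [
    {"id": "si-101", "createdDateTime": "2024-03-01T09:05:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}, "correlationId": "c-101"},
    {"id": "si-102", "createdDateTime": "2024-03-02T06:42:05Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.45", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}, "correlationId": "c-102"},
    {"id": "si-103", "createdDateTime": "2024-03-02T06:48:30Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Graph", "status": {"errorCode": 0}, "correlationId": "c-103"},
    {"id": "si-104", "createdDateTime": "2024-03-02T06:55:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.45", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}, "correlationId": "c-104"},
    {"id": "si-105", "createdDateTime": "2024-03-02T08:30:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}, "correlationId": "c-105"},
]


def parse_ts(value):
    """Graph timestamps in these samples are UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_sign_in(detection, sign_ins, window):
    """Return (sign_in, how) for a detection, or (None, None) if nothing qualifies."""
    # 1. Exact join: the detection names the sign-in it was raised on.
    for key in ("requestId", "correlationId"):
        wanted = detection.get(key)
        if wanted:
            field = "id" if key == "requestId" else "correlationId"
            for s in sign_ins:
                if s.get(field) == wanted:
                    return s, key
    # 2. Heuristic join: same user, same IP, nearest sign-in inside the window.
    ip = detection.get("ipAddress")
    if not ip:
        return None, None  # offline detections have no infrastructure to match on
    when = parse_ts(detection["activityDateTime"])
    best = None
    for s in sign_ins:
        if s.get("userPrincipalName") != detection.get("userPrincipalName") or s.get("ipAddress") != ip:
            continue
        delta = abs(parse_ts(s["createdDateTime"]) - when)
        if delta <= window and (best is None or delta < best[0]):
            best = (delta, s)
    return (best[1], "user+ip+time") if best else (None, None)


def build_timeline(detections, sign_ins, window_minutes=10):
    """One row per detection, ordered by activity time, with the matched sign-in (if any)."""
    window = timedelta(minutes=window_minutes)
    rows = []
    for d in detections:
        s, how = match_sign_in(d, sign_ins, window)
        rows.append({
            "time": d["activityDateTime"], "detection": d["id"], "riskEventType": d["riskEventType"],
            "riskLevel": d["riskLevel"], "user": d["userPrincipalName"],
            "signInId": s["id"] if s else None, "signInTime": s["createdDateTime"] if s else None,
            "app": s["appDisplayName"] if s else None, "ip": (s or d).get("ipAddress"), "matchedBy": how,
        })
    rows.sort(key=lambda r: r["time"])  # same ISO format, so string order is time order
    return rows


def compromise_summary(timeline, levels=("medium", "high")):
    """Earliest risk-backed sign-in and the set of source IPs seen across matched detections."""
    hits = [r for r in timeline if r["signInId"] and r["riskLevel"] in levels]
    if not hits:
        return None
    first = min(hits, key=lambda r: r["signInTime"])
    return {"firstConfirmedSignIn": first["signInTime"], "user": first["user"],
            "infrastructure": sorted({r["ip"] for r in hits if r["ip"]})}


if __name__ == "__main__":
    for row in build_timeline(RISK_DETECTIONS, SIGN_INS):
        print(row)
    print(compromise_summary(build_timeline(RISK_DETECTIONS, SIGN_INS)))
```

On the sample data the leaked-credentials detection stays unmatched (it carries no IP and names no sign-in), the anonymized-IP detection joins exactly on its request id, and the anomalous-token detection picks the nearest same-user, same-IP sign-in inside the ten-minute window while ignoring the other user's sign-in from the same address. Keep the window small in real investigations: a wide window on a shared egress IP will pull in unrelated sessions.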

Tools Required

Azure Portal
Microsoft Graph API (/identityProtection/riskDetections)
PowerShell