---
title: Azure AD Identity Protection risky user
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure AD Identity Protection risky user

- Classification: attack
- Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)
- Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detect when Azure Identity Protection categorizes an Azure Active Directory user as risky.

## Strategy{% #strategy %}

Monitor Azure Active Directory Identity Protection and generate a signal when Azure identifies the user as risky.

## Triage and response{% #triage-and-response %}

1. Check for other signals and logs generated by the impacted user `{{@usr.id}}`, and look for deviations in the following properties:
   - Application
   - Device
   - Geolocation
   - IP address
   - User agent
1. Reach out to the user `{{@usr.id}}` to confirm whether they recognize the activity.
1. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.
1. If the activity is legitimate, dismiss the user risk in the Azure portal.
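
One way to carry out the comparison in step 1, as an added example that is not part of the Datadog rule or its documentation: it flags recent events whose application, device, geolocation, IP address, or user agent never appeared in the user's earlier activity. The flat field names and the sample events are constructed for illustration and are not Datadog or Azure AD log attribute names.

```python
from collections import defaultdict

# The five properties named in triage step 1. The flat key names are
# assumptions for this sketch, not Datadog or Azure AD log attribute names.
PROPERTIES = ("application", "device", "geolocation", "ip_address", "user_agent")


def build_baseline(events):
    """Map each property to the set of values seen in the user's earlier events."""
    seen = defaultdict(set)
    for event in events:
        for prop in PROPERTIES:
            if event.get(prop) is not None:
                seen[prop].add(event[prop])
    return seen


def find_deviations(baseline_events, recent_events):
    """Return (event, deviating_properties) pairs, most deviations first."""
    # A property deviates when its value is absent from the baseline window;
    # a missing (None) value counts, since a blank device is worth a look.
    seen = build_baseline(baseline_events)
    findings = []
    for event in recent_events:
        changed = [p for p in PROPERTIES if event.get(p) not in seen[p]]
        if changed:
            findings.append((event, changed))
    return sorted(findings, key=lambda item: len(item[1]), reverse=True)


# Constructed sample data (documentation-range IPs, made-up values).
BASELINE = [
    {"application": "Office 365", "device": "LAPTOP-01", "geolocation": "FR",
     "ip_address": "198.51.100.10", "user_agent": "Edge/120"},
    {"application": "Azure Portal", "device": "LAPTOP-01", "geolocation": "FR",
     "ip_address": "198.51.100.11", "user_agent": "Edge/120"},
]
RECENT = [
    {"application": "Office 365", "device": "LAPTOP-01", "geolocation": "FR",
     "ip_address": "198.51.100.10", "user_agent": "Edge/120"},
    {"application": "Office 365", "device": None, "geolocation": "BR",
     "ip_address": "203.0.113.7", "user_agent": "python-requests/2.31"},
    {"application": "Azure Portal", "device": "LAPTOP-01", "geolocation": "FR",
     "ip_address": "198.51.100.99", "user_agent": "Edge/120"},
]

if __name__ == "__main__":
    for event, changed in find_deviations(BASELINE, RECENT):
        print(event["ip_address"], "->", ", ".join(changed))
```

Events that deviate on several properties at once sort to the top, which gives a starting order for the conversation with the user in step 2.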
