This article outlines user risk ratings, how they become elevated, and the process for releasing an elevated risk.

A user’s risk rating can be elevated when security systems detect behaviour or indicators that suggest the account may be compromised. Common reasons include:

  • Suspicious sign‑in activity – e.g. sign‑ins from unfamiliar locations, impossible travel, or anomalous IP addresses.
  • Credential compromise indicators – username/passwords detected in known breach data or dark‑web sources.
  • Malware or phishing interaction – the user clicked a phishing link, opened a malicious attachment, or was involved in a confirmed phishing campaign.
  • Unusual account behaviour – abnormal sign‑in patterns, excessive failed logins, or atypical access to resources.
  • Risk signals from identity protection tooling – automated detections from Microsoft Entra ID Identity Protection or integrated security platforms.

Risk ratings are automatically calculated and adjusted based on the severity, confidence, and combination of these signals, and they typically reduce once remediation actions (password reset, MFA re‑authentication, sign‑in review) are completed.

What to expect if a user’s risk is elevated


If a user’s risk level is elevated, they may experience temporary security controls designed to protect their account and the firm. This can include:

  • Prompted security actions – such as being required to reset their password or re‑authenticate with MFA.
  • Sign‑in interruptions – access may be temporarily blocked until required verification steps are completed.
  • Increased monitoring – the account may be more closely monitored for suspicious activity while the risk is assessed.
  • Minimal business disruption – once remediation actions are completed and the risk is reduced, access is typically restored automatically.


Process: Handling an Elevated User Risk

1. Identify the Elevated Risk

An elevated user risk can be identified in one of the following ways:

a) Freshservice alert – Review alerts received in Freshservice from [email protected]. These alerts will generally state when a user’s risk level has been elevated.

b) Manual check – If no alert is present but a user is exhibiting suspicious behaviour, navigate to:

Entra ID → Search for the user → User overview page

If the user is flagged, the status “Risky User” will be displayed on the user’s profile.
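
For checking many users at once, the added example below (not part of the original procedure) turns a risky-user listing into an escalation queue for step 2. It assumes records shaped like the Microsoft Graph riskyUser resource; the sample data and the function name `escalation_queue` are constructed for illustration, and the script only reads and sorts, it releases nothing.

```python
import json
from datetime import datetime

# Constructed sample, shaped like the JSON returned by Microsoft Graph
# GET /identityProtection/riskyUsers. All users and timestamps are made up.
SAMPLE = json.loads("""
{"value": [
  {"userPrincipalName": "alice@example.com", "riskLevel": "high",
   "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-02T09:14:00Z"},
  {"userPrincipalName": "bob@example.com", "riskLevel": "medium",
   "riskState": "remediated", "riskLastUpdatedDateTime": "2024-05-02T10:00:00Z"},
  {"userPrincipalName": "carol@example.com", "riskLevel": "medium",
   "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-03T11:00:00Z"},
  {"userPrincipalName": "dave@example.com", "riskLevel": "medium",
   "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-01T08:00:00Z"},
  {"userPrincipalName": "erin@example.com", "riskLevel": "low",
   "riskState": "dismissed", "riskLastUpdatedDateTime": "2024-04-30T16:30:00Z"}
]}
""")

# Risk states that still need a decision; the rest are already closed.
OPEN_STATES = {"atRisk", "confirmedCompromised"}
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2, "hidden": 3, "none": 4}


def escalation_queue(response):
    """Return open-risk users, highest level first, newest first within a level."""
    rows = []
    for user in response.get("value", []):
        if user.get("riskState") not in OPEN_STATES:
            continue  # remediated, dismissed or confirmedSafe
        stamp = user.get("riskLastUpdatedDateTime", "1970-01-01T00:00:00Z")
        rows.append({
            "upn": user.get("userPrincipalName", "<unknown>"),
            "level": user.get("riskLevel", "unknown"),
            "updated": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
            "action": "escalate for approval",  # step 2: do not release independently
        })
    # Unrecognised levels sort first so they are not overlooked.
    rows.sort(key=lambda r: (LEVEL_ORDER.get(r["level"], -1), -r["updated"].timestamp()))
    return rows


if __name__ == "__main__":
    for row in escalation_queue(SAMPLE):
        print(f'{row["level"]:<7} {row["upn"]:<22} {row["updated"]:%Y-%m-%d %H:%M} {row["action"]}')
```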

2. Escalate and Confirm

Once it has been determined that a user’s risk is elevated, do not action the risk independently.

Consult with one or more of the following before proceeding:

  • Andy McConnell
  • Red Hamel
  • Nirav Patel
  • Steve Rose


3. Releasing the User Risk (Authorised Only)

If approval is given to release the risk:

a) Select “View User Risk Information”.

b) Select the affected user.

c) If confirmed safe, select “Confirm User Safe”.