Try this first
- 1Entra admin center > Protection > Identity Protection > Sign-in risk policy. Turn it on and decide whether to enforce on medium or high risk (MFA or block).
- 2Check live status under 'Risky users' and 'Risky sign-ins'. You see impossible travel, anonymous IP, infrequent country and other signals there.
- 3Set notification recipients: you plus one backup. Not just one person, they go on vacation sometimes.
- 4Test by signing in via a VPN to another country. Does the sign-in show up in 'Risky sign-ins' within 30 minutes? Configuration works.
- 5Build a habit: check 'Risky users' at the start of every workday. 30 seconds of work.
When to bring us in
Identity Protection requires Entra ID P2. Without it you are stuck with weaker signals. Defender for Office covers a different set (mail-flow, phishing) and is a separate topic. We can advise whether the license is worth it for your situation, often not necessary.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.