Do your users perform actions that put your organization at risk? If you have an Azure Active Directory (AD) Premium 2 (P2) license, you can set up risk alert rules that tell you when their actions are putting your firm at risk. You can also instruct it to take additional actions based on the activities seen by Azure AD Identity Protection at the sign-in process.  

If you have a Premium 1 (P1) license, you will receive a “Sign-in with additional risk detected” notice. The risk level and risk detail fields are hidden, but this might be enough to alert you to actions that put your firm at risk. There are different features included in Azure AD P1 versus Azure AD P2, and how each reports on risky user activities is just one of them.

Azure monitors how a user logs in and takes action if it sees unusual activity based on policies you set up. This setting is similar to the Microsoft 365 user login monitoring but focuses on the user login for Azure AD. You can purchase a single P2 license to add this level of protection for your global administrator accounts and leave the rest of your users with a P1 license or even at the basic Azure AD level. You may find conflicting information on the web, but you can mix and match Azure licenses to put together the best protection for your accounts. This is just one of many best practices that you can do for Azure AD as noted on this best practices checklist.

The risk event types Azure AD detects include: