NOTE: This advisory is based on our evidence from the f11.ca lab experiment (EID-EXP-006), in which we reproduced the issue.
For engineers asking how this works technically.
Most Microsoft 365 tenants today can detect risky sign-ins. (What are risk detections? - Microsoft Entra ID Protection | Microsoft Learn, 2024)
Microsoft Entra Identity Protection is doing its job:
- detecting suspicious logins
- flagging risky users
- identifying credential abuse (Microsoft Entra ID Protection, 2024)
However, in many environments, a critical step is often missing:
There are no alerts, notifications, or responses.
What is the result?
Risk is detected, but no action is taken.
The Business Problem: “Security Signals” Don’t Reduce Risk If Nobody Sees Them
As an MSP owner, I frequently observe the following in client environments:
- Entra ID P2 is licensed.
- Identity Protection is available.
- Risky sign-ins are being detected.
- Risky users are being flagged.
However, the security process stops at detection.
There’s no workflow. No email notifications.
No ticket creation.
No SOC visibility.
As a result, the business remains exposed, despite investing in the security feature.
The Real Cost of Missing Identity Protection Alerts
When Identity Protection detects a risky sign-in, it’s often one of these:
- password spray attempts
- stolen credentials from the dark web
- impossible travel
- sign-ins from unfamiliar countries
- malicious automation attempts (What are risk detections? - Microsoft Entra ID Protection | Microsoft Learn, 2024)
If the organization is not notified promptly, attackers gain valuable time.
Here’s what that delay can cost:
- mailbox compromise
- invoice fraud
- SharePoint data exposure
- admin takeover
- ransomware entry via identity
- reputation damage
Additionally, many clients mistakenly believe they are protected simply because they use “Microsoft security.” (Nearly 30% of MSPs Report Preventable Microsoft 365 Data Loss Due to Backup Gaps, 2025)
The Most Common Scenario MSPs Inherit
The typical pattern is as follows:
- Risk detected
- No alert
- No ticket
- No response
- Incident discovered later (or never)
This is why I call it: Silent detection.
Silent detection is particularly dangerous because leadership assumes the issue is resolved.
Why This Happens (Even in Mature Tenants)
Identity Protection is effective, but it is not fully operational by default. (Protecting authentication methods in Microsoft Entra ID, 2023)
In many tenants:
- Notifications were never configured.
- The wrong people were selected as recipients.
- Alerts were set to “High only” and nothing triggered.
- The email recipients were outdated.
- The organization relied on “someone checking the portal.”
In the MSP model, it is impractical to manually check more than ten tenants each day.
The Fix: Configure Alerts + Notifications for Risky Users and Risky Sign-ins
Configuring alerts and notifications is among the most valuable security improvements an MSP can implement. (Microsoft Entra ID Protection notifications, 2023)
In our lab environment (f11.ca experiment):
EID-EXP-006: Configure Alerts + Notifications for:
- Risky users
- Risky sign-ins
- Weekly digest reporting (optional)
The objective is clear:
Turn Identity Protection into an operational control.
It should not remain only a dashboard.
When properly configured, clients receive the following alerts:
1) Risky user alerts
If a user account is identified as risky, such as from leaked credentials, the security team receives immediate notification.
2) Risky sign-in alerts
If a risky login occurs, including from a new country, an impossible travel location, or suspicious properties, the security team is notified immediately.
3) Weekly digest (optional)
A weekly report enables leadership and IT to understand:
- How often risk events occur
- Which users are targeted
- Whether risk is trending up or down (Microsoft Entra ID Protection notifications, 2023)
Why This Is a High-Value MSP Deliverable
This process involves more than simply enabling email notifications.
It creates tangible business outcomes:
Faster response = less damage
Faster containment = lower incident cost
Less downtime = better continuity
Better reporting = stronger client trust
This also enhances MSP operations by enabling the MSP to:
- Route alerts to a shared mailbox
- Create tickets automatically
- Integrate into SIEM (Microsoft Sentinel)
- Provide security value to the client (Microsoft Entra ID Protection, 2024)
The Client Impact: What Changes After Alerts Are Enabled
Once alerts are enabled, clients no longer operate without visibility.
Instead, they get:
- real-time security awareness
- measurable signals
- faster incident detection
- a path to automation through Conditional Access
From an MSP perspective, this becomes a strong justification for:
- managed security services
- Microsoft 365 security reviews
- Entra ID P2 upgrades
- Recurring Identity Monitoring Pack
Key Takeaway for MSP Owners
If your client is licensed for Entra ID P2 or Microsoft 365 E5 and Identity Protection is enabled, but alerts and notifications are not configured, clients are paying for security detection that remains unseen.
That’s not a problem. This is a silent failure.
Next Step: Pair Alerts with Conditional Access Remediation
Notifications are step one.
The next step is enforcement. For example:
- medium sign-in risk → require MFA
- high user risk → require password reset
- repeated risk → block access (Zero Trust identity and device access policies, 2024)
This approach transforms detection into prevention.
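The enforcement ladder above, sketched as a triage function over risk records (an added example, not code from this article or from Microsoft). The field names follow Microsoft Graph's riskDetection resource; the sample records, the action names, and the definition of "repeated risk" (three detections within seven days) are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption (not from the article): "repeated risk" means at least
# REPEAT_THRESHOLD detections for one user inside REPEAT_WINDOW.
REPEAT_THRESHOLD = 3
REPEAT_WINDOW = timedelta(days=7)

# Constructed sample records using Microsoft Graph riskDetection field names.
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@example.com", "riskLevel": "medium", "detectedDateTime": "2025-01-06T09:15:00Z"},
    {"userPrincipalName": "bob@example.com", "riskLevel": "low", "detectedDateTime": "2025-01-06T11:02:00Z"},
    {"userPrincipalName": "carol@example.com", "riskLevel": "low", "detectedDateTime": "2025-01-06T03:40:00Z"},
    {"userPrincipalName": "carol@example.com", "riskLevel": "low", "detectedDateTime": "2025-01-07T03:41:00Z"},
    {"userPrincipalName": "carol@example.com", "riskLevel": "medium", "detectedDateTime": "2025-01-09T22:10:00Z"},
    {"userPrincipalName": "dave@example.com", "riskLevel": "low", "detectedDateTime": "2025-01-08T14:00:00Z"},
]
# Constructed user-risk levels, as a risky users report would give them.
SAMPLE_USER_RISK = {"Bob@example.com": "high", "dave@example.com": "low"}

def _parse(ts):
    # Graph timestamps are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_repeated(times):
    """True if REPEAT_THRESHOLD detections fall within one REPEAT_WINDOW."""
    times = sorted(times)
    k = REPEAT_THRESHOLD
    return any(times[i + k - 1] - times[i] <= REPEAT_WINDOW
               for i in range(len(times) - k + 1))

def triage(detections, user_risk):
    """Return {upn: action}; later checks override earlier, weaker ones."""
    by_user = defaultdict(list)
    for d in detections:
        by_user[d["userPrincipalName"].lower()].append(d)
    user_risk = {u.lower(): lvl for u, lvl in user_risk.items()}
    plan = {}
    for upn in sorted(set(by_user) | set(user_risk)):
        hits = by_user.get(upn, [])
        action = "none"
        # Sign-in risk of medium (high treated the same: an assumption).
        if any(d["riskLevel"] in ("medium", "high") for d in hits):
            action = "require_mfa"
        if user_risk.get(upn) == "high":
            action = "require_password_reset"
        if is_repeated([_parse(d["detectedDateTime"]) for d in hits]):
            action = "block_access"
        plan[upn] = action
    return plan

if __name__ == "__main__":
    for upn, action in triage(SAMPLE_DETECTIONS, SAMPLE_USER_RISK).items():
        print(f"{upn}: {action}")
```

In a real tenant the same decisions are enforced by risk-based Conditional Access policies; a script like this is useful for checking which users those policies would have caught in historical data.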
Need help validating this in your tenant?
This risk exists in most Microsoft 365 tenants.
Author: Jaspreet Singh
Platform: MSPInsights.ca
Hands-on Evidence & Labs: f11.ca
References
(2024). What are risk detections? - Microsoft Entra ID Protection | Microsoft Learn. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
(2024). Microsoft Entra ID Protection. Microsoft Security. https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id-protection
(October 15, 2025). Nearly 30% of MSPs Report Preventable Microsoft 365 Data Loss Due to Backup Gaps. Syncro Survey. https://www.businesswire.com/news/home/20251016687988/en/Syncro-Survey-Nearly-30-of-MSPs-Report-Preventable-Microsoft-365-Data-Loss-Due-to-Backup-Gaps
(2023). Protecting authentication methods in Microsoft Entra ID. Microsoft Entra ID | Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement
(2023). Microsoft Entra ID Protection notifications. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications
(2023). Microsoft Entra ID Protection notifications. Microsoft Entra ID Protection notifications. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-notifications
(2024). Microsoft Entra ID Protection. Microsoft Entra ID Protection Datasheet. https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id-protection
(2024). Zero Trust identity and device access policies. Microsoft. https://download.microsoft.com/download/e/d/0/ed03381c-16ce-453e-9c89-c13967819cea/zero-trust-identity-and-device-access-policies.pdf