Based on Microsoft's documentation for **Microsoft Entra ID Protection**, the roles that receive **"Users at risk detected" alerts** by default are:
**Global Administrator** and **Security Administrator**.
### Alert Recipients Breakdown:
| Administrator | Role | Receives "Users at risk detected" alerts? |
|---------------|------|-------------------------------------------|
| **Admin1** | Global Administrator | ✅ **Yes** (default recipient) |
| **Admin2** | Security Administrator | ✅ **Yes** (default recipient) |
| **Admin3** | Security Reader | ❌ No (read-only access, no alerts) |
| **Admin4** | User Administrator | ❌ No (not a default recipient) |
### Key Details:
1. **Default Alert Configuration**:
   - Alerts are automatically sent to **Global Administrators** and **Security Administrators**.
   - This is not configurable at the role level; it’s enforced by the service.
   - [Official Reference](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications#configure-notifications).
2. **Customization Options**:
   - You can **add additional email addresses** (e.g., a SOC team inbox) to receive alerts, but role assignments alone won’t trigger alerts for:
     - Security Readers
     - User Administrators
     - Conditional Access Administrators (not listed here).
3. **Security Reader & User Administrator Roles**:
   - **Security Reader**: Can *view* risk reports but won’t receive proactive alerts.
   - **User Administrator**: Manages users/groups but isn’t included in risk alerting by design.
### Summary:
Only **Admin1 (Global Administrator)** and **Admin2 (Security Administrator)** will receive "Users at risk detected" alerts.
> ⚠️ **Note**: To extend alerts to Admin3 or Admin4, manually add their email addresses in:
> **Entra ID Protection → Notifications → Users at risk detected alerts → Additional email recipients**.