
Commit 1c3185b

Merge pull request #12264 from MicrosoftDocs/main
Auto Publish – main to live - 2026-03-26 05:00 UTC
2 parents 4de39b4 + 51f5ca3 commit 1c3185b

28 files changed, +337 / -65 lines changed

docs/fundamentals/configure-security.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -61,7 +61,9 @@ Reduce credential-related risk by implementing modern identity standards.
6161
| [Use cloud authentication](zero-trust-protect-identities.md#use-cloud-authentication) | Microsoft Entra ID P1 |
6262
| [All users are required to register for MFA](zero-trust-protect-identities.md#all-users-are-required-to-register-for-mfa) | Microsoft Entra ID P2 |
6363
| [Users have strong authentication methods configured](zero-trust-protect-identities.md#users-have-strong-authentication-methods-configured) | Microsoft Entra ID P1 |
64+
| [Reduce the user-visible password surface area](zero-trust-protect-identities.md#reduce-the-user-visible-password-surface-area) | Microsoft Entra ID P1 |
6465
| [User sign-in activity uses token protection](zero-trust-protect-identities.md#user-sign-in-activity-uses-token-protection) | Microsoft Entra ID P1 |
66+
| [Token protection policies are configured](zero-trust-protect-identities.md#token-protection-policies-are-configured) | Microsoft Entra ID P1 |
6567
| [All user sign-in activity uses phishing-resistant authentication methods](zero-trust-protect-identities.md#all-user-sign-in-activity-uses-phishing-resistant-authentication-methods) | Microsoft Entra ID P1 |
6668
| [All sign-in activity comes from managed devices](zero-trust-protect-identities.md#all-sign-in-activity-comes-from-managed-devices) | Microsoft Entra ID P1 |
6769
| [Security key authentication method enabled](zero-trust-protect-identities.md#security-key-authentication-method-enabled) | None (included with Microsoft Entra ID) |
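Review bot: the two new rows (lines 64 and 66) link to the anchors `#reduce-the-user-visible-password-surface-area` and `#token-protection-policies-are-configured`, which only exist because the matching `###` headings are added to zero-trust-protect-identities.md in this same commit; please confirm the built anchors resolve, since a heading-slug mismatch here would leave dead links in the checks table. Placing "Token protection policies are configured" directly after "User sign-in activity uses token protection" keeps the table in the same order as the target page, which is good.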
@@ -75,6 +77,7 @@ Reduce credential-related risk by implementing modern identity standards.
7577
| [Require multifactor authentication for device join and device registration using user action](zero-trust-protect-identities.md#require-multifactor-authentication-for-device-join-and-device-registration-using-user-action) | Microsoft Entra ID P1 |
7678
| [Local Admin Password Solution is deployed](zero-trust-protect-identities.md#local-admin-password-solution-is-deployed) | Microsoft Entra ID P1 |
7779
| [Entra Connect Sync is configured with Service Principal Credentials](zero-trust-protect-identities.md#entra-connect-sync-is-configured-with-service-principal-credentials) | None (included with Microsoft Entra ID) |
80+
| [Directory sync account is locked down to specific named location](zero-trust-protect-identities.md#directory-sync-account-is-locked-down-to-specific-named-location) | Microsoft Entra ID P1 |
7881
| [No usage of ADAL in the tenant](zero-trust-protect-identities.md#no-usage-of-adal-in-the-tenant) | None (included with Microsoft Entra ID) |
7982
| [Block legacy Azure AD PowerShell module](zero-trust-protect-identities.md#block-legacy-azure-ad-powershell-module) | None (included with Microsoft Entra ID) |
8083
| [Enable Microsoft Entra ID security defaults for free tenants](zero-trust-protect-identities.md#enable-microsoft-entra-id-security-defaults-for-free-tenants) | None (included with Microsoft Entra ID) |

docs/fundamentals/zero-trust-protect-identities.md

Lines changed: 9 additions & 0 deletions
@@ -119,9 +119,15 @@ The recommendations and Zero Trust checks that are part of this pillar help redu
119119
### Users have strong authentication methods configured
120120
[!INCLUDE [21801](../includes/secure-recommendations/21801.md)]
121121

122+
### Reduce the user-visible password surface area
123+
[!INCLUDE [21889](../includes/secure-recommendations/21889.md)]
124+
122125
### User sign-in activity uses token protection
123126
[!INCLUDE [21786](../includes/secure-recommendations/21786.md)]
124127

128+
### Token protection policies are configured
129+
[!INCLUDE [21941](../includes/secure-recommendations/21941.md)]
130+
125131
### All user sign-in activity uses phishing-resistant authentication methods
126132
[!INCLUDE [21784](../includes/secure-recommendations/21784.md)]
127133

@@ -167,6 +173,9 @@ The recommendations and Zero Trust checks that are part of this pillar help redu
167173
### Entra Connect Sync is configured with Service Principal Credentials
168174
[!INCLUDE [24570](../includes/secure-recommendations/24570.md)]
169175

176+
### Directory sync account is locked down to specific named location
177+
[!INCLUDE [21834](../includes/secure-recommendations/21834.md)]
178+
170179
### No usage of ADAL in the tenant
171180
[!INCLUDE [21780](../includes/secure-recommendations/21780.md)]
172181

docs/id-protection/concept-identity-protection-risks.md

Lines changed: 7 additions & 6 deletions
@@ -3,8 +3,8 @@ title: What are risk detections?
33
description: Explore the full list of risk detections and their corresponding risk event types, along with a description of each risk event type.
44
ms.service: entra-id-protection
55
ms.topic: reference
6-
ms.date: 01/07/2026
7-
ms.reviewer: cokoopma
6+
ms.date: 03/17/2026
7+
ms.reviewer: lvandenende
88
---
99

1010
# What are risk detections?
@@ -146,7 +146,7 @@ This detection is discovered using information provided by [Microsoft Defender
146146

147147
### Microsoft Entra threat intelligence (sign-in)
148148

149-
Microsoft Entra threat intelligence indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources. These detections show up as "Microsoft Entra threat intelligence" in logs and ID Protection reports.
149+
Microsoft Entra threat intelligence indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence research, including data from the Microsoft Threat Intelligence Center (MSTIC) and other Microsoft security teams. These detections show up as "Microsoft Entra threat intelligence" in logs and ID Protection reports.
150150

151151
- Calculated in real-time or offline
152152
- License requirement: Microsoft Entra ID Free or Microsoft Entra ID P1
@@ -163,7 +163,7 @@ This detection is discovered using information provided by [Microsoft Defender
163163

164164
### Password spray
165165

166-
A password spray attack is where multiple identities are attacked using common passwords in a unified brute force manner. The risk detection is triggered when an account's password is valid and has an attempted sign in. This detection signals that the user's password was correctly identified through a password spray attack, not that the attacker was able to access any resources.
166+
A password spray attack is where multiple identities are attacked using common passwords in a unified brute force manner. Microsoft monitors password spray patterns across IP addresses and other identifiers to detect these attacks across all Microsoft Entra tenants. The risk detection is only triggered when an attacker successfully validates a user's password. Unsuccessful spray attempts against your users don't generate a detection. When the detection fires in your tenant, it means Microsoft observed a spray attack and confirmed that the attacker achieved a successful credential validation against a user in your tenant. This detection signals that the user's password was correctly identified, not that the attacker was able to access any resources.
167167

168168
- Calculated in real-time or offline
169169
- License requirement: Microsoft Entra ID P2
@@ -259,15 +259,16 @@ Also referred to as Adversary in the Middle, this high precision detection is tr
259259

260260
### Leaked credentials
261261

262-
This risk detection type indicates that the user's valid credentials leaked. When cybercriminals compromise valid passwords of legitimate users, they often share these gathered credentials. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they're checked against Microsoft Entra users' current valid credentials to find valid matches. For more information about leaked credentials, see [FAQs](id-protection-faq.yml).
262+
This risk detection indicates that a user's valid credentials appeared in a known credential breach. Microsoft operates a large-scale credential scanning pipeline that continuously monitors dark web forums, breach dump repositories, paste sites, law enforcement seizure data, and other sources through partnerships with the Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Crimes Unit (DCU), and industry partners. When discovered credentials are found, the service validates the actual credential material against your tenant's current valid password hashes. A detection is only emitted when a confirmed match is found. This detection is always as **high** risk because it represents verified credential exposure, not a heuristic signal. A cloud-based password reset through Microsoft Entra remediates the user risk for this detection for cloud and on-premises passwords, as long as password hash synchronization (PHS) is enabled for on-premises passwords. For more information about on-premises password protection, see [Microsoft Defender for Identity accounts security posture assessments](/defender-for-identity/security-posture-assessments/accounts#change-password-for-on-premises-account-with-potentially-leaked-credentials-preview).
263263

264264
- Calculated offline
265265
- License requirement: Microsoft Entra ID Free or Microsoft Entra ID P1
266+
- Requires [password hash synchronization (PHS)](../identity/hybrid/connect/how-to-connect-password-hash-synchronization.md) for on-premises passwords
266267
- [Tips for investigating leaked credentials detections.](howto-identity-protection-investigate-risk.md#leaked-credentials-detections)
267268

268269
### Microsoft Entra threat intelligence (user)
269270

270-
This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources.
271+
This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence research, including data from the Microsoft Threat Intelligence Center (MSTIC) and other Microsoft security teams.
271272

272273
- Calculated offline
273274
- License requirement: Microsoft Entra ID Free or Microsoft Entra ID P1

docs/id-protection/concept-workload-identity-risk.md

Lines changed: 1 addition & 1 deletion
@@ -47,7 +47,7 @@ We detect risk on workload identities across sign-in behavior and offline indica
4747

4848
| Detection name | Detection type | Description | riskEventType |
4949
| --- | --- | --- | --- |
50-
| Microsoft Entra threat intelligence | Offline | This risk detection indicates some activity that is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. | investigationsThreatIntelligence |
50+
| Microsoft Entra threat intelligence | Offline | This risk detection indicates some activity that is consistent with known attack patterns based on Microsoft's internal and external threat intelligence research. | investigationsThreatIntelligence |
5151
| Suspicious Sign-ins | Offline | This risk detection indicates sign-in properties or patterns that are unusual for this service principal. The detection learns the baselines sign-in behavior for workload identities in your tenant. This detection takes between 2 and 60 days, and fires if one or more of the following unfamiliar properties appear during a later sign-in: IP address / ASN, target resource, user agent, hosting/non-hosting IP change, IP country, credential type. Because of the programmatic nature of workload identity sign-ins, we provide a timestamp for the suspicious activity instead of flagging a specific sign-in event. Sign-ins that are initiated after an authorized configuration change might trigger this detection. | suspiciousSignins |
5252
| Admin confirmed service principal compromised | Offline | This detection indicates an admin selected 'Confirm compromised' in the Risky Workload Identities UI or using riskyServicePrincipals API. To see which admin confirmed this account compromised, check the account’s risk history (via UI or API). | adminConfirmedServicePrincipalCompromised |
5353
| Leaked Credentials | Offline | This risk detection indicates that the account's valid credentials leaked. This leak can occur when someone checks in the credentials in public code artifact on GitHub, or when the credentials are leaked through a data breach. When the Microsoft leaked credentials service acquires credentials from GitHub, the dark web, paste sites, or other sources, they're checked against current valid credentials in Microsoft Entra ID to find valid matches. | leakedCredentials |

docs/id-protection/howto-identity-protection-investigate-risk.md

Lines changed: 13 additions & 5 deletions
@@ -2,8 +2,8 @@
22
title: Investigate risk with Microsoft Entra ID Protection
33
description: Learn how to investigate risky users, detections, and sign-ins in Microsoft Entra ID Protection.
44
ms.topic: how-to
5-
ms.date: 01/07/2026
6-
ms.reviewer: cokoopma
5+
ms.date: 03/17/2026
6+
ms.reviewer: lvandenende
77
ms.custom: sfi-image-nochange
88
---
99
# How to investigate risk
@@ -95,7 +95,7 @@ To investigate a Microsoft Entra threat intelligence risk detection, follow thes
9595

9696
- Detection was triggered by a real-time rule
9797
1. Validate that no other users in your directory are targets of the same attack. This information can be found using the TI_RI_#### number assigned to the rule.
98-
1. Real-time rules protect against novel attacks identified by Microsoft's threat intelligence. If multiple users in your directory were targets of the same attack, investigate unusual patterns in other attributes of the sign in.
98+
1. Real-time rules protect against novel attacks identified by Microsoft's threat intelligence research. If multiple users in your directory were targets of the same attack, investigate unusual patterns in other attributes of the sign in.
9999

100100
### Atypical travel detections
101101

@@ -135,6 +135,8 @@ This detection indicates the user doesn't commonly use the browser or activity w
135135

136136
### Password spray detections
137137

138+
A password spray detection means Microsoft observed an attacker conducting a spray attack and achieving a successful credential validation against a user in your tenant. The spray attack might have targeted users across many tenants — the detection fires only in tenants where a successful password match was confirmed. Unsuccessful spray attempts don't generate a detection.
139+
138140
- If you confirm that the activity was *not* performed by a legitimate user:
139141
1. Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation.
140142
1. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.
@@ -149,9 +151,15 @@ For further investigation of password spray risk detections, see the article [Pa
149151

150152
### Leaked credentials detections
151153

154+
Leaked credentials detections are always high risk because they represent confirmed credential exposure. When this detection fires, investigate right away.
155+
152156
If this detection identified a leaked credential for a user:
153-
1. Confirm the user as compromised, and invoke a password reset if not already performed by self-remediation.
154-
1. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.
157+
158+
1. **Assess the scope of exposure.** Review the user's risk history and sign-in logs to determine if the leaked credential was used for unauthorized access. Look for correlated sign-in risk events such as sign-ins from unfamiliar locations, anonymous IP addresses, or atypical travel.
159+
1. **Check if the password was already changed.** Verify whether the user changed their password after the date the leak was detected. A cloud-based password reset triggered by a [Microsoft Entra Conditional Access policy](howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access) fully remediates the user risk for this detection. If the password was changed, the risk might already be self-remediated. If not, confirm the user as compromised and initiate a password reset.
160+
1. **Block access if an attacker is active.** If sign-in logs show unauthorized access, or if an attacker has the ability to reset the password or perform MFA, block the user, reset the password, and revoke all refresh tokens. Revoking sessions is critical when there's evidence of active compromise.
161+
1. **Review for lateral movement.** Check the user's recent activity for signs of privilege escalation, new app registrations, mailbox rule changes, or access to sensitive resources that might indicate post-compromise activity.
162+
1. **Verify connected accounts.** If the user reuses passwords across services, consider the credential compromised beyond your tenant. Advise the user to change passwords on other services where they use the same credential.
155163

156164
## Mitigate future risks
157165

docs/id-protection/howto-identity-protection-remediate-unblock.md

Lines changed: 4 additions & 4 deletions
@@ -221,14 +221,14 @@ If a user was deleted from the directory that had a risk present, that user stil
221221

222222
## Token theft related detections
223223

224-
With a recent update to our detection architecture, we no longer autoremediate sessions with MFA claims when a token theft related or the Microsoft Threat Intelligence Center (MSTIC) Nation State IP detection triggers during sign-in.
224+
With a recent update to our detection architecture, we no longer autoremediate sessions with MFA claims when a token theft related or the Verified threat actor IP detection triggers during sign-in.
225225

226-
The following ID Protection detections that identify suspicious token activity or the MSTIC Nation State IP detection are no longer auto-remediated:
226+
The following ID Protection detections that identify suspicious token activity or the Verified threat actor IP detection are no longer auto-remediated:
227227

228-
- Microsoft Entra threat intelligence
228+
- Microsoft Entra threat intelligence
229229
- Anomalous token
230230
- Attacker in the Middle
231-
- MSTIC Nation State IP
231+
- Verified threat actor IP
232232
- Token issuer anomaly 
233233

234234
ID Protection now surfaces session details in the Risk Detection Details pane for detections that emit sign-in data. This change ensures we don't close sessions containing detections where there's MFA-related risk. Providing session details with user-level risk details provides valuable information to assist with investigation. This information includes:
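Review bot: line 228 is shown as changed but the visible text "- Microsoft Entra threat intelligence" is identical on both sides, so this is presumably a trailing-whitespace fix; if so, line 232 ("- Token issuer anomaly ") still carries a trailing space and should get the same cleanup. The rename from "MSTIC Nation State IP" to "Verified threat actor IP" is applied consistently in all three places within this hunk (lines 224, 226 and 231).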
