Entra ID Protection – Free Leaked Credential Detections


Microsoft are offering Free Leaked Credential Detection reports for all licenses including the free version of Entra ID. In this post, I’ll take you through how to access the leaked credential detection logs from the Entra ID portal.

What are Leaked Credentials in Azure?
When cybercriminals compromise the valid passwords of legitimate users, they often share or sell the credentials by posting them publicly on the dark web or on paste sites. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they’re checked against Microsoft Entra users’ current valid credentials to find valid matches. If a match is found, a service called Entra ID Identity Protection can be configured to let users self-remediate the security risk by forcing them through a password reset, or you could block access. I don’t intend to go into what Identity Protection has to offer, but you can find out more at the following link: What is Identity Protection

What license is required to use Identity Protection?
To make use of all capabilities of Identity Protection, including allowing the user to self-remediate, Entra ID P2 or Microsoft 365 E5 licenses are required. However, Microsoft are now providing leaked credential detection reports for free, and the purpose of this post is to show you where these logs can be accessed.

Password Hash Synchronisation
To benefit from leaked credential detections, Password Hash Synchronisation must be enabled. For more information on the different authentication methods, including Password Hash Synchronisation, see the following link: Authentication for Microsoft Entra hybrid identity solutions

Entra ID Protection Free Leaked Credential Detections

Back to the purpose of this post, Microsoft are allowing the capability to check if any leaked credentials were detected without any license requirements. Yes, leaked credential detection reports are free to access. If leaked credentials are detected, the compromised user accounts will be written to Azure logs allowing your administrators to take action.

To access these logs:

  1. Log in to Entra ID via entra.microsoft.com
  2. Expand Protection from the left pane and click Identity Protection
  3. Click Risk detections
  4. Click Detection type, select Leaked credentials and click Apply

If any leaked credentials have been detected, they would be logged here.
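Without a P2 license there is no self-remediation, so the detections found above have to be worked through by an administrator. The following Python script is an added example, not part of the original post: it takes risk detection records, keeps only leaked credential detections that are still open, and produces one line per user who needs a password reset. The field names assume the shape of the Microsoft Graph riskDetection resource, the sample records are constructed, and treating `atRisk` and `confirmedCompromised` as "open" is this example's own choice.

```python
import json
from datetime import datetime

# Constructed sample records. Field names assume the Microsoft Graph
# riskDetection resource shape; they are not taken from the original post.
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials",
  "riskState": "atRisk", "detectedDateTime": "2024-03-02T08:15:00Z"},
 {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials",
  "riskState": "atRisk", "detectedDateTime": "2024-03-09T11:40:00Z"},
 {"userPrincipalName": "bob@contoso.example", "riskEventType": "leakedCredentials",
  "riskState": "remediated", "detectedDateTime": "2024-03-05T17:02:00Z"},
 {"userPrincipalName": "carol@contoso.example", "riskEventType": "unfamiliarFeatures",
  "riskState": "atRisk", "detectedDateTime": "2024-03-06T09:30:00Z"},
 {"userPrincipalName": "Dave@contoso.example", "riskEventType": "leakedCredentials",
  "riskState": "confirmedCompromised", "detectedDateTime": "2024-03-01T21:55:00Z"}
]""")

# Assumption of this example: these states mean nobody has dealt with the risk yet.
OPEN_STATES = {"atRisk", "confirmedCompromised"}


def parse_ts(value):
    # The sample timestamps are ISO 8601 UTC with a trailing "Z" and whole seconds.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def users_needing_reset(detections):
    """Return [(upn, latest_detection, count)] for open leaked credential
    detections, one row per user, most recent detection first."""
    per_user = {}
    for d in detections:
        if d.get("riskEventType") != "leakedCredentials":
            continue  # other detection types are out of scope here
        if d.get("riskState") not in OPEN_STATES:
            continue  # already remediated, dismissed or confirmed safe
        upn = d["userPrincipalName"].lower()  # UPNs are case-insensitive
        ts = parse_ts(d["detectedDateTime"])
        latest, count = per_user.get(upn, (ts, 0))
        per_user[upn] = (max(latest, ts), count + 1)
    rows = [(upn, latest, count) for upn, (latest, count) in per_user.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for upn, latest, count in users_needing_reset(SAMPLE):
        print(f"{upn}\t{latest.isoformat()}\t{count} detection(s)")
```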

As per the table below from Microsoft, leaked credential detections are accessible for free and are no longer a premium license feature.

Source: What are risks in Microsoft Entra ID Protection

That’s it. See you at the next post.