Risky User/Risky Behavior Detection

An Additional Cyber Security Protection Worth Mentioning
A few months back I wrote on the top 10 Cyber Security protections you need (see https://www.spotlink.com/blog/top-10-cyber-security-protections/).  But one that didn’t make the list has come up as important recently, so I wanted to give you a quick look at this protection, what it does, and how it can save you from some real pain.

Risky User/Risky Behavior detection is one feature of the Microsoft 365 Entra ID Plan 2 subscription.  This capability will not only warn you when unusual actions are detected, but will also act on them, allowing you to increase your security protections.

Type of Detections
This Microsoft 365 feature has several different Risky User/Behavior detections.  Probably the most obvious one is called “impossible travel”.  This is when a user logs into their systems from 2 different locations that are impossible to travel between in the time between logins.  For example, if someone logs onto a computer in LA, and then an hour later logs onto a computer in London, that’s impossible travel.  The feature flags this event and notifies the site administrator.
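
The impossible-travel idea above, sketched as an added example (not code from this post, and not Microsoft's actual detection logic). The sign-in records are constructed, and the 900 km/h speed limit and 50 km minimum distance are assumed thresholds chosen for illustration:

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900   # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 50  # assumed floor so small IP-geolocation errors are ignored

# Constructed sample sign-ins: (user, UTC time, city, latitude, longitude)
SIGN_INS = [
    ("alice", "2025-03-01T09:00:00", "Los Angeles", 34.05, -118.24),
    ("bob",   "2025-03-01T09:05:00", "Los Angeles", 34.05, -118.24),
    ("alice", "2025-03-01T10:00:00", "London",      51.51,   -0.13),
    ("bob",   "2025-03-01T11:30:00", "San Diego",   32.72, -117.16),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(sign_ins, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert for each pair of consecutive sign-ins by the same
    user whose implied travel speed exceeds max_speed_kmh."""
    alerts = []
    last_seen = {}  # user -> (time, city, lat, lon) of the previous sign-in
    for user, ts, city, lat, lon in sorted(sign_ins, key=lambda s: s[1]):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            p_when, p_city, p_lat, p_lon = last_seen[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Edge case: simultaneous sign-ins from two places have zero
            # elapsed time, so any real distance counts as impossible.
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_DISTANCE_KM and speed > max_speed_kmh:
                alerts.append({"user": user, "from": p_city, "to": city,
                               "km": round(km), "hours": hours})
        last_seen[user] = (when, city, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print(alert)
```

Only the LA-to-London pair is flagged; the LA-to-San Diego pair implies an ordinary driving speed and passes.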

Another important one is if there is an anomaly with the security token. A security token is a data object passed between the computer and Microsoft indicating a valid user.  But in some situations, this token can be intercepted (this is how cyber criminals get around Multifactor Authentication, aka MFA).  Microsoft can detect this and alert the administrator when it happens.

These are only 2 of several risk detections.  There are more than a dozen others, such as access from an anonymous or malicious IP address, logging in from a new country, suspicious browser, unfamiliar sign-in properties, etc.

Active Response
One of the most important capabilities of the Risky User/Risky Behavior feature, beyond detecting and alerting, is taking immediate action on what it observes.  While the default setting is to take no action, you can configure what happens when the various risks are detected.  These actions can increase the frequency of MFA prompts (resetting the security token), immediately request MFA authentication, or even lock the user out until the 365 administrators investigate the situation and implement any needed remediations.

How This Can Help You Sleep Better
Cyber criminals are often very stealthy.  If they compromise an account, they often lie in wait, looking at email correspondence and gathering intel until they can strike for the big payout, often downloading internal documentation and data as they stalk their victim.  Data shows that, on average, they are in a system for over 200 days before they are detected or take action. In many cases, Risky User/Risky Behavior detection can detect an anomaly at the very beginning, allowing your cybersecurity administrators to take immediate action to purge them from the system before they do damage, or even prevent them from being able to access your systems in the first place.

The Price of Comfort
Microsoft 365 Entra ID Plan 2, which includes Risky User/Risky Behavior as one of its many features, runs $9 per user per month if you purchase it on an annual plan, $10.80 per month on a month-to-month basis, putting it at the higher end of the Entra ID add-ons.  Unfortunately, while it is a superset of the Microsoft 365 Entra ID Plan 1, there is no upgrade path.  So, if you have Microsoft 365 Entra ID Plan 1, as many businesses do, you either have to wait for your Microsoft 365 Entra ID Plan 1 to term out, or double pay while they overlap.

Need Help Implementing this?
As a Managed Security Services Provider (MSSP), SpotLink has extensive experience in implementing, managing, monitoring and maintaining cyber security for businesses, and we can implement this protection for your business. To learn more or get help, contact us at:

📧 [email protected]
📞  +1-855-SPOTLINK (855-776-8546)

Robert Hood
CEO & Founder
SpotLink®

Author’s Note: I write my own blogs. That’s unusual. Blogs are often authored by a service and then reposted, especially in IT, or written by AI from a few key words. Instead, I choose the topics that might be of most interest to our clients and write to them – to you – directly. While it does take a little more time to write my own content, it does mean that we are well versed in the subjects I send to you. So, please always feel free to reach out to me if you have any questions or comments about anything I write, including any topics you’d like to learn more about. Thank you. – Robert Hood.

Copyright 2026 SpotLink®
