This guide explains the ten essential Microsoft 365 security controls we recommend for charities to reduce cyber risk, improve governance and strengthen long-term resilience.

Control 5 of 10 Next Control >

What it is

Identity Protection is a Microsoft Entra ID security feature that continuously monitors user accounts and sign-in activity for indicators of compromise.

It analyses:

  • Sign-in risk
  • User risk
  • Unfamiliar locations
  • Anonymous IP addresses
  • Leaked credentials
  • Impossible travel activity

Based on these signals, Identity Protection can automatically require Multi-Factor Authentication, block access or force a password reset.

Why it matters

Cyber criminals increasingly target user identities rather than exploiting technical vulnerabilities.

If an attacker successfully steals a password, Identity Protection can detect unusual behaviour and prevent access before significant damage occurs.

For charities handling donor information, financial records and sensitive beneficiary data, detecting compromised identities early can prevent data breaches, fraud and reputational damage.

Common mistakes

  • Assuming MFA alone is sufficient.
  • Never reviewing risky users or sign-in reports.
  • Ignoring leaked credential alerts.
  • Leaving administrator accounts without enhanced protection.
  • Not integrating Identity Protection with Conditional Access.

Bunker's Recommended Approach

Identity Protection should work alongside Multi-Factor Authentication and Conditional Access to create a layered security strategy.

We recommend automatically requiring additional verification when Microsoft identifies elevated user or sign-in risk, while regularly reviewing alerts and investigating suspicious activity.

The goal is not simply detecting attacks—but stopping compromised accounts from accessing organisational data.

One of the biggest misconceptions we encounter is that enabling MFA completely eliminates account compromise. While MFA dramatically improves security, attackers continue to develop new techniques to bypass or exploit identities. Identity Protection provides another layer of defence by continuously monitoring for suspicious activity and responding automatically when risk is detected.

How We Helped a UK Charity Strengthen Identity Security

During a Microsoft 365 Security Review for a UK charity supporting over 90 employees and volunteers, we identified that administrator accounts relied solely on passwords and Multi-Factor Authentication, with no automated monitoring for risky sign-ins.

Working with the charity, we:

  • Enabled Microsoft Entra ID Identity Protection.
  • Configured user and sign-in risk policies.
  • Required automatic password resets for high-risk accounts.
  • Integrated Identity Protection with Conditional Access.
  • Introduced regular reviews of risky users and sign-in activity.

The charity now has greater visibility of suspicious authentication activity and can respond quickly to potential account compromise before it affects operations.

Ready to review your Microsoft 365 security?

Whether you're preparing for Cyber Essentials, reviewing your current IT provider or simply want to understand your Microsoft 365 security posture, we'll help you identify practical improvements that reduce risk and support your organisation's goals.

FAQ – Identity Protection

What is Identity Protection?

Identity Protection is a Microsoft Entra ID feature that detects compromised user accounts and risky sign-ins using Microsoft’s global threat intelligence. It automatically helps protect Microsoft 365 by responding to suspicious authentication activity.

How is Identity Protection different from Multi-Factor Authentication?

Multi-Factor Authentication verifies a user’s identity during sign-in. Identity Protection continuously monitors for suspicious activity before, during and after authentication, identifying compromised accounts and risky behaviour that may require additional action.

Can Identity Protection automatically block attackers?

Yes. Identity Protection can automatically require Multi-Factor Authentication, force password resets or block access when Microsoft detects elevated user or sign-in risk, depending on how policies are configured.

Which Microsoft licence is required?

Identity Protection requires Microsoft Entra ID P2 or Microsoft 365 E5 licensing. Some charities may already have access through their existing Microsoft subscriptions.

Should charities monitor risky sign-ins regularly?

Yes. Risk detections should be reviewed frequently or even better real-time with a 24/7 service to identify unusual authentication activity, investigate potential compromises and ensure security policies continue protecting your organisation effectively.

How can Bunker help?

Bunker helps UK charities configure Microsoft Entra ID Identity Protection, integrate it with Conditional Access and Multi-Factor Authentication, and monitor identity risks as part of a wider Microsoft 365 Security Review.

You’re halfway through the Bunker Microsoft 365 Security Framework. Continue exploring the remaining controls to build a comprehensive Microsoft 365 security strategy for your charity.

Bunker Technical Solutions Cyber Security Team | Last reviewed: July 2026

Control 5 of 10 Email Security for UK Charities >
Logo
Helping you Build Secure, Future-Ready Technology

If you're reviewing your current MSP, concerned with cyber security or preparing your organisation for AI.