Threat Alerts
Your regular scans give you a point-in-time picture of how your tenant is configured. Threat Alerts is different: it shows you what is happening right now. It pulls the current identity risk signals from your Microsoft 365 tenant and presents them in one place, so you can spot a compromised account and act on it without leaving Aether365.
Threat Alerts uses your AI Pilot connection. It is read-only for viewing, and it adds a one-click way to contain a risky user when you need to respond fast.
Requires an AI Pilot connection
Threat Alerts reads live risk signals through the AI Pilot connection. If you have not set one up yet, see AI Pilot for how to connect it. Your read-only scanning connection on its own does not power Threat Alerts.
What Threat Alerts shows
The Threat Alerts page is organized into three sources. Each one answers a different question about identity risk in your tenant.
Risky users
The people in your tenant whose accounts Microsoft currently considers at risk. For each user you see who they are, their current risk level, and why they are flagged. This is the fastest way to find an account that may be compromised and decide whether to contain it.
Risk detections
The individual risk signals behind those users: things like sign-ins from unfamiliar locations, anonymous IP addresses, leaked credentials, or impossible-travel patterns. Where a user-level view tells you "this account looks risky," risk detections tell you what specifically triggered that conclusion.
Needs Microsoft Entra ID P2
Risk detections come from Microsoft Entra ID Protection, which requires a Microsoft Entra ID P2 license. If your tenant is not licensed for it, this source shows a "Not available yet" note instead of data. See Licensing and the "Not available yet" note below.
Security alerts
Higher-level security alerts raised for your tenant: suspicious activity that has been correlated into an alert worth a closer look. These give you the broader security picture alongside the identity-specific signals.
Needs Microsoft Defender
Security alerts come from Microsoft Defender. If your tenant does not have a Microsoft Defender plan that produces these alerts, this source shows a "Not available yet" note instead of data.
Threat Alerts is read-only for viewing
Viewing Threat Alerts never changes anything in your tenant. It reads the current risk state and displays it. The one action that does make a change is the breach response described below, and it only runs when you explicitly trigger it on a specific user.
Breach response: contain a risky user in one click
When you find an account that is compromised or behaving suspiciously, you can contain it directly from the Risky users list. Containing a user does two things at once:
- Revokes the user's active sessions, so any signed-in attacker is forced back to a fresh sign-in.
- Disables the account, so no new sign-in can succeed until you re-enable it.
Together this cuts off an attacker's access quickly while you investigate.
To contain a user:
- Open Threat Alerts from the sidebar.
- In the Risky users list, find the account you want to contain.
- Click Contain on that user and confirm.
- Aether365 revokes the user's sessions and disables the account through your AI Pilot connection.
Containing is reversible
Disabling an account does not delete it. Once you have investigated and the account is safe, you can re-enable it from the Microsoft Entra admin center. Contain first, investigate second: it is far easier to re-enable a clean account than to recover from an active intrusion.
Because breach response writes to your tenant, it relies on the AI Pilot write connection. If a tenant only has a read-only scanning connection, the source data may still appear, but containing a user is not available until AI Pilot is connected.
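An added example (not Aether365's own code): a Python check that both containment effects described above are visible on the user object after you click Contain. It assumes the session revocation is performed with Microsoft Graph's revokeSignInSessions action, which resets the user's signInSessionsValidFromDateTime property; the sample records, the CONTAINED_AT log and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data shaped like Microsoft Graph responses (not real tenant output).
RISKY_USERS = [  # shape of GET /identityProtection/riskyUsers
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "riskLevel": "high", "riskState": "atRisk"},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "riskLevel": "medium", "riskState": "confirmedCompromised"},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "riskLevel": "low", "riskState": "remediated"},
]
USERS = {  # shape of GET /users/{id}?$select=accountEnabled,signInSessionsValidFromDateTime
    "u1": {"accountEnabled": False, "signInSessionsValidFromDateTime": "2024-05-01T10:02:11Z"},
    "u2": {"accountEnabled": False, "signInSessionsValidFromDateTime": "2024-04-20T08:00:00Z"},
    "u3": {"accountEnabled": True, "signInSessionsValidFromDateTime": "2024-03-01T00:00:00Z"},
}
# Hypothetical operator log: when Contain was clicked for each user id.
CONTAINED_AT = {"u1": "2024-05-01T10:02:05Z", "u2": "2024-05-01T10:03:00Z"}

def parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2024-05-01T10:02:11Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def containment_gaps(user, contained_at, skew=timedelta(seconds=30)):
    """Return the containment effects that are NOT visible on the user object."""
    gaps = []
    if user.get("accountEnabled") is not False:
        gaps.append("account still enabled")
    valid_from = user.get("signInSessionsValidFromDateTime")
    # Assumption: a revocation resets this property to roughly the containment time.
    if valid_from is None or parse_ts(valid_from) < parse_ts(contained_at) - skew:
        gaps.append("sessions not revoked since containment")
    return gaps

def audit(risky_users, users, contained_at):
    """Map each still-risky user to its containment gaps (empty list = fully contained)."""
    report = {}
    for ru in risky_users:
        if ru["riskState"] not in ("atRisk", "confirmedCompromised"):
            continue  # remediated, dismissed or confirmed-safe users need no containment
        when = contained_at.get(ru["id"])
        if when is None:
            report[ru["userPrincipalName"]] = ["never contained"]
        else:
            report[ru["userPrincipalName"]] = containment_gaps(users[ru["id"]], when)
    return report

if __name__ == "__main__":
    for upn, gaps in audit(RISKY_USERS, USERS, CONTAINED_AT).items():
        print(upn, "OK" if not gaps else "; ".join(gaps))
```

Session revocation invalidates refresh tokens and browser session cookies; access tokens that were already issued stay valid until they expire, so review the account's recent activity even when both checks pass.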
Licensing and the "Not available yet" note
Threat Alerts surfaces whatever Microsoft signals your tenant is licensed to produce. Sources that depend on a license you do not have show a clear "Not available yet" note instead of empty or misleading data:
| Source | Needs | If not licensed |
|---|---|---|
| Risky users | Identity risk signals | Shown when available |
| Risk detections | Microsoft Entra ID P2 | "Not available yet" note |
| Security alerts | Microsoft Defender | "Not available yet" note |
The note is informational, not an error. It means the source is ready to light up the moment the tenant gains the right license, with no extra setup on your side. The sources you are licensed for keep working as normal regardless.
Related
- AI Pilot - the write connection that powers Threat Alerts and breach response
- Policy Management - review and harden your tenant's security policies
- Connect a Tenant - setting up your connections
- Security Model - read-only default and optional write access