---
title: Risk Scoring
category: Intelligence
tags: [risk, scoring, analytics, security, anomaly]
priority: Normal
---
Risk Scoring
IdentityCenter assigns a risk score to every identity in your environment. Risk scores quantify the security exposure associated with each account, enabling you to prioritize remediation, target access reviews, and automate policy enforcement based on data-driven risk assessment.
Risk Score Range
Risk scores are calculated on a 0 to 100 scale:
| Score Range | Risk Level | Description | Recommended Action |
|---|---|---|---|
| 0 - 25 | Low | Normal access patterns, no significant risk indicators | Standard monitoring |
| 26 - 50 | Medium | Some elevated risk factors present | Include in periodic reviews |
| 51 - 75 | High | Significant risk indicators detected | Prioritize for immediate review |
| 76 - 100 | Critical | Severe risk exposure requiring urgent attention | Investigate and remediate immediately |
The Four Risk Dimensions
The RiskScoringEngine (in the RiskEngine project) computes a composite score from four independent risk dimensions. Each dimension evaluates a different aspect of an identity's security posture.
1. Access Risk
Access Risk measures the level of privilege and breadth of permissions an identity holds.
| Factor | Weight | Description |
|---|---|---|
| Privileged Group Membership | High | Membership in Domain Admins, Enterprise Admins, Schema Admins, and other administrative groups |
| Total Group Count | Medium | The raw number of group memberships -- more groups mean broader access |
| Admin Account Status | High | Whether the account has any administrative role or flag |
| Sensitive Permission Levels | Medium | Access to high-value resources (e.g., file shares, databases, applications) |
| Service Account Privileges | Medium | Elevated privileges on service accounts (SPNs, delegation) |
Example: A user who is a member of Domain Admins with 142 group memberships scores significantly higher than a standard user with 8 group memberships.
2. Behavior Risk
Behavior Risk assesses how an identity's activity patterns compare to expected baselines.
| Factor | Weight | Description |
|---|---|---|
| Login Patterns | High | Unusual login times, frequency, or locations |
| Anomalous Activity | High | Activity that deviates significantly from the user's historical baseline |
| Unusual Access Times | Medium | Authentication events outside the user's normal working hours |
| Login Frequency Changes | Medium | Sudden increase or decrease in login activity |
| Authentication Failures | Low | Repeated failed authentication attempts |
Example: A user who typically logs in Monday-Friday 8AM-6PM but suddenly shows authentication at 3AM on a Saturday receives an elevated behavior risk score.
3. Compliance Risk
Compliance Risk evaluates an identity's standing against your organization's policies and audit requirements.
| Factor | Weight | Description |
|---|---|---|
| Active Policy Violations | High | Current unresolved violations across all policies |
| Violation Severity | High | The severity level of open violations (Critical > High > Medium > Low) |
| Audit Findings | Medium | Unresolved findings from access reviews or compliance audits |
| Overdue Reviews | Medium | Access reviews that are past their SLA deadline |
| Violation History | Low | Historical pattern of past violations (recurrence) |
Example: An account with 3 open Critical violations and 2 overdue access reviews scores higher than one with a single Medium violation that was resolved promptly.
4. Anomaly Risk
Anomaly Risk uses statistical analysis and peer group comparison to identify outliers.
| Factor | Weight | Description |
|---|---|---|
| Peer Group Deviation | High | Access levels significantly different from peers in the same role/department |
| Behavioral Anomalies | High | Actions that deviate from the user's established behavioral patterns |
| Statistical Outliers | Medium | Metrics (group count, login frequency) that fall outside normal distribution |
| Access Accumulation | Medium | Gradual privilege creep over time without corresponding role changes |
Example: A Marketing Manager with 45 group memberships, when the average for Marketing Managers is 8, is flagged with a high anomaly risk due to peer group deviation.
Composite Score Calculation
The RiskScoringEngine combines the four dimensions using a weighted formula:
| Dimension | Default Weight |
|---|---|
| Access Risk | 30% |
| Behavior Risk | 25% |
| Compliance Risk | 25% |
| Anomaly Risk | 20% |
The composite score is calculated as:
```
Composite Score = (Access Risk x 0.30) + (Behavior Risk x 0.25)
                + (Compliance Risk x 0.25) + (Anomaly Risk x 0.20)
```
Administrators can adjust these weights in the Intelligence settings to reflect organizational priorities. For example, a heavily regulated environment might increase Compliance Risk weight to 35%.
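The weighted formula above, worked through for one identity under the default weights and under the "heavily regulated" tuning this page suggests. This is an added illustration, not the RiskScoringEngine's own code; weights are written in percent as in the tables, and normalising them by their total is an assumption (the page does not say whether the engine requires the four weights to sum to exactly 100%).

```python
# Added illustration of the composite formula; not IdentityCenter's RiskScoringEngine code.
# Weights are in percent, as in the tables above, and are normalised by their total
# (assumption: the page does not say whether the engine requires them to sum to 100%).
DEFAULT_WEIGHTS = {"access": 30, "behavior": 25, "compliance": 25, "anomaly": 20}
# Band upper bounds from the Risk Score Range table
RISK_BANDS = ((25, "Low"), (50, "Medium"), (75, "High"), (100, "Critical"))

# The "heavily regulated" tuning suggested on this page (Compliance 35%, Behavior 20%)
REGULATED_WEIGHTS = {"access": 30, "behavior": 20, "compliance": 35, "anomaly": 20}

# Constructed sub-scores: modest access, quiet behaviour, but open Critical violations
EXAMPLE_SUB_SCORES = {"access": 40, "behavior": 20, "compliance": 100, "anomaly": 20}


def composite_score(sub_scores, weights=DEFAULT_WEIGHTS):
    """Weighted average of the four 0-100 sub-scores, rounded to a whole number."""
    expected = set(DEFAULT_WEIGHTS)
    if set(sub_scores) != expected or set(weights) != expected:
        raise ValueError("expected exactly: access, behavior, compliance, anomaly")
    for name, value in sub_scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} sub-score {value} is outside 0-100")
    if any(w < 0 for w in weights.values()) or sum(weights.values()) <= 0:
        raise ValueError("weights must be non-negative and not all zero")
    weighted = sum(sub_scores[name] * weights[name] for name in weights)
    return round(weighted / sum(weights.values()))


def risk_level(score):
    """Map a 0-100 composite score to the Low/Medium/High/Critical band."""
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside 0-100")


def score_identity(sub_scores, weights=DEFAULT_WEIGHTS):
    """Return (composite score, risk level) for one identity."""
    score = composite_score(sub_scores, weights)
    return score, risk_level(score)


if __name__ == "__main__":
    for label, weights in (("default", DEFAULT_WEIGHTS), ("regulated", REGULATED_WEIGHTS)):
        print(f"{label:>9}: {score_identity(EXAMPLE_SUB_SCORES, weights)}")
```

With the same sub-scores, the regulated weighting moves the identity from Medium (46) to High (52), which is the kind of band shift to check for before changing weights in production.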
The UserRiskScore Model
Risk scores are persisted in the UserRiskScore model, which tracks scores over time:
| Field | Description |
|---|---|
| IdentityId | The identity this score belongs to |
| CompositeScore | The overall 0-100 risk score |
| AccessRiskScore | Access dimension sub-score |
| BehaviorRiskScore | Behavior dimension sub-score |
| ComplianceRiskScore | Compliance dimension sub-score |
| AnomalyRiskScore | Anomaly dimension sub-score |
| CalculatedAt | Timestamp of the most recent calculation |
| PreviousScore | The prior composite score (for trend analysis) |
Score history is retained, allowing you to visualize risk trends over time and identify whether an identity's risk is increasing, decreasing, or stable.
PeerGroupAnalyzer
The PeerGroupAnalyzer compares each identity's access patterns to their peers. Peers are determined by:
- Department -- Users in the same department
- Job Title -- Users with the same or similar job title
- Manager -- Users reporting to the same manager
- Location -- Users in the same office or site
The analyzer calculates a deviation score for each identity based on how much their access differs from the peer group median. Significant deviations (more than 1.5 standard deviations from the peer group median) are flagged as anomalies.
Peer Comparison Example
Identity: Jane Doe (Marketing Manager)
Peer Group: Marketing Managers (15 members)
| Metric | Jane Doe | Peer Median | Deviation | Flag |
|---|---|---|---|---|
| Group Memberships | 45 | 8 | +462% | ANOMALY |
| Application Access | 5 | 5 | 0% | |
| Shared Drive Access | 12 | 6 | +100% | REVIEW |
| Admin Rights | 0 | 0 | 0% | |
Recommendation: Review 37 excess group memberships
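The peer comparison above, reproduced as an added example that is not IdentityCenter's PeerGroupAnalyzer code. The peer values are constructed; the ANOMALY rule (more than 1.5 standard deviations from the peer median) comes from this page, while the softer REVIEW flag (50% or more from the median without being a statistical anomaly) and leaving the subject out of her own baseline are assumptions.

```python
# Added illustration of the peer-group deviation check; not IdentityCenter's code.
# ANOMALY rule is from the page; REVIEW threshold and the constructed peers are assumptions.
from statistics import median, stdev

ANOMALY_SIGMAS = 1.5
REVIEW_PCT = 50  # assumed threshold for the "[REVIEW]" flag

# Constructed metrics for the other Marketing Managers; the subject is left out of her
# own baseline so that an outlier cannot drag the median towards itself.
PEERS = {
    "Group Memberships": [6, 7, 7, 8, 8, 8, 8, 8, 9, 9, 9, 10, 10, 11, 12],
    "Application Access": [4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 6, 6, 6, 7, 7],
    "Shared Drive Access": [1, 1, 2, 3, 4, 5, 6, 6, 7, 8, 9, 11, 13, 15, 17],
    "Admin Rights": [0] * 15,
}
JANE = {"Group Memberships": 45, "Application Access": 5,
        "Shared Drive Access": 12, "Admin Rights": 0}

def deviation_pct(value, peer_median):
    """Percent difference from the peer median; None when the median is 0 and value is not."""
    if peer_median == 0:
        return 0 if value == 0 else None
    return round(100 * (value - peer_median) / peer_median)

def classify(value, peers):
    """Return (peer median, deviation %, flag) for one metric."""
    m = median(peers)
    sd = stdev(peers) if len(peers) > 1 else 0.0
    pct = deviation_pct(value, m)
    distance = abs(value - m)
    # Uniform peers (sd == 0): any difference at all stands out
    anomalous = distance > 0 if sd == 0 else distance > ANOMALY_SIGMAS * sd
    if anomalous:
        flag = "ANOMALY"
    elif pct is None or abs(pct) >= REVIEW_PCT:
        flag = "REVIEW"
    else:
        flag = ""
    return m, pct, flag

def analyze(identity, peers):
    """Classify every metric of one identity against its peer group."""
    return {name: classify(value, peers[name]) for name, value in identity.items()}

def excess_groups(identity, peers):
    """Memberships above the peer median, the number the recommendation above cites."""
    return max(0, identity["Group Memberships"] - median(peers["Group Memberships"]))
```

Note that a metric with uniform peers (all zeros for Admin Rights) has a standard deviation of 0, so the z-score rule alone would divide by nothing; the code treats any difference from such a baseline as an anomaly, which is the conservative choice for admin rights.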
Using Risk Scores
In Access Reviews
Risk scores are displayed alongside each identity during access review campaigns. Reviewers can:
- Sort review items by risk score (highest first)
- Filter to show only High and Critical risk identities
- Use risk context to make informed approve/revoke decisions
In Policy Enforcement
Create policies that trigger based on risk thresholds:
- Require multi-factor authentication for identities with risk score >50
- Auto-flag accounts with risk score >75 for immediate review
- Restrict self-service operations for Critical-risk accounts
In the Directory Browser
When viewing objects in the Directory Browser, risk scores are displayed as color-coded badges:
- Green (0-25): Low risk
- Yellow (26-50): Medium risk
- Orange (51-75): High risk
- Red (76-100): Critical risk
In ChatHub
Use the /insights command to view risk scores and breakdowns:
```
/insights john.smith
```
Or ask in natural language:
- What is the risk score for john.smith?
- Show me all high-risk users
- Who are the riskiest identities in my environment?
See ChatHub Slash Commands Reference for more query options.
In Workflow Triggers
Risk scores can trigger automated workflows:
- Notify the security team when any identity crosses the Critical threshold
- Initiate an access review when an identity's risk increases by more than 20 points
- Disable accounts automatically when risk score reaches 95+ (with appropriate approval workflow)
Tuning Risk Scores
Adjusting Dimension Weights
Navigate to Intelligence Settings to modify the default weights for each risk dimension. Consider your organization's priorities:
| Scenario | Recommended Adjustment |
|---|---|
| Heavily regulated industry | Increase Compliance Risk to 35%, reduce Behavior Risk to 20% |
| High-security environment | Increase Access Risk to 35%, increase Anomaly Risk to 25% |
| Post-breach investigation | Increase Behavior Risk to 35% |
Reducing False Positives
If too many identities are flagged as High or Critical risk:
- Review the peer group definitions -- ensure departments and titles are accurate in your directory
- Adjust inactivity thresholds -- if your environment has seasonal users, extend the inactive period
- Exclude known service accounts from behavioral analysis
- Refine the anomaly detection sensitivity in Intelligence settings
Next Steps
- Contextual Insights -- AI-powered analysis of individual objects
- AI Intelligence Training -- Train the AI on your environment's patterns
- Intelligence Hub Overview -- Broader view of the analytics engine
- ChatHub Slash Commands Reference -- Query risk scores through chat
- Access Reviews Overview -- Use risk scores to prioritize reviews
- Security Hardening -- Protect your IdentityCenter deployment