Hi @ShallowCopy
I understand that your company received an alert that a user exceeded the file download limit (total was 58/min). Upon investigating the alert in Defender, the user ID is displaying as "urn:spo:anon#46b4476bd6f17a9622678ef53b2748cccfac0a30356a4a64ef9eecf9049507dd".
You checked the admin portal and could not find such a user. Also, you checked the sign-in logs for the IP address that was listed for the user and no such sign-ins were recorded.
The risk reports are found in the Microsoft Entra admin center under ID Protection. You can navigate directly to the reports or view a summary of important insights in the dashboard view and navigate to the corresponding reports from there. To view and investigate risky users, navigate to the Risky users report and use the filters to manage the results. There's an option at the top of the page to add other columns such as risk level, status, and risk detail.
With the information provided by the Risky users report, administrators can view:
- User risk that was remediated, dismissed, or is still currently at risk and needs investigation
- Details about detections
- Risky sign-ins associated to a given user
- Risk history
Follow the document for more information: https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk#how-to-investigate-risky-users
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click `Accept Answer` and `Yes`.