Automatic user detection
During early access, users are added automatically when RAIDEN identifies them during detection polling. As soon as your M365 tenant is connected and RAIDEN begins processing audit log events, any user whose activity appears in the logs is added to your monitored users list with default settings. This means:- No manual setup required — connect M365 and users appear automatically
- New users are picked up on the next poll cycle — typically within 5 minutes
- Default risk level is Medium — you can adjust this per user at any time
- Only active users are added — dormant accounts that generate no audit log activity will not appear until they become active
Coming soon — Bulk import of users and groups from your M365 directory, so you can pre-populate your user list before the first detection cycle.
Manually adding a user
You can also add users manually before they generate any activity. This is useful for pre-populating high-priority users (e.g. executives, Global Admins) so their profiles are ready when detections begin.- Navigate to Users in the sidebar
- Click Add User in the top right
- Search for the user by name or email in the Search M365 Users field — this pulls directly from your connected M365 directory
- Select the user from the dropdown, or type their email manually
- Set the Risk Level — Low, Medium, High, or Critical
- Click Add User
User profile
Each monitored user has a profile showing:| Section | What it shows |
|---|---|
| Profile | Email, display name, risk level, monitoring status, last activity |
| Findings snapshot | Total findings, high+ severity count, new findings in the last 24 hours |
| Current location | Last known IP address, city, country, ASN |
| MFA devices | Number of registered MFA devices |
| Activity (7 days) | Total events, unique IPs, unique sessions, and top operations |
Removing a user
To stop monitoring a user:- Go to Users
- Find the user in the list
- Click the trash icon on their row
- Confirm the removal
If a removed user generates new M365 activity, they will be automatically re-added on the next poll cycle. To permanently exclude a user, use suppression rules on the relevant detections instead.
Risk levels
You can assign a risk level to each user to help prioritise your monitoring. Risk levels are informational and do not affect detection sensitivity.| Level | Suggested use |
|---|---|
| Critical | C-suite, Global Admins, privileged service accounts |
| High | IT admins, users with elevated permissions |
| Medium | Standard users (default) |
| Low | Shared mailboxes, service accounts with limited access |