How to Leverage Microsoft Entra Conditional Access Policies to Stop Risky User Sign-ins

One of the challenges of securing your cloud applications is to detect and prevent unauthorized or malicious sign-in attempts. These attempts may come from hackers who have obtained leaked credentials, compromised devices, or anonymized IP addresses. They may also come from legitimate users who are traveling to unusual locations or using unfamiliar devices. In either case, you want to have a way to identify these risky user sign-ins and take appropriate actions to protect your organization.

High-risk Sign-ins

Fortunately, Microsoft Entra (formerly known as Azure Active Directory) provides a feature called Identity Protection that can help you with this task. Identity Protection is a service that collects and analyzes trillions of signals from user sign-in behaviors such as:

• Sign in from an anonymous IP address
• Sign in from a malicious IP address
• Sign in from a verified threat actor IP
• Sign in from an unfamiliar location
• Sign in from a device or browser that is not typically used by the user
• Sign in with atypical travel patterns
• Sign in with a password spray attack

Sign-in risk can be low, medium, or high, depending on the level of confidence that the sign-in was legitimate.

You can use these risk levels to configure policies that automatically respond to risky sign-ins, such as blocking access, requiring multi-factor authentication (MFA), or prompting for password change.

In this blog post, I will show you how to set up a sign-in risk policy and a risky user policy in Microsoft Entra that will block access for high-risk sign-ins and high-risk users. These policies will apply to all users in your organization and will prevent them from signing in if their sign-in attempt is deemed highly risky by Identity Protection. These policies will work as an extra layer of protection on top of your existing conditional access policies.

To set up a sign-in risk or a risky user policy, at minimum you need to have a Microsoft Entra ID P2 (previously named Azure AD Premium P2) license or a trial license enabled. If you intend to leave these policies in place, then you would need a Microsoft Entra ID P2 license for every person that would benefit from the policies. This is typically all users that can sign in. You also need to have an account with Global Administrator privileges and Microsoft Entra configured for self-service password reset and MFA.

How to make a Conditional Access Policy to block high-risk sign-ins

1. Log in to the Microsoft 365 admin center as a Global Administrator.
2. Go to Admin centers and click on Identity.
3. Select Protection then Conditional Access.
4. Create a new policy by selecting Create new policy.
5. Give the policy a name, such as “Block high risk sign-ins.”
6. Under Assignments, select Users and groups.
7. Under Include, select All users.
8. Under Exclude, select any break-glass accounts that you want to exclude from the policy. These are accounts that have emergency access privileges and should not be blocked by the policy.
9. Under Target resources, include All cloud apps.
10. Under Conditions, select Sign-in risk.
    1. Note: if you do not have Microsoft Entra ID P2 licensing in your tenant, this option will not be available.
11. Under Configure, select Yes.
12. Under Select the sign-in risk level to include in this policy, select High.
13. Under Access controls, select Grant.
14. Under Grant access, select Block access.
15. Under Enable policy, select On.
16. Select Create to save the policy.

You have now created a sign-in risk policy that blocks access for high-risk sign-ins. You can test the policy by signing in with a user account that triggers a high-risk detection, such as using an anonymous IP address.

High-risk Users

High-risk users are a different metric also measured by Microsoft Entra Identity Protection. The difference between a high-risk sign-in and a high-risk user is that a high-risk sign-in is a single event that indicates a possible compromise of the user’s credentials, while a high-risk user is a state that indicates a persistent or repeated compromise of the user’s account. A high-risk sign-in can contribute to the overall user risk score, which determines the user risk level. High-risk users can have multiple high-risk sign-ins, or just one high-risk sign-in that is very severe.

A high-risk user can also be triggered by other factors, such as:

• User with leaked credentials
• User with suspicious inbox manipulation or forwarding rules
• User with possible attempt to access Primary Refresh Token (PRT)
• User with anomalous user activity
• User reported as suspicious by the administrator or themselves

Next, I will show you how to set up a sign-in risk policy in Microsoft Entra that blocks access for high-risk users.

How to make a Conditional Access policy to block high-risk users

1. Log in to the Microsoft 365 admin center as a Global Administrator.
2. Go to Admin centers and click on Identity.
3. Select Protection then Conditional Access.
4. Create a new policy by selecting Create new policy.
5. Give the policy a name, such as “Block high-risk users”.
6. Under Assignments, select Users and groups.
7. Under Include, select All users.
8. Under Exclude, select any break-glass accounts that you want to exclude from the policy. These are accounts that have emergency access privileges and should not be blocked by the policy.
9. Under Target resources, include All cloud apps.
10. Under Conditions, select User risk.
    1. Note: if you do not have Microsoft Entra ID P2 licensing in your tenant, this option will not be available.
11. Under Configure, select Yes.
12. Under Select the user risk level to include in this policy, select High.
13. Under Access controls, select Grant.
14. Under Grant access, select Block access.
15. Under Enable policy, select On.
16. Select Create to save the policy.

Monitoring These Policies

You can also monitor the policy’s impact by reviewing sign-in logs and the reports generated by Identity Protection, such as Risky users, Risky workload identities, Risky sign-ins, and Risk detections.

To find these reports:

1. Log in to the Microsoft 365 admin center as a Global Administrator.
2. Go to Admin centers and click on Identity.
3. Select Protection then Ricky activities.
4. Click on the report you want to view in the Report section (Risky users, Ricky workload identities, Ricky sign-ins, or Risk detections).

By using Microsoft Entra Conditional Access policies based on sign-in risk, you can enhance the security of your cloud applications and protect your organization from unauthorized or malicious sign-in attempts.

Have any questions about identifying and preventing risky sign-ins? Please reach out to our experts at any time!