How to Enable a Conditional Access Sign-In Risk Policy in Entra ID

Michael Abboud

Not every risky sign-in comes labeled with flashing red lights. Some look ordinary but carry telltale signs of compromise, impossible travel, unfamiliar devices, or atypical access patterns. Entra ID uses machine learning to evaluate these sessions and assign a sign-in risk level. By enforcing a conditional access policy for risky sign-ins, you turn those signals into automated protection.

Without it, suspicious logins might still waltz in unnoticed.

The Risk If Ignored

  • Suspicious logins succeed: Attackers with just a username and password may gain entry.

  • Account compromise: Stolen access can escalate quickly into lateral movement or data theft.

  • Invisible threats: Without enforcement, risky sessions are flagged but not stopped.

How to Implement

  1. Go to Entra ID Admin Center.

  2. Navigate: Security > Identity Protection.

  3. Select Sign-in risk policy.

  4. Configure the policy:

    • Users: Apply to all users (exclude only break-glass accounts).

    • Sign-in risk level: Select High (or Medium and above depending on tolerance).

    • Access controls: Block access.

  5. Save and enable the policy.

Commonly Overlooked Pitfalls

  • Licensing blind spot: Identity Protection requires the right licensing tier—no license, no risk-based signals.

  • Policy overlap: Running both user risk and sign-in risk policies without coordination can cause unexpected lockouts.

  • User lockout risk: Blocking without remediation paths (like password reset or MFA challenge) can lock legitimate users.

Steps to Strengthen Protection

  1. Use graduated responses

    • Instead of always blocking, consider policies that require a password reset or MFA re-prompt for medium risk sign-ins.

  2. Monitor risky sign-ins regularly

    • Review Security > Identity Protection > Risky sign-ins.

    • Track patterns eg: repeated risks from specific regions, apps, or accounts.

  3. Pair with user risk policies

    • Combine both user risk and sign-in risk conditional access for layered protection.

  4. Phase out exclusions

    • If certain accounts can’t be included immediately, set a plan to migrate them into scope.

Enabling a sign-in risk policy takes identity protection from passive to proactive. By automatically blocking or challenging suspicious sessions, you dramatically reduce the odds of attackers slipping through. Audit regularly, tune for usability, and remember: risk-based conditional access is only as strong as its coverage.

Related posts