Not every risky sign-in comes labeled with flashing red lights. Some look ordinary but carry telltale signs of compromise: impossible travel, unfamiliar devices, or atypical access patterns. Entra ID uses machine learning to evaluate these sessions and assign a sign-in risk level. By enforcing a conditional access policy for risky sign-ins, you turn those signals into automated protection.
Without it, suspicious logins might still waltz in unnoticed.
Suspicious logins succeed: Attackers with just a username and password may gain entry.
Account compromise: Stolen access can escalate quickly into lateral movement or data theft.
Invisible threats: Without enforcement, risky sessions are flagged but not stopped.
Go to the Entra ID Admin Center.
Navigate: Security > Identity Protection.
Select Sign-in risk policy.
Configure the policy:
Users: Apply to all users (exclude only break-glass accounts).
Sign-in risk level: Select High (or Medium and above depending on tolerance).
Access controls: Block access.
Save and enable the policy.
Licensing blind spot: Identity Protection requires the right licensing tier—no license, no risk-based signals.
Policy overlap: Running both user risk and sign-in risk policies without coordination can cause unexpected lockouts.
User lockout risk: Blocking without remediation paths (like password reset or MFA challenge) can lock legitimate users.
Use graduated responses
Instead of always blocking, consider policies that require a password reset or MFA re-prompt for medium-risk sign-ins.
Monitor risky sign-ins regularly
Review Security > Identity Protection > Risky sign-ins.
Track patterns, e.g., repeated risks from specific regions, apps, or accounts.
Pair with user risk policies
Combine both user risk and sign-in risk conditional access for layered protection.
Phase out exclusions
If certain accounts can’t be included immediately, set a plan to migrate them into scope.
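The pattern tracking described under "Monitor risky sign-ins regularly", as an added example that is not part of the original article: it counts medium and high risk sign-ins per region, app, and account, and lists the ones that were flagged but still succeeded. It assumes sign-in records exported as JSON using the Microsoft Graph signIn field names; the sample records and the name `summarize_risky_signins` are constructed for illustration.

```python
from collections import Counter

# Constructed sample records shaped like Microsoft Graph signIn entries.
# status.errorCode 0 = sign-in succeeded; 53003 = blocked by Conditional Access.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Exchange Online",
     "riskLevelDuringSignIn": "high", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "RO"}},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Exchange Online",
     "riskLevelDuringSignIn": "medium", "status": {"errorCode": 53003},
     "location": {"countryOrRegion": "RO"}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "riskLevelDuringSignIn": "high", "status": {"errorCode": 53003},
     "location": {"countryOrRegion": "RO"}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "SharePoint Online",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "riskLevelDuringSignIn": "medium", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "BR"}},
]

RISKY_LEVELS = {"medium", "high"}


def summarize_risky_signins(signins, repeat_threshold=2):
    """Return repeated risk by region/app/account and risky sign-ins not stopped."""
    by_region, by_app, by_account = Counter(), Counter(), Counter()
    not_stopped = []
    for s in signins:
        level = (s.get("riskLevelDuringSignIn") or "none").lower()
        if level not in RISKY_LEVELS:
            continue
        user = s.get("userPrincipalName") or "unknown"
        by_region[(s.get("location") or {}).get("countryOrRegion") or "unknown"] += 1
        by_app[s.get("appDisplayName") or "unknown"] += 1
        by_account[user] += 1
        # Succeeded despite the risk flag (possibly after passing a challenge):
        # these are the sessions to review for policy coverage gaps.
        if (s.get("status") or {}).get("errorCode") == 0:
            not_stopped.append((user, level))

    def repeated(counter):
        return {key: n for key, n in counter.items() if n >= repeat_threshold}

    return {"regions": repeated(by_region), "apps": repeated(by_app),
            "accounts": repeated(by_account), "not_stopped": not_stopped}


if __name__ == "__main__":
    print(summarize_risky_signins(SAMPLE_SIGNINS))
```

Accounts that appear in `not_stopped` at high risk are the first place to check whether an exclusion or a policy scoping gap let the session through.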
Enabling a sign-in risk policy takes identity protection from passive to proactive. By automatically blocking or challenging suspicious sessions, you dramatically reduce the odds of attackers slipping through. Audit regularly, tune for usability, and remember: risk-based conditional access is only as strong as its coverage.