Attackers don’t always knock politely. Sometimes they come disguised as your users, armed with stolen passwords or suspicious sign-in patterns. Entra ID Protection flags these events with two built-in risk signals: user risk (how likely the identity itself is compromised) and sign-in risk (how likely a specific authentication is not from the account owner). Without Conditional Access policies tied to those signals, a risky sign-in is logged and then allowed through. Policies that act on high risk add the missing tripwire, blocking compromised sessions before they cause damage.
Unchallenged intrusions: A high-risk sign-in is flagged, but nothing stops it, so the attacker walks away with a valid session.
Account takeover: A stolen password can become a stolen account.
Downstream impact: Compromised accounts can be leveraged for phishing, privilege escalation, or ransomware deployment.
Go to the Microsoft Entra admin center.
Navigate: Protection (labelled Security in older versions of the portal) > Conditional Access.
Create a new policy:
Assignments: Target all users and all resources (cloud apps), keeping break-glass/emergency accounts excluded.
Conditions: Under User risk, select High. (User risk scores the identity as a whole; the separate Sign-in risk condition scores an individual authentication and gets its own policy, covered below.)
Access controls: Block access.
Turn the policy on in Report-only mode first, review what it would have blocked, then switch it to On to enforce it.
Risk signals only work if enabled: Risk-based Conditional Access needs Microsoft Entra ID P2 (or a bundle that includes it, such as Microsoft 365 E5) with Identity Protection configured; without it, the policy has nothing to trigger on.
Over-reliance on blocking: Blocking stops the session but leaves the user flagged until an administrator investigates. A secure password change (password reset behind MFA) or a forced re-authentication remediates the risk automatically and is often the better balance between security and usability.
Excluded accounts: Every exception is a potential weak point. Keep the list to break-glass accounts only, protect those accounts with phishing-resistant credentials, and alert on any sign-in by them.
Combine with sign-in risk policies
Create a separate policy with Sign-in risk = High to cover suspicious sessions (anonymous IP, impossible travel, unfamiliar sign-in properties), not just identities already believed to be compromised.
Remediate, don’t just block
Consider policies that enforce a secure password change for medium (and above) user risk and an MFA re-prompt for medium (and above) sign-in risk, so users self-remediate instead of being locked out while protection stays in place.
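The policy steps above, the sign-in risk companion policy and the medium-risk remediation policies all have the same shape in the Microsoft Graph conditionalAccessPolicy resource, so the following added example (written for this page, not code from Microsoft or the original article) builds all four as Graph request bodies and, when a bearer token is present, creates them. It goes slightly beyond the article by handling the Graph rule that a password change control must be paired with MFA under the AND operator. The break-glass object ID and the GRAPH_TOKEN environment variable are placeholders; the token needs at least Policy.ReadWrite.ConditionalAccess.

```python
"""Build risk-based Entra ID Conditional Access policies and (optionally) create them via Microsoft Graph."""
import json
import os
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Object IDs of the break-glass accounts to exclude. Placeholder GUID; replace with your own.
BREAK_GLASS_IDS = ["00000000-0000-0000-0000-000000000001"]

# Graph condition property for each risk type: user risk scores the identity,
# sign-in risk scores the individual authentication.
RISK_CONDITIONS = {"user": "userRiskLevels", "signin": "signInRiskLevels"}
VALID_LEVELS = {"low", "medium", "high"}


def build_risk_policy(name, risk_type, levels, control,
                      exclude_users=BREAK_GLASS_IDS, report_only=True):
    """Return a conditionalAccessPolicy request body.

    control is "block", "mfa" or "passwordChange". Graph accepts passwordChange
    only together with mfa under the AND operator, so that pairing is emitted
    automatically.
    """
    if risk_type not in RISK_CONDITIONS:
        raise ValueError(f"risk_type must be one of {sorted(RISK_CONDITIONS)}")
    if not levels or not set(levels) <= VALID_LEVELS:
        raise ValueError(f"levels must be a non-empty subset of {sorted(VALID_LEVELS)}")
    if control in ("block", "mfa"):
        grant = {"operator": "OR", "builtInControls": [control]}
    elif control == "passwordChange":
        grant = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    else:
        raise ValueError("control must be block, mfa or passwordChange")
    return {
        "displayName": name,
        # Report-only logs what the policy would have done without enforcing it.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            RISK_CONDITIONS[risk_type]: sorted(set(levels)),
        },
        "grantControls": grant,
    }


def create_policy(policy, access_token):
    """POST the policy to Graph and return the created object (needs Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def baseline_policies():
    """The four policies the article describes: block high risk, remediate medium risk."""
    return [
        build_risk_policy("CA - Block high user risk", "user", ["high"], "block"),
        build_risk_policy("CA - Block high sign-in risk", "signin", ["high"], "block"),
        build_risk_policy("CA - Password change on medium user risk", "user", ["medium"], "passwordChange"),
        build_risk_policy("CA - MFA on medium sign-in risk", "signin", ["medium"], "mfa"),
    ]


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # obtain via your usual OAuth flow; unset means dry run
    for policy in baseline_policies():
        if token:
            print("created", create_policy(policy, token)["id"])
        else:
            print(json.dumps(policy, indent=2))
```

Run it without GRAPH_TOKEN to print the bodies and review them first; every policy is emitted in Report-only state, so even after creation nothing is blocked until you flip the state to enabled.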
Audit and tune
Review the Risky users, Risky sign-ins and Risk detections reports under Entra ID > Security (Protection) > Identity Protection.
Track trends, false positives (detections you confirm safe or dismiss), and accounts that keep reappearing at high risk.
Eliminate exclusions over time
Start with scoped pilots if needed, but expand quickly to cover all users.
Sunset exceptions with a clear timeline.
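The review and exclusion-cleanup steps above lend themselves to a small script, so here is an added example (written for this page, not code from the original article or from Microsoft) that summarises risk detections over a window and audits risk-based policies for unapproved exclusions and policies still left in report-only. The detection and policy records are constructed inline in the trimmed shape of the Graph v1.0 riskDetection and conditionalAccessPolicy objects; the GUIDs, user names and the fixed "today" date are placeholders.

```python
"""Summarize Entra ID Protection risk detections and audit risk-policy exclusions."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Graph v1.0 riskDetection objects (fields trimmed); not real tenant data.
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@example.com", "riskLevel": "high", "riskState": "atRisk",
     "riskEventType": "unfamiliarFeatures", "detectedDateTime": "2024-06-28T08:12:00Z"},
    {"userPrincipalName": "alice@example.com", "riskLevel": "high", "riskState": "confirmedCompromised",
     "riskEventType": "leakedCredentials", "detectedDateTime": "2024-06-20T14:03:00Z"},
    {"userPrincipalName": "bob@example.com", "riskLevel": "medium", "riskState": "dismissed",
     "riskEventType": "unfamiliarFeatures", "detectedDateTime": "2024-06-25T09:40:00Z"},
    {"userPrincipalName": "bob@example.com", "riskLevel": "high", "riskState": "confirmedSafe",
     "riskEventType": "anonymizedIPAddress", "detectedDateTime": "2024-06-10T22:15:00Z"},
    {"userPrincipalName": "carol@example.com", "riskLevel": "low", "riskState": "remediated",
     "riskEventType": "unfamiliarFeatures", "detectedDateTime": "2024-06-29T07:00:00Z"},
    {"userPrincipalName": "dave@example.com", "riskLevel": "high", "riskState": "atRisk",
     "riskEventType": "impossibleTravel", "detectedDateTime": "2024-04-01T03:30:00Z"},
]

# Constructed Conditional Access policies (Graph shape, trimmed). The first GUID is a placeholder break-glass account.
BREAK_GLASS_IDS = ["00000000-0000-0000-0000-000000000001"]
SAMPLE_POLICIES = [
    {"displayName": "CA - Block high user risk", "state": "enabled",
     "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": [],
                    "users": {"excludeUsers": BREAK_GLASS_IDS + ["11111111-1111-1111-1111-111111111111"]}}},
    {"displayName": "CA - Block high sign-in risk", "state": "enabledForReportingButNotEnforced",
     "conditions": {"userRiskLevels": [], "signInRiskLevels": ["high"],
                    "users": {"excludeUsers": BREAK_GLASS_IDS}}},
    {"displayName": "CA - MFA for all users", "state": "enabled",
     "conditions": {"userRiskLevels": [], "signInRiskLevels": [],
                    "users": {"excludeUsers": []}}},
]

FALSE_POSITIVE_STATES = {"confirmedSafe", "dismissed"}  # an admin triaged the detection as benign


def _parse(ts):
    """Graph timestamps end in Z; make them timezone-aware for comparison."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def summarize_detections(detections, now, window_days=30, repeat_threshold=2):
    """Trend view over the last window_days: counts by detection type, triage outcomes,
    and accounts with repeated high-risk detections."""
    cutoff = now - timedelta(days=window_days)
    recent = [d for d in detections if _parse(d["detectedDateTime"]) >= cutoff]
    high_by_user = Counter(d["userPrincipalName"] for d in recent if d["riskLevel"] == "high")
    return {
        "total": len(recent),
        "by_type": dict(Counter(d["riskEventType"] for d in recent)),
        "false_positives": sum(d["riskState"] in FALSE_POSITIVE_STATES for d in recent),
        "confirmed_compromised": sum(d["riskState"] == "confirmedCompromised" for d in recent),
        "untriaged_at_risk": sum(d["riskState"] == "atRisk" for d in recent),
        "repeat_high_risk_users": sorted(u for u, n in high_by_user.items() if n >= repeat_threshold),
    }


def audit_risk_policies(policies, approved_break_glass):
    """For every risk-based policy, report exclusions beyond the approved break-glass
    accounts and whether the policy is actually enforced (not report-only or disabled)."""
    findings = {}
    for p in policies:
        cond = p["conditions"]
        if not (cond.get("userRiskLevels") or cond.get("signInRiskLevels")):
            continue  # not a risk policy; out of scope for this audit
        extra = sorted(set(cond["users"].get("excludeUsers", [])) - set(approved_break_glass))
        findings[p["displayName"]] = {
            "enforced": p["state"] == "enabled",
            "unapproved_exclusions": extra,
        }
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed "today" matching the sample data
    for key, value in summarize_detections(SAMPLE_DETECTIONS, now).items():
        print(f"{key}: {value}")
    for name, finding in audit_risk_policies(SAMPLE_POLICIES, BREAK_GLASS_IDS).items():
        print(name, finding)
```

In a real tenant, feed it the output of GET /identity/riskDetections and GET /identity/conditionalAccess/policies; the two findings to act on are any non-empty unapproved_exclusions list and any risk policy whose enforced flag is still false.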
High-risk sign-ins are the blinking red light of identity security. Conditional Access tied to those signals turns an alert into an enforcement decision instead of a breach. Pair blocking policies with remediation steps, audit regularly, and keep exclusions on a short leash. When risk is high, trust is low, and your policy should act accordingly.