Conditional access policy for risky sign-ins

Manuel J. Gomez 20 Reputation points
2024-08-02T15:14:20.11+00:00

I am trying to create a conditional access policy to require multifactor authentication for risky sign-in attempts.

I am following the instructions on this article but there is no section to define user or sign-in risk.

https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies#sign-in-risk-policy-in-conditional-access

How can I create a policy to assist in requiring the action be followed?

How can I get an alert of a risky sign-in attempt?


Accepted answer
Sandeep G-MSFT 19,021 Reputation points Microsoft Employee
    2024-08-05T10:32:09.54+00:00

    @Manuel J. Gomez

    Thank you for posting this in Microsoft Q&A.

    As I understand you want to configure MFA for users based on risky sign-in attempts to Azure resources.

    In Azure there is a feature called Identity Protection. Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation.

    In Identity Protection, user and sign-in risks are already defined and are differentiated into multiple categories.

    You can follow the article below to learn more about the risk definitions:

    https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-detections-mapped-to-riskeventtype

    Now there are two types of detections:

    • Real time detections.
    • Offline detections.

    ID Protection utilizes techniques to increase the precision of user and sign-in risk detections by calculating some risks in real-time or offline after authentication. Detecting risk in real-time at sign-in gives the advantage of identifying risk early so that customers can quickly investigate the potential compromise. On detections that calculate risk offline, they can provide more insight as to how the threat actor gained access to the account and the impact on the legitimate user. Some detections can be triggered both offline and during sign-in, which increases confidence in being precise on the compromise.

    Detections triggered in real-time take 5-10 minutes to surface details in the reports. Offline detections take up to 48 hours to surface in the reports, as it takes time to evaluate properties of the potential risk.

    Yes, you can configure triggering alerts and also sending notifications when user risk or sign-in risk is detected.

    https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-notifications

    To configure risk policies, you can refer to the article below:

    https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
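The following is an added example, not part of the Q&A thread and not Microsoft's own sample code. It shows what the accepted answer describes in scriptable form: a Conditional Access policy whose condition is the sign-in risk level (the `conditions.signInRiskLevels` property of the Graph `conditionalAccessPolicy` resource; `conditions.userRiskLevels` is the equivalent for user risk), created in report-only mode so its matches can be reviewed before it is enforced, followed by a query of recent risk detections that an administrator could review or forward to a SIEM. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module) is installed and that the signed-in account holds the listed permissions; the policy name and the break-glass account placeholder are constructed values.

```powershell
# Added example (not from the Q&A thread). Requires the Microsoft.Graph.Identity.SignIns
# module and an admin with the scopes requested below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "IdentityRiskEvent.Read.All"

# 1. Sign-in risk policy: require MFA when Identity Protection rates the sign-in
#    as medium or high risk. The risk condition is conditions.signInRiskLevels;
#    a user-risk policy would set conditions.userRiskLevels instead.
$policy = @{
    displayName = "CA - Require MFA for medium/high sign-in risk"   # constructed name
    # Report-only first: matches are logged in sign-in logs but nothing is blocked.
    # Change to "enabled" after reviewing the report-only results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        signInRiskLevels = @("high", "medium")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers = @("All")
            # Placeholder: object ID of your emergency-access account, so a
            # misfiring risk policy cannot lock every administrator out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# 2. Visibility: list high-risk detections from the last 24 hours. Real-time
#    detections appear within minutes; offline detections can take up to 48 hours,
#    so a daily query will still be catching up on older sign-ins.
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgRiskDetection -All -Filter "riskLevel eq 'high' and detectedDateTime ge $since" |
    Select-Object UserPrincipalName, RiskEventType, RiskLevel, RiskState, IpAddress, DetectedDateTime |
    Format-Table -AutoSize
```

Running the policy in report-only mode for a few days and checking the "Report-only" result in the sign-in logs is the usual way to confirm the risk condition is matching the sign-ins you expect before switching the state to `enabled`. The detection query is the pull-based counterpart of the e-mail notifications linked in the answer; the same `riskDetections` data is what a SIEM connector would ingest.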

