CA-03 | High | Enhanced Security
Block or Require MFA for Risky Sign-Ins
Conditional Access control for Microsoft 365 and Entra ID
Why This Control Matters
Microsoft analyzes each sign-in for anomalies (impossible travel, anonymous IP, malware-linked IPs). Risk-based policies automatically escalate protection when threats are detected, without user friction during normal access.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. An Identity Protection sign-in risk policy is enabled
2. High-risk sign-ins are blocked
3. Medium-risk sign-ins require MFA
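As an added example (not TrueConfig's own code), the three criteria above can be checked offline against policies exported from Microsoft Graph. It assumes the risk policy is expressed as Conditional Access policies using the Graph `conditionalAccessPolicy` fields; the function names and sample policies are constructed, and user/app scoping and exclusions are not evaluated.

```python
# Added example: audit exported Conditional Access policies against CA-03.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource;
# the sample policies at the bottom are constructed for illustration.

def _enforced(policy):
    # Disabled and report-only policies do not protect any sign-in.
    return policy.get("state") == "enabled"

def _covers(policy, level, control):
    """True if the policy applies `control` to sign-ins at risk `level`."""
    risk = (policy.get("conditions") or {}).get("signInRiskLevels") or []
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if level not in risk or control not in controls:
        return False
    # With operator OR and several controls, the user can satisfy a control
    # other than MFA, so MFA is only guaranteed alone or under AND.
    if control == "mfa" and len(controls) > 1 and grant.get("operator") != "AND":
        return False
    return True

def evaluate_ca03(policies):
    """Map the page's three expected-state criteria to booleans."""
    active = [p for p in policies if _enforced(p)]
    result = {
        "risk_policy_enabled": any(
            (p.get("conditions") or {}).get("signInRiskLevels") for p in active),
        "high_blocked": any(_covers(p, "high", "block") for p in active),
        "medium_requires_mfa": any(_covers(p, "medium", "mfa") for p in active),
    }
    result["compliant"] = all(result.values())
    return result

# Constructed sample exports (not real tenant data).
SAMPLE_COMPLIANT = [
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for medium-risk sign-ins", "state": "enabled",
     "conditions": {"signInRiskLevels": ["medium"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
# Same policies, but the block policy was left in report-only mode.
SAMPLE_REPORT_ONLY = [
    dict(SAMPLE_COMPLIANT[0], state="enabledForReportingButNotEnforced"),
    SAMPLE_COMPLIANT[1],
]

if __name__ == "__main__":
    print(evaluate_ca03(SAMPLE_COMPLIANT))
    print(evaluate_ca03(SAMPLE_REPORT_ONLY))
```

The report-only sample shows the common deviation: the policy exists and looks correct, but high-risk sign-ins are not actually blocked.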
Enforcement
Default Mode: Auto-Remediate. Automatically fixes deviations when safe to do so
Auto-Remediation: Available. Creates sign-in risk policy in Identity Protection
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.