CA-03: Creating a Sign-In Risk-Based Policy
Overview
This guide walks you through creating a Conditional Access policy that responds to sign-in risk levels detected by Microsoft Entra ID Protection. This policy automatically escalates protection when Microsoft detects anomalous sign-in behavior such as impossible travel, anonymous IP addresses, or known malicious infrastructure.
- Control ID: CA-03
- Category: Conditional Access
- Severity: High
- License Required: Microsoft Entra ID P2 (included in Microsoft 365 E5, or purchased as standalone Entra ID P2)
Why This Matters
Microsoft analyzes billions of sign-ins daily and uses machine learning to detect suspicious authentication patterns. Sign-in risk detection identifies threats like:
- Impossible travel - Sign-in from two distant locations within impossible timeframes
- Anonymous IP addresses - Sign-ins from Tor exit nodes or anonymous VPNs
- Malware-linked IP addresses - Known botnet command and control infrastructure
- Unfamiliar sign-in properties - Unusual device, browser, or location combinations
- Password spray attacks - Multiple failed attempts across accounts
Risk-based policies automatically respond to these threats without affecting legitimate users during normal access.
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended - least privilege)
- Security Administrator
- Global Administrator
Required Licenses
- Microsoft Entra ID P2 for each user in scope
- Available as part of Microsoft 365 E5 or as a standalone Entra ID P2 license
Pre-Configuration Requirements
Before creating this policy:
- Verify P2 licensing - Sign-in risk detection requires Entra ID P2
- Emergency access accounts exist - Break-glass accounts must be excluded
- Users have MFA registered - High-risk sign-ins will require MFA
Time Estimate
| Task | Duration |
|---|---|
| Policy creation | 10-15 minutes |
| Report-only monitoring | 3-7 days (recommended) |
| Full enablement | 5 minutes |
| Total | 4-8 days including monitoring |
Step-by-Step Instructions
Step 1: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- In the left navigation, expand Protection
- Select Conditional Access
- Click Policies in the submenu
Step 2: Create a New Policy
- Click + New policy at the top of the policies list
- Enter a descriptive name:
Block or MFA for Risky Sign-Ins
Step 3: Configure Users and Groups
- Under Assignments, click Users
- Select All users under Include
- Under Exclude, click Users and groups
- Add your emergency access accounts
- Optionally add a pilot group exclusion for initial testing
Step 4: Configure Target Resources
- Under Target resources, click Cloud apps
- Select All cloud apps under Include
Step 5: Configure Sign-In Risk Condition
This is the key configuration for this policy:
- Under Conditions, click Sign-in risk
- Set Configure to Yes
- Select the risk levels to target:
Recommended Configuration:
- High - Block access
- Medium - Require MFA
Note: Applying a different control per risk level requires two policies (one that blocks High, one that requires MFA for Medium). Alternatively, use a single policy that requires MFA for both levels and rely on Identity Protection defaults for blocking.
Step 6: Configure Access Controls (Option A - Single Policy)
For a simpler approach, require MFA for Medium and High risk:
- Under Access controls, click Grant
- Select Grant access
- Check Require multifactor authentication
- Click Select
Note: This approach requires MFA for risky sign-ins but does not block them. For blocking high-risk sign-ins, see Option B.
Step 6: Configure Access Controls (Option B - Block High Risk)
To block high-risk sign-ins outright, create two policies:
Policy 1: Block High-Risk Sign-Ins
- Condition: Sign-in risk = High
- Grant: Block access
Policy 2: Require MFA for Medium-Risk Sign-Ins
- Condition: Sign-in risk = Medium
- Grant: Require multifactor authentication
Step 7: Enable the Policy
Recommended approach - Start with Report-only:
- Under Enable policy, select Report-only
- Click Create
- Monitor the Risky sign-ins report for 3-7 days
- Review false positive rates and impact
- Once validated, edit the policy and change to On
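The same two-policy configuration (Steps 3 to 7) as an added Microsoft Graph PowerShell example, not part of the original guide: it creates both policies in report-only state with the emergency access exclusion in place. It assumes the Microsoft.Graph module is installed and that the break-glass accounts are members of one group whose object ID replaces the placeholder.

```powershell
# Added example, not from the original guide: builds the two-policy approach with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed and that the
# emergency access accounts sit in one group whose object ID replaces the placeholder below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassGroupId = '<object-id-of-emergency-access-group>'   # placeholder: replace before running
if ($BreakGlassGroupId -like '<*') {
    throw 'Set $BreakGlassGroupId first; a risk policy must never ship without the break-glass exclusion.'
}

function New-RiskPolicyBody {
    param(
        [string]   $Name,
        [string[]] $RiskLevels,   # Graph values: 'low', 'medium', 'high'
        [string]   $Control       # 'block' or 'mfa'
    )
    @{
        displayName   = $Name
        # Step 7: start in report-only; switch to 'enabled' after 3-7 days of clean monitoring.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }  # Step 3
            applications     = @{ includeApplications = @('All') }                                 # Step 4
            signInRiskLevels = $RiskLevels                                                          # Step 5
        }
        grantControls = @{ operator = 'OR'; builtInControls = @($Control) }                        # Step 6
    }
}

$policies = @(
    (New-RiskPolicyBody -Name 'Block High-Risk Sign-Ins'             -RiskLevels 'high'   -Control 'block'),
    (New-RiskPolicyBody -Name 'Require MFA for Medium-Risk Sign-Ins' -RiskLevels 'medium' -Control 'mfa')
)

foreach ($body in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host ("Created '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

When the monitoring period is over, the same bodies with `state = 'enabled'` can be applied through Update-MgIdentityConditionalAccessPolicy instead of editing each policy in the portal.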
Understanding Sign-In Risk Levels
High Risk
Indicates a high probability the sign-in was not performed by the legitimate user.
Detection Examples:
- Sign-in from a known malicious IP address
- Impossible travel between distant locations
- Activity from Tor exit nodes with other suspicious indicators
Recommended Action: Block access or require password change + MFA
Medium Risk
Indicates a moderate probability of suspicious activity.
Detection Examples:
- Unfamiliar sign-in properties (new device/browser/location combination)
- Anonymous IP address usage
- Atypical travel patterns
Recommended Action: Require MFA to verify identity
Low Risk
Indicates minor anomalies that may warrant attention.
Detection Examples:
- Slightly unusual patterns
- Minor deviations from normal behavior
Recommended Action: Log and monitor (or require MFA in high-security environments)
Verification Checklist
After enabling the policy, verify successful implementation:
Immediate Checks
- Policy appears in the Conditional Access policies list with status "On" or "Report-only"
- Sign-in risk condition is properly configured (Medium, High selected)
- Emergency access accounts are listed in the exclusions
- Appropriate grant controls are configured
Identity Protection Dashboard
- Navigate to Entra admin center > Protection > Identity Protection
- Click Risky sign-ins to view detections
- Verify that risky sign-ins show your policy as applied
Sign-in Log Validation
- Navigate to Entra admin center > Monitoring > Sign-in logs
- Click on any sign-in and check the Conditional Access tab
- For risky sign-ins, verify your policy appears
Testing (Caution - Do Not Create Real Risks)
Note: Do not attempt to trigger sign-in risk artificially. Instead:
- Review the "Risky sign-ins" report for recent detections
- Validate that past risky sign-ins would have triggered the policy
- Use the "What If" tool with a simulated high-risk scenario
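To validate against past detections without manufacturing risk, this added example (not from the original guide) pulls the last seven days of medium- and high-risk sign-ins from the sign-in log and shows what each risk policy did, or in report-only mode would have done. It assumes the Microsoft.Graph module is installed and the policy names from the two-policy approach; change $PolicyNames if yours differ.

```powershell
# Added example, not from the original guide: summarises how the sign-in risk policies behaved
# on real risky sign-ins over the last 7 days. Assumes Microsoft.Graph is installed and the
# policies carry the names used in the two-policy approach.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$PolicyNames = @('Block High-Risk Sign-Ins', 'Require MFA for Medium-Risk Sign-Ins')
$since       = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Only sign-ins that carried medium or high risk at authentication time are in scope for CA-03.
$filter  = "createdDateTime ge $since and (riskLevelDuringSignIn eq 'medium' or riskLevelDuringSignIn eq 'high')"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$rows = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies | Where-Object { $PolicyNames -contains $_.DisplayName }) {
        [pscustomobject]@{
            When      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            RiskLevel = $s.RiskLevelDuringSignIn
            RiskState = $s.RiskState            # atRisk, remediated, dismissed, confirmedCompromised, ...
            Policy    = $p.DisplayName
            # Enforced policies log success/failure; report-only policies log reportOnlySuccess /
            # reportOnlyFailure (controls not satisfied, so an enforced policy would have stopped it).
            # notApplied or reportOnlyNotApplied on a risky sign-in means the policy did not match at all.
            Result    = $p.Result
        }
    }
}

# Roll-up per policy and outcome: the headline figure for the report-only review in Step 7.
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail view: high-risk sign-ins that were not (or would not have been) blocked. Each of these is
# either an exclusion to justify or a mis-set condition (see Troubleshooting: Policy Not Applied).
$rows | Where-Object { $_.RiskLevel -eq 'high' -and $_.Result -notin 'failure', 'reportOnlyFailure' } |
    Sort-Object When -Descending | Format-Table -AutoSize
```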
Troubleshooting
No Risky Sign-Ins Detected
Symptom: The Risky sign-ins report is empty.
Solutions:
- Verify Entra ID P2 licenses are assigned to users
- Allow 5-10 minutes for risk detection to process before expecting results
- Check the Risk detections report for raw detections
- Ensure Conditional Access is not blocking sign-ins before risk can be evaluated
False Positives - Legitimate Users Blocked
Symptom: Legitimate users are being flagged as high risk.
Solutions:
- Review the specific risk detections in Protection > Identity Protection > Risk detections
- Check if users are using VPNs or privacy tools that trigger detections
- Consider adding trusted locations to reduce false positives
- Document the dismiss reason for each false positive
Users Cannot Self-Remediate
Symptom: Users cannot complete MFA or password reset when prompted.
Solutions:
- Verify users have MFA methods registered
- Ensure SSPR (Self-Service Password Reset) is enabled
- Check if the user is blocked or disabled
- An admin may need to manually dismiss the risk or reset credentials
Policy Not Applied to Risky Sign-Ins
Symptom: High-risk sign-ins are succeeding without MFA.
Solutions:
- Verify the policy is set to "On" (not "Report-only")
- Check if the user is excluded from the policy
- Ensure the Sign-in risk condition is properly configured
- Review policy evaluation order with the "What If" tool
Policy Configuration Summary
Single Policy Approach
| Setting | Value |
|---|---|
| Policy Name | Block or MFA for Risky Sign-Ins |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions - Sign-in risk | Medium, High |
| Grant | Require multifactor authentication |
| Enable Policy | On |
Two-Policy Approach (Recommended)
Policy 1: Block High-Risk Sign-Ins
| Setting | Value |
|---|---|
| Policy Name | Block High-Risk Sign-Ins |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions - Sign-in risk | High |
| Grant | Block access |
| Enable Policy | On |
Policy 2: Require MFA for Medium-Risk Sign-Ins
| Setting | Value |
|---|---|
| Policy Name | Require MFA for Medium-Risk Sign-Ins |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions - Sign-in risk | Medium |
| Grant | Require multifactor authentication |
| Enable Policy | On |
Monitoring and Maintenance
Regular Reviews
- Weekly: Review the Risky sign-ins report for patterns
- Monthly: Analyze false positive rates and adjust if needed
- Quarterly: Review sign-in risk policies with security team
Risk Dismissal
When investigating false positives:
- Navigate to Protection > Identity Protection > Risky sign-ins
- Select the sign-in and click Confirm safe or Dismiss risk
- Document the reason for dismissal
Related Controls
- CA-04: Remediate High-Risk Users Automatically (user risk policy)
- CA-01: Require MFA for All Users (baseline policy)
- LOG-03: Stream Security Events to SIEM (for correlation)
- GOV-04: Automate Threat Response with SOAR (advanced automation)