CA-03: Block or Require MFA for Risky Sign-Ins

Frequently asked questions about implementing and managing the CA-03 security control in Microsoft 365 and Entra ID.

Q
What is CA-03 (Block or Require MFA for Risky Sign-Ins)?
A

CA-03 is a security control under which Microsoft analyzes each sign-in for anomalies (impossible travel, anonymous IP, malware-linked IPs). Risk-based policies automatically escalate protection when threats are detected, without user friction during normal access. It requires that an Identity Protection sign-in risk policy is enabled, that high-risk sign-ins are blocked, and that medium-risk sign-ins require MFA.

Related controls: CA-03
Q
Why is Block or Require MFA for Risky Sign-Ins important for Microsoft 365 security?
A

Microsoft analyzes each sign-in for anomalies (impossible travel, anonymous IP, malware-linked IPs). Risk-based policies automatically escalate protection when threats are detected, without user friction during normal access.

Related controls: CA-03
Q
How do I implement CA-03 in my tenant?
A

TrueConfig provides one-click remediation for CA-03: it creates the sign-in risk policy in Identity Protection.

Related controls: CA-03
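For administrators who want to build the CA-03 policies themselves rather than use the one-click remediation, the following is an added example (not TrueConfig's code and not Microsoft's policy template) that creates the two Conditional Access policies the control describes with the Microsoft Graph PowerShell SDK: one that blocks high-risk sign-ins and one that requires MFA for medium-risk sign-ins. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass group ID is a placeholder you replace with your own. Both policies are created in report-only mode so their impact can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example: create the CA-03 risk-based Conditional Access policies via Microsoft Graph.
# Sign-in risk is only evaluated when the tenant is licensed for Identity Protection (P2).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) group to exclude,
# so a false-positive risk detection can never lock every admin out of the tenant.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Scope shared by both policies: all users and all cloud apps, minus break-glass accounts.
$commonConditions = @{
    users = @{
        includeUsers  = @("All")
        excludeGroups = @($BreakGlassGroupId)
    }
    applications = @{
        includeApplications = @("All")
    }
}

# Policy 1: block high-risk sign-ins outright.
$blockHighRisk = @{
    displayName   = "CA-03a: Block high-risk sign-ins"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = $commonConditions + @{ signInRiskLevels = @("high") }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Policy 2: require MFA for medium-risk sign-ins.
$mfaMediumRisk = @{
    displayName   = "CA-03b: Require MFA for medium-risk sign-ins"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = $commonConditions + @{ signInRiskLevels = @("medium") }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($policy in @($blockHighRisk, $mfaMediumRisk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}

# Verification: list every policy that keys on sign-in risk and show which control it applies.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.SignInRiskLevels.Count -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.DisplayName
            State    = $_.State
            Risk     = ($_.Conditions.SignInRiskLevels -join ",")
            Controls = ($_.GrantControls.BuiltInControls -join ",")
        }
    } | Format-Table -AutoSize
```

Leave the policies in report-only mode long enough to see how many sign-ins they would have blocked or challenged, confirm the break-glass exclusion is in place, and then change `state` to `enabled`. The verification query at the end is also a convenient audit check: a tenant passes CA-03 only if it shows an enabled policy with `high` mapped to `block` and an enabled policy with `medium` mapped to `mfa`.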
Q
What license do I need for CA-03?
A

This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.

Related controls: CA-03
Q
Which security baseline includes CA-03?
A

CA-03 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls: CA-03