Block or Require MFA for Risky Sign-Ins for Education & Research

Education & Research organizations face specific regulatory requirements including cis, nist-800-53, soc2. The CA-03 control helps address these requirements by:

• An Identity Protection sign-in risk policy is enabled
• High-risk sign-ins are blocked
• Medium-risk sign-ins require MFA

Microsoft analyzes each sign-in for anomalies (impossible travel, anonymous IP, malware-linked IPs). Risk-based policies automatically escalate protection when threats are detected, without user friction during normal access.

When implementing CA-03 in a education & research environment, consider:

• **Regulatory requirements**: cis, nist-800-53, soc2 may mandate specific configurations
• **Risk tolerance**: Education & Research organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

CA-03 requires the following configuration:

• An Identity Protection sign-in risk policy is enabled
• High-risk sign-ins are blocked
• Medium-risk sign-ins require MFA

Creates sign-in risk policy in Identity Protection

With TrueConfig, you can implement this control automatically using our one-click remediation feature.