Block or Require MFA for Risky Sign-Ins for Energy & Utilities

Energy & Utilities organizations face specific regulatory requirements including nist-800-53, cis, iso27001. The CA-03 control helps address these requirements by:

• An Identity Protection sign-in risk policy is enabled
• High-risk sign-ins are blocked
• Medium-risk sign-ins require MFA

Microsoft analyzes each sign-in for anomalies (impossible travel, anonymous IP, malware-linked IPs). Risk-based policies automatically escalate protection when threats are detected, without user friction during normal access.

When implementing CA-03 in a energy & utilities environment, consider:

• **Regulatory requirements**: nist-800-53, cis, iso27001 may mandate specific configurations
• **Risk tolerance**: Energy & Utilities organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

CA-03 requires the following configuration:

• An Identity Protection sign-in risk policy is enabled
• High-risk sign-ins are blocked
• Medium-risk sign-ins require MFA

Creates sign-in risk policy in Identity Protection

With TrueConfig, you can implement this control automatically using our one-click remediation feature.