Block or Require MFA for Risky Sign-Ins for Professional Services & Consulting

Professional Services & Consulting organizations face specific regulatory requirements including soc2, iso27001, cis. The CA-03 control helps address these requirements by:

• An Identity Protection sign-in risk policy is enabled
• High-risk sign-ins are blocked
• Medium-risk sign-ins require MFA

Microsoft analyzes each sign-in for anomalies (impossible travel, anonymous IP, malware-linked IPs). Risk-based policies automatically escalate protection when threats are detected, without user friction during normal access.

When implementing CA-03 in a professional services & consulting environment, consider:

• **Regulatory requirements**: soc2, iso27001, cis may mandate specific configurations
• **Risk tolerance**: Professional Services & Consulting organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

CA-03 requires the following configuration:

• An Identity Protection sign-in risk policy is enabled
• High-risk sign-ins are blocked
• Medium-risk sign-ins require MFA

Creates sign-in risk policy in Identity Protection

With TrueConfig, you can implement this control automatically using our one-click remediation feature.