Risk-based access policies in Azure Active Directory

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

When a sign-in or user is detected to be at risk, access control policies can be used to protect the organization. These are known as risk-based policies.

Sign-in risk and user risk are the two risk conditions offered by Azure AD Conditional Access. By configuring these two risk conditions and selecting an access control method, organizations can create risk-based Conditional Access policies. Identity Protection sends the detected risk levels to Conditional Access during each sign-in, and the risk-based policies apply if the policy conditions are met.

For example, if an organization has a sign-in risk policy that requires multifactor authentication when the sign-in risk level is medium or high, as shown in the diagram below, their users must complete multifactor authentication when their sign-in risk is medium or high.

The preceding example also demonstrates a key advantage of a risk-based policy: automatic risk remediation. When a user completes the required access control, such as a secure password change, their risk is mitigated. That sign-in session and user account will not be jeopardized, and no action on the administrator’s part is required.

Allowing users to self-remediate through this process reduces the risk investigation and remediation burden on administrators while protecting your organization from security compromises. The article Remediate risks and unblock users contains more information on risk remediation.

Sign-in risk-based Conditional Access policy

Identity Protection analyses hundreds of signals in real time during each sign-in and calculates a sign-in risk level that represents the likelihood that the given authentication request is not authorized. This risk level is then sent to Conditional Access, which evaluates the organization’s configured policies. Administrators can set up sign-in risk-based Conditional Access policies to enforce access controls based on sign-in risk, such as:

  • Block access
  • Allow access
  • Require multifactor authentication

If risks are detected during a sign-in, users can perform the necessary access control, such as multifactor authentication, to self-remediate and close the risky sign-in event, reducing administrative noise.

User risk-based Conditional Access policy

Identity Protection analyses user account signals and assigns a risk score based on the likelihood that the user’s account has been compromised. Identity Protection will use these signals to calculate the user risk level if a user exhibits risky sign-in behavior or their credentials have been leaked. Administrators can set up user risk-based Conditional Access policies to enforce access controls based on user risk, such as:

  • Block access
  • Allow access but require a secure password change

A secure password change will mitigate the user risk and close the risky user event, reducing administrative noise.

Identity Protection policies

While Identity Protection provides a user interface for creating user risk policies and sign-in risk policies, we strongly advise you to use Azure AD Conditional Access to create risk-based policies for the following reasons:

  • Conditional Access provides a rich set of conditions for controlling access, such as applications and locations, for configuration. The risk conditions, when combined with other conditions, can be used to create policies that best enforce your organization’s requirements.
  • Multiple risk-based policies can be implemented to target different user groups or apply different access controls for various risk levels.
  • Conditional Access policies can be created using the Microsoft Graph API and tested in report-only mode first.
  • Conditional Access allows you to manage all of your access policies in one place.

If you already have Identity Protection risk policies in place, we recommend that you convert them to Conditional Access.
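As an added example (not code from the article or from Microsoft), the following Python builds the two policies described above, a sign-in risk policy that requires multifactor authentication at medium or high risk and a user risk policy that requires a secure password change at high risk, as Microsoft Graph request bodies in report-only mode, checks them locally before submission, and shows which control a given risk level would trigger. The Graph endpoint, the `signInRiskLevels`/`userRiskLevels` condition names, the `builtInControls` values and the `enabledForReportingButNotEnforced` state are real; the helper names (`build_*`, `validate_policy`, `evaluate_policy`, `submit_policy`) and the policy display names are this example's own, and the submit step needs a real bearer token so it is defined but not called.

```python
"""Build risk-based Conditional Access policies as Microsoft Graph request bodies
(report-only mode), validate them locally, and map risk levels to the controls
they would trigger.  Helper names are this example's own, not a Microsoft API."""
import json
import urllib.request

# Real Graph endpoint for Conditional Access policies (POST creates a policy).
GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # real state value for report-only mode
VALID_RISK_LEVELS = {"low", "medium", "high", "hidden", "none", "unknownFutureValue"}


def build_sign_in_risk_policy(levels=("medium", "high")):
    """Require MFA when the sign-in risk is at one of the given levels (report-only)."""
    return {
        "displayName": "CA - Sign-in risk: require MFA (medium/high)",  # constructed name
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": list(levels),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def build_user_risk_policy(levels=("high",)):
    """Require a secure password change (MFA plus password change) at the given user risk levels."""
    return {
        "displayName": "CA - User risk: require secure password change (high)",  # constructed name
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": list(levels),
        },
        # Graph requires passwordChange to be combined with mfa using the AND operator.
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    }


def validate_policy(policy):
    """Local sanity checks before submission; returns a list of problems (empty means OK)."""
    problems = []
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls", {})
    controls = set(grant.get("builtInControls", []))
    if not (cond.get("signInRiskLevels") or cond.get("userRiskLevels")):
        problems.append("not a risk-based policy: no signInRiskLevels or userRiskLevels")
    for key in ("signInRiskLevels", "userRiskLevels"):
        bad = set(cond.get(key, [])) - VALID_RISK_LEVELS
        if bad:
            problems.append(f"{key}: unknown risk level(s) {sorted(bad)}")
    if "passwordChange" in controls and not ("mfa" in controls and grant.get("operator") == "AND"):
        problems.append("passwordChange must be combined with mfa using operator AND")
    if policy.get("state") != REPORT_ONLY:
        problems.append("policy is not in report-only mode; test it before enforcing")
    return problems


def evaluate_policy(policy, sign_in_risk="none", user_risk="none"):
    """Return the control(s) a sign-in with these risk levels would trigger, or 'none'.
    Simplified: only the risk conditions are checked, as in the article's example
    (medium/high sign-in risk -> MFA; any other level -> no control)."""
    cond = policy["conditions"]
    hit = (sign_in_risk in cond.get("signInRiskLevels", [])
           or user_risk in cond.get("userRiskLevels", []))
    if not hit:
        return "none"
    return "+".join(policy["grantControls"]["builtInControls"])


def submit_policy(policy, access_token):
    """POST the policy to Graph (the token needs Policy.ReadWrite.ConditionalAccess).
    Not called in this example; requires a real token and network access."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for p in (build_sign_in_risk_policy(), build_user_risk_policy()):
        print(p["displayName"], "->", validate_policy(p) or "OK")
        print(json.dumps(p, indent=2))
    print("high sign-in risk ->", evaluate_policy(build_sign_in_risk_policy(), sign_in_risk="high"))
    print("high user risk    ->", evaluate_policy(build_user_risk_policy(), user_risk="high"))
```

Both policies are emitted in report-only mode so the sign-in logs show what each policy would have done before it is switched to `enabled`; `evaluate_policy` only models the risk condition, whereas the real service also evaluates users, applications, locations and the other conditions on the policy.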

Professional Labs is the Best Cloud Managed Services Provider in Oman. For more details, contact us: Contact Us | Professional labs (prolabsit.com)