
Risk-Based Conditional Access

30 mins

Understanding the Concept

Microsoft Entra Identity Protection detects risk signals in real time and assigns risk levels to sign-ins and users. Conditional Access policies can use these risk levels to dynamically adjust access requirements - for example, requiring MFA for medium-risk sign-ins and blocking high-risk ones.

Sign-in risk assesses the probability that a given sign-in was not performed by the legitimate user. Signals include anonymous IP addresses, atypical travel, malware-linked IPs, and token anomalies. User risk represents the probability that a user's identity has been compromised.

Risk-based policies create an adaptive security posture that automatically responds to threats. Low-risk sign-ins proceed normally, medium-risk ones require additional verification, and high-risk ones are blocked until remediated. This balances security with productivity.

Key Points

  • Sign-in risk: Real-time assessment of each authentication attempt
  • User risk: Cumulative risk score based on compromised credentials, anomalies
  • Risk levels: None, Low, Medium, High - set by Identity Protection
  • Remediation: Force password change or MFA for risky users/sign-ins
  • Identity Protection requires Entra ID P2 license

Risk-Based Policy Flow

  • Step 1: Signal Collection - Billions of signals analyzed, including IP, behavior, and leaked credentials
  • Step 2: Risk Calculation - ML models determine sign-in and user risk levels
  • Step 3: Policy Match - CA policy evaluates risk level against configured threshold
  • Step 4: Adaptive Response - Allow, MFA, password change, or block based on risk
  • Step 5: Remediation - User self-remediates or admin investigates and resolves

Why This Matters in Real Organizations

Static security policies apply the same controls regardless of risk level. Risk-based policies adapt in real time, providing stronger security when threats are detected while reducing friction during normal operations. Organizations using risk-based CA see 60% fewer successful account compromises.

Common Mistakes to Avoid

  • Setting risk thresholds too low, causing excessive MFA prompts for low-risk events
  • Not configuring user risk remediation (password change) alongside sign-in risk policies
  • Ignoring risk detections in the Identity Protection dashboard
  • Not understanding that risk-based policies require P2 licensing
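
The following added example (not part of the original lesson) builds the three risk-based policies described above and lints a policy set for the first two mistakes in this list. Field names follow the Microsoft Graph conditionalAccessPolicy resource; the display names, the `ca_policy` and `lint` helpers, and the exclusion group ID are constructed placeholders.

```python
# Added example: lint Conditional Access policy bodies for threshold and remediation gaps.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource;
# display names and the exclusion group ID are constructed placeholders.

def ca_policy(name, controls, operator="OR", sign_in_risk=(), user_risk=(), state="enabled"):
    """Build a policy body scoped to all users and all cloud apps."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": list(sign_in_risk),
            "userRiskLevels": list(user_risk),
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }

def lint(policies):
    """Return findings for the enforced policies; report-only and disabled ones are ignored."""
    enforced = [p for p in policies if p["state"] == "enabled"]

    def covered(risk_key, level, control):
        return any(level in p["conditions"][risk_key]
                   and control in p["grantControls"]["builtInControls"] for p in enforced)

    findings = []
    if not covered("userRiskLevels", "high", "passwordChange"):
        findings.append("high user risk has no enforced password-change remediation")
    if not covered("signInRiskLevels", "high", "block"):
        findings.append("high sign-in risk is not blocked")
    for p in enforced:
        if "low" in p["conditions"]["signInRiskLevels"] and "mfa" in p["grantControls"]["builtInControls"]:
            findings.append(f"{p['displayName']}: MFA prompts at low sign-in risk")
    return findings

# The response mapping this lesson describes: medium -> MFA, high -> block,
# risky user -> password change (combined here with mfa under the AND operator).
BASELINE = [
    ca_policy("Sign-in risk medium: require MFA", ["mfa"], sign_in_risk=["medium"]),
    ca_policy("Sign-in risk high: block", ["block"], sign_in_risk=["high"]),
    ca_policy("User risk high: password change", ["mfa", "passwordChange"], "AND", user_risk=["high"]),
]

if __name__ == "__main__":
    for finding in lint(BASELINE) or ["no findings"]:
        print(finding)
```

A policy left in the `enabledForReportingButNotEnforced` state is treated as not enforced, so a user-risk policy that never left report-only mode is reported as a remediation gap.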

Interview Tips

  • Explain the difference between sign-in risk and user risk
  • Discuss how risk-based policies create adaptive security
  • Mention the types of risk detections Identity Protection can identify

Exam Tips (SC-300)

  • Know sign-in risk vs user risk and their risk levels
  • Understand risk remediation options (password change, MFA)
  • Know that risk-based CA requires Entra ID P2
