Information
Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the 'legacy method' for the following benefits:
Enhanced diagnostic data
Report-only mode integration
Graph API support
Use more Conditional Access attributes like sign-in frequency in the policy
Rationale:
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Impact:
When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.
Solution
To configure a Sign-In risk policy, use the following steps:
Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
Click expand Protection > Conditional Access select Policies.
Create a new policy by selecting New policy.
Set the following conditions within the policy.
Under Users or workload identities choose All users
Under Cloud apps or actions choose All cloud apps
Under Conditions choose Sign-in risk then Yes and check the risk level boxes High and Medium
Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication.
Under Session select Sign-in Frequency and set to Every time.
Click Select
You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
Click Create.
NOTE: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc