Day-12: Risk-Based Conditional Access in Microsoft 365
🎯 Objective of Day-12
By the end of Day-12, you will be able to:
- Explain risk concepts clearly
- Design risk-based CA policies
- Understand automatic access blocking
- Respond confidently to security incidents
1️⃣ What Is Risk in Microsoft 365?
Risk is Microsoft's estimate of the likelihood that an identity, a sign-in, or a device has been compromised. Identity Protection expresses it as Low, Medium, or High.
Microsoft calculates risk using:
- Sign-in behavior
- Device health
- Threat intelligence
- User activity patterns
2️⃣ Types of Risk (Very Important)
🔹 Sign-In Risk
Evaluates a single authentication request: how likely it is that this particular sign-in was not made by the account owner. It is scoped to that sign-in and can be calculated in real time (so CA can act on it during the sign-in) or offline.
Examples:
- Atypical (impossible) travel
- Anonymous IP address (for example, Tor or an anonymizer VPN)
- Unfamiliar sign-in properties
- Password spray
🔹 User Risk
Evaluates the account as a whole: how likely it is that the identity itself is compromised. It persists across sign-ins until it is remediated (secure password change) or dismissed by an admin.
Examples:
- Leaked credentials (found in a public or dark-web dump)
- Microsoft Entra threat intelligence (activity matching known attack patterns)
- Accumulated risky sign-ins (each risky sign-in also raises the user's risk)
🔹 Device Risk
Evaluates endpoint security posture. Conditional Access has no device-risk condition of its own; Defender's machine risk level reaches CA through Intune device compliance.
Source:
- Microsoft Defender for Endpoint (machine risk level: Low, Medium, High)
Examples:
- Active malware detection
- Exploit or post-exploitation behavior
- Unresolved high-severity alerts (the risk level is driven by active alerts, not by patch state)
3️⃣ Where Risk Comes From
| Risk Type | Source |
|---|---|
| Sign-in risk | Entra ID Identity Protection (real-time and offline detections) |
| User risk | Entra ID Identity Protection, aggregating risky sign-ins and Microsoft threat intelligence |
| Device risk | Defender for Endpoint, surfaced to CA as Intune device compliance |
📌 Conditional Access consumes these signals; it does not calculate them. The sign-in risk and user risk conditions require Microsoft Entra ID P2 (Identity Protection), so check licensing before designing the policies.
4️⃣ Risk-Based Conditional Access Concept
Flow:
User attempts sign-in
↓
Risk evaluated (user / sign-in / device compliance)
↓
Matching Conditional Access policies evaluated
↓
Access allowed, challenged (MFA or secure password change), or blocked
5️⃣ Common Risk-Based CA Policies
🔹 Require MFA for Medium-and-Above Sign-In Risk
- Protects against stolen credentials; this is Microsoft's baseline recommendation
🔹 Block High-Risk Sign-Ins
- Prevents account takeover; stricter than the MFA baseline, so expect help-desk calls from false positives
🔹 Require Secure Password Change for High User Risk
- The control that actually clears user risk (MFA plus password change, both required)
🔹 Block High-Risk Devices
- Stops malware-infected endpoints; implemented as "require compliant device" with an Intune compliance rule on the Defender machine risk level
6️⃣ Creating a Risk-Based CA Policy (Example)
Scenario: Block high sign-in risk
Steps:
- Entra admin center → Protection → Conditional Access → Policies → New policy
- Assignments → Users → Include All users; Exclude the break-glass accounts (or their group)
- Target resources → All resources (all cloud apps)
- Conditions → Sign-in risk → High
- Access controls → Grant → Block access
- Enable policy → Report-only, then Create
7️⃣ Report-Only Mode (Again: Critical)
Always validate before switching the policy to On. The sign-in logs (Conditional Access tab, result "Report-only: Failure") and the Conditional Access insights workbook answer:
- Who would have been blocked?
- Which apps and platforms are affected?
- Which hits are false positives (travelling users, VPN egress changes, shared NAT addresses)?
📌 Risk-based CA without testing = outages.
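The procedure in sections 5 to 7, as an added example that is not code from the original page: it creates the three baseline risk policies (the section 6 block policy, plus MFA for medium-and-above sign-in risk and password change for high user risk) in report-only mode with the Microsoft Graph PowerShell SDK, then pulls the report-only results out of the sign-in logs to answer the section 7 questions. Assumed and not from the page: the policy display names, the helper names New-RiskCaPolicy and Get-ReportOnlyImpact, and $BreakGlassGroupId, a placeholder for the object ID of your emergency-access group.

```powershell
# Added example, not code from the original page. Requires the Microsoft.Graph module and a
# Conditional Access Administrator (Entra ID P2 tenant for the risk conditions).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

# Hypothetical placeholder: object ID of the group that holds the break-glass accounts.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

function New-RiskCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [string[]] $SignInRiskLevels = @(),                    # any of 'low', 'medium', 'high'
        [string[]] $UserRiskLevels   = @(),
        [Parameter(Mandatory)] [string[]] $BuiltInControls,    # 'block', 'mfa', 'passwordChange', ...
        [ValidateSet('OR', 'AND')] [string] $Operator = 'OR'
    )
    $body = @{
        displayName = $DisplayName
        # Evaluated and written to the sign-in log, never enforced: the safe first state.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            clientAppTypes   = @('all')
            applications     = @{ includeApplications = @('All') }
            users            = @{
                includeUsers  = @('All')
                excludeGroups = @($BreakGlassGroupId)   # never lock out the break-glass accounts
            }
            signInRiskLevels = $SignInRiskLevels
            userRiskLevels   = $UserRiskLevels
        }
        grantControls = @{ operator = $Operator; builtInControls = $BuiltInControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Section 6 scenario: block high sign-in risk.
$blockHigh = New-RiskCaPolicy -DisplayName 'CA-Risk-01 Block high sign-in risk' `
    -SignInRiskLevels @('high') -BuiltInControls @('block')

# Microsoft's baseline pairings for the remaining risk levels.
New-RiskCaPolicy -DisplayName 'CA-Risk-02 MFA for medium and high sign-in risk' `
    -SignInRiskLevels @('medium', 'high') -BuiltInControls @('mfa') | Out-Null
# A secure password change must be combined with MFA, hence both controls joined with AND.
New-RiskCaPolicy -DisplayName 'CA-Risk-03 Password change for high user risk' `
    -UserRiskLevels @('high') -BuiltInControls @('mfa', 'passwordChange') -Operator 'AND' | Out-Null

function Get-ReportOnlyImpact {
    # Sign-ins the policy would have denied in the last $Days days. 'reportOnlyFailure' is the
    # result a report-only policy records when it would have blocked or failed the grant.
    param([Parameter(Mandatory)] [string] $PolicyId, [int] $Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # The sign-in log filter supports createdDateTime; the per-policy result is filtered client-side.
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object {
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure' }
        } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress, RiskLevelDuringSignIn
}

# Who would have been blocked, how often, and on which apps: the section 7 checklist.
$impact = Get-ReportOnlyImpact -PolicyId $blockHigh.Id -Days 7
$impact | Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count,
                  @{ n = 'Apps'; e = { ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', ' } }
```

Run the impact query for at least one full business week before flipping any of the three policies from report-only to enabled; a user who shows up repeatedly with the same app and IP address is usually a VPN egress or shared NAT, not an attacker, and belongs in the review before the policy goes live.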
8️⃣ How Device Risk Works with CA
Device infected → Defender raises the machine risk level to High
↓
Intune compliance policy (Defender risk threshold) marks the device noncompliant
↓
CA policy requiring a compliant device fails its grant control
↓
Access blocked automatically; restored once the alerts are resolved, the risk level drops and the device re-evaluates as compliant
📌 No admin action is required to block. The chain only works if the Defender for Endpoint connector is enabled in Intune and a compliance policy actually uses the Defender risk setting.
9️⃣ Real-World Scenario
Incident:
User laptop infected with malware.
What happens automatically:
- Defender flags the device as High risk
- Intune marks it noncompliant; CA blocks M365 access from that device
- SOC/admin remediates (isolate, clean, resolve the Defender alerts)
- Risk level drops and the device syncs back to compliant
- Access restored
✅ Fast
✅ Automated
✅ Secure
Note that the block is per device: the same user's other compliant devices keep working, which is why a separate user-risk policy is still needed if credentials were stolen from the infected machine.
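The chain in sections 8 and 9, as an added example that is not code from the original page: it creates the Intune compliance policy that turns a High Defender machine risk level into noncompliance, creates the Conditional Access policy that requires a compliant Windows device (report-only first), and then lists the devices that chain is currently blocking, which is the same list you re-run after remediation to confirm access is back. Assumed and not from the page: the policy names, the helper name Get-NoncompliantDevice, $BreakGlassGroupId as a placeholder group object ID, and that the Defender for Endpoint connector is already enabled under Intune admin center → Endpoint security → Microsoft Defender for Endpoint.

```powershell
# Added example, not code from the original page. Requires the Microsoft.Graph module,
# an Intune Administrator for the compliance policy and a Conditional Access Administrator.
$scopes = @('DeviceManagementConfiguration.ReadWrite.All',
            'DeviceManagementManagedDevices.Read.All',
            'Policy.ReadWrite.ConditionalAccess')
Connect-MgGraph -Scopes $scopes

# Hypothetical placeholder: object ID of the group that holds the break-glass accounts.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# 1. Intune compliance policy: the device must be at or under Medium Defender machine risk,
#    so a device Defender rates High becomes noncompliant.
$compliance = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Windows - Defender risk at or under Medium'
    description   = 'Noncompliant when Microsoft Defender for Endpoint reports High machine risk'
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'   # secured | low | medium | high
    # Intune requires at least one action per policy; 'block' with a 0-hour grace period
    # marks the device noncompliant at the next compliance evaluation instead of after a delay.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# Assign to all devices; swap in a groupAssignmentTarget with a groupId for a pilot ring.
Invoke-MgAssignDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $policy.Id -BodyParameter @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}

# 2. Conditional Access: Windows sign-ins need a compliant device. Report-only first.
$ca = @{
    displayName = 'CA-Device-01 Require compliant Windows device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        platforms      = @{ includePlatforms = @('windows') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca | Out-Null

# 3. Check: devices that are noncompliant right now are the ones the CA policy blocks once
#    enforced. After the SOC resolves the Defender alerts and the device syncs, it drops
#    off this list and access is restored without anyone touching Conditional Access.
function Get-NoncompliantDevice {
    Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All |
        Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, LastSyncDateTime
}
Get-NoncompliantDevice | Format-Table
```

The Conditional Access policy is scoped to the Windows platform on purpose: report-only policies that require a compliant device can prompt users on macOS, iOS and Android to pick a device certificate during evaluation, so widen the platform list only after the Windows rollout has been validated.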
🔟 Common Admin Mistakes
❌ Identity Protection not licensed (Entra ID P2), so the risk conditions silently never match
❌ No break-glass account, or break-glass accounts not excluded from the risk policies
❌ Applying block policies tenant-wide on day one with no pilot group
❌ Ignoring report-only results
1️⃣1️⃣ Best Practices Checklist
✅ Confirm Entra ID P2 licensing so Identity Protection risk data is available
✅ Use report-only first
✅ Exclude emergency accounts
✅ Review risky users, risky sign-ins and report-only results regularly
✅ Document incident workflows
1️⃣2️⃣ Zero Trust Alignment
Risk-based CA supports:
- Verify explicitly
- Assume breach
- Adaptive access control
📌 This is Zero Trust in action, not theory.
✅ End of Day-12 Outcome
You can now:
✅ Explain risk-based access clearly
✅ Design adaptive CA policies
✅ Respond to security incidents confidently
✅ Connect Defender, Intune & Entra ID
📅 Day-13 Preview
Day-13: Incident Response in Microsoft 365
- Investigating sign-in incidents
- Using logs effectively
- Containment & recovery steps
- Admin + SOC collaboration
