{"id":363,"date":"2026-02-19T15:45:34","date_gmt":"2026-02-19T15:45:34","guid":{"rendered":"https:\/\/myallcodes.in\/?p=363"},"modified":"2026-02-19T15:45:35","modified_gmt":"2026-02-19T15:45:35","slug":"day-12-risk-based-conditional-access-deep-admin-guide","status":"publish","type":"post","link":"https:\/\/myallcodes.in\/index.php\/2026\/02\/19\/day-12-risk-based-conditional-access-deep-admin-guide\/","title":{"rendered":"Day-12: Risk-Based Conditional Access (Deep Admin Guide)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Day-12: Risk-Based Conditional Access in Microsoft 365<\/strong><\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83c\udfaf Objective of Day-12<\/h2>\n\n\n\n<p>By the end of Day-12, you will be able to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Explain risk concepts clearly<\/li>\n\n\n\n<li>Design risk-based CA policies<\/li>\n\n\n\n<li>Understand automatic access blocking<\/li>\n\n\n\n<li>Respond confidently to security incidents<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">1\ufe0f\u20e3 What Is Risk in Microsoft 365?<\/h2>\n\n\n\n<p>Risk is a <strong>probability that an identity or device is compromised<\/strong>.<\/p>\n\n\n\n<p>Microsoft calculates risk using:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sign-in behavior<\/li>\n\n\n\n<li>Device health<\/li>\n\n\n\n<li>Threat intelligence<\/li>\n\n\n\n<li>User activity patterns<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2\ufe0f\u20e3 Types of Risk (Very Important)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd39 Sign-In Risk<\/h3>\n\n\n\n<p>Evaluates <strong>a specific login attempt<\/strong>.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Impossible travel<\/li>\n\n\n\n<li>Anonymous IP<\/li>\n\n\n\n<li>Suspicious login behavior<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd39 User Risk<\/h3>\n\n\n\n<p>Evaluates <strong>overall user account compromise<\/strong>.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Credentials leaked<\/li>\n\n\n\n<li>Malware activity<\/li>\n\n\n\n<li>Password spray detection<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd39 Device Risk<\/h3>\n\n\n\n<p>Evaluates <strong>endpoint security posture<\/strong>.<\/p>\n\n\n\n<p>Source:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Defender for Endpoint<\/li>\n<\/ul>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malware detected<\/li>\n\n\n\n<li>Exploit behavior<\/li>\n\n\n\n<li>Outdated security state<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3\ufe0f\u20e3 Where Risk Comes From<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Risk Type<\/th><th>Source<\/th><\/tr><\/thead><tbody><tr><td>Sign-in risk<\/td><td>Entra ID Identity Protection<\/td><\/tr><tr><td>User risk<\/td><td>Entra ID + Microsoft threat intel<\/td><\/tr><tr><td>Device risk<\/td><td>Defender for Endpoint<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\ud83d\udccc Conditional Access consumes these signals \u2014 it does not calculate them.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4\ufe0f\u20e3 Risk-Based Conditional Access Concept<\/h2>\n\n\n\n<p>Flow:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User attempts sign-in\n   \u2193\nRisk evaluated (user \/ sign-in \/ device)\n   \u2193\nConditional Access policy triggered\n   \u2193\nAccess allowed, challenged, or blocked\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5\ufe0f\u20e3 Common Risk-Based CA Policies<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd39 Require MFA for Medium Risk<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protects against stolen credentials<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd39 Block High-Risk Sign-Ins<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prevents account takeover<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd39 Block High-Risk Devices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stops malware-infected endpoints<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6\ufe0f\u20e3 Creating a Risk-Based CA Policy (Example)<\/h2>\n\n\n\n<p><strong>Scenario:<\/strong> Block high sign-in risk<\/p>\n\n\n\n<p><strong>Steps:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Entra Admin Center \u2192 Conditional Access<\/li>\n\n\n\n<li>Create new policy<\/li>\n\n\n\n<li>Users \u2192 Select users (exclude break-glass)<\/li>\n\n\n\n<li>Conditions \u2192 Sign-in risk \u2192 High<\/li>\n\n\n\n<li>Grant \u2192 Block access<\/li>\n\n\n\n<li>Enable in <strong>Report-only<\/strong> first<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7\ufe0f\u20e3 Report-Only Mode (Again \u2014 Critical)<\/h2>\n\n\n\n<p>Always validate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who would be blocked?<\/li>\n\n\n\n<li>Which apps affected?<\/li>\n\n\n\n<li>False positives?<\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udccc Risk-based CA without testing = outages.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8\ufe0f\u20e3 How Device Risk Works with CA<\/h2>\n\n\n\n<p>Device infected \u2192 Defender reports <strong>High risk<\/strong><br>\u2193<br>Intune syncs status<br>\u2193<br>CA evaluates device risk<br>\u2193<br>Access blocked automatically<\/p>\n\n\n\n<p>\ud83d\udccc No admin action required.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9\ufe0f\u20e3 Real-World Scenario<\/h2>\n\n\n\n<p><strong>Incident:<\/strong><br>User laptop infected with malware.<\/p>\n\n\n\n<p><strong>What happens automatically:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender flags device as High risk<\/li>\n\n\n\n<li>CA blocks M365 access<\/li>\n\n\n\n<li>SOC\/admin remediates device<\/li>\n\n\n\n<li>Risk reduced<\/li>\n\n\n\n<li>Access restored<\/li>\n<\/ul>\n\n\n\n<p>\u2714 Fast<br>\u2714 Automated<br>\u2714 Secure<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd1f Common Admin Mistakes<\/h2>\n\n\n\n<p>\u274c No Identity Protection enabled<br>\u274c No break-glass account<br>\u274c Applying block policies tenant-wide<br>\u274c Ignoring report-only results<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">1\ufe0f\u20e31\ufe0f\u20e3 Best Practices Checklist<\/h2>\n\n\n\n<p>\u2714 Enable Identity Protection<br>\u2714 Use report-only first<br>\u2714 Exclude emergency accounts<br>\u2714 Monitor sign-in logs daily<br>\u2714 Document incident workflows<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">1\ufe0f\u20e32\ufe0f\u20e3 Zero Trust Alignment<\/h2>\n\n\n\n<p>Risk-based CA supports:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verify explicitly<\/li>\n\n\n\n<li>Assume breach<\/li>\n\n\n\n<li>Adaptive access control<\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udccc This is Zero Trust <strong>in action<\/strong>, not theory.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 End of Day-12 Outcome<\/h2>\n\n\n\n<p>You can now:<br>\u2714 Explain risk-based access clearly<br>\u2714 Design adaptive CA policies<br>\u2714 Respond to security incidents confidently<br>\u2714 Connect Defender, Intune &amp; Entra ID<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd1c <strong>Day-13 Preview<\/strong><\/h2>\n\n\n\n<p><strong>Day-13: Incident Response in Microsoft 365<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Investigating sign-in incidents<\/li>\n\n\n\n<li>Using logs effectively<\/li>\n\n\n\n<li>Containment &amp; recovery steps<\/li>\n\n\n\n<li>Admin + SOC collaboration<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Day-12: Risk-Based Conditional Access in Microsoft 365 \ud83c\udfaf Objective of Day-12 By the end of Day-12, you will be able to: 1\ufe0f\u20e3 What Is Risk in Microsoft 365? Risk is a probability that an identity or device is compromised. Microsoft calculates risk using: 2\ufe0f\u20e3 Types of Risk (Very Important) \ud83d\udd39 Sign-In Risk Evaluates a specific\u2026 <span class=\"read-more\"><a href=\"https:\/\/myallcodes.in\/index.php\/2026\/02\/19\/day-12-risk-based-conditional-access-deep-admin-guide\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-363","post","type-post","status-publish","format-standard","hentry","category-power-shell-scripts"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/posts\/363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/comments?post=363"}],"version-history":[{"count":1,"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/posts\/363\/revisions"}],"predecessor-version":[{"id":364,"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/posts\/363\/revisions\/364"}],"wp:attachment":[{"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/media?parent=363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/categories?post=363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myallcodes.in\/index.php\/wp-json\/wp\/v2\/tags?post=363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}