There are two types of risk policies you can set up in Microsoft Entra Conditional Access. You can use these policies to automate the response to risk and let users self-remediate when risk is detected:
- User risk policy
- Sign-in risk policy

Prerequisites
- The Microsoft Entra ID P2 or Microsoft Entra Suite license is required for full access to Microsoft Entra ID Protection features.
- For a detailed list of capabilities for each license tier, see What is Microsoft Entra ID Protection.
 
- The Conditional Access Administrator role is the least privileged role required to create or edit Conditional Access policies.
Choosing acceptable risk levels
Organizations must decide the risk level at which they want to require access control, balancing user experience against security posture.
Applying access control only at the High risk level reduces the number of times a policy is triggered and minimizes friction for users. However, it leaves Low and Medium risk out of the policy, which might not stop an attacker from using a compromised identity. Requiring access control at the Low risk level introduces more user interruptions.
Configured trusted network locations are used by Microsoft Entra ID Protection in some risk detections to reduce false positives.
The policy configurations that follow include the sign-in frequency session control requiring a reauthentication for risky users and sign-ins.
Microsoft's recommendation
Microsoft recommends the following risk policy configurations to protect your organization:
- User risk policy
- Require a secure password change when user risk level is High. Microsoft Entra multifactor authentication is required before the user can create a new password with password writeback to remediate their risk.
- A secure password change using self-service password reset is the only way to self-remediate user risk, regardless of the risk level.
 
- Sign-in risk policy
- Require Microsoft Entra multifactor authentication when sign-in risk level is Medium or High, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.
- A successful multifactor authentication is the only way to self-remediate the sign-in risk, regardless of the risk level.
 
Requiring access control at the Low risk level introduces more friction and user interruptions than Medium or High. Choosing to block access rather than allowing self-remediation options, like secure password change and multifactor authentication, affects your users and administrators even more. Weigh these choices when configuring your policies.
Risk remediation
Organizations can choose to block access when risk is detected. Blocking sometimes stops legitimate users from doing what they need to. A better solution is to configure user and sign-in risk-based Conditional Access policies that allow users to self-remediate.
Warning
Users must register for Microsoft Entra multifactor authentication before they face a situation requiring remediation. For hybrid users that are synced from on-premises, password writeback must be enabled. Users not registered are blocked and require administrator intervention.
A regular password change (I know my password and want to change it to something new) made outside the risky user policy remediation flow doesn't meet the requirement for a secure password change.
Enable policies
Organizations can choose to deploy risk-based policies in Conditional Access using the following steps or use Conditional Access templates.
Before organizations enable these policies, they should take action to investigate and remediate any active risks.
Policy exclusions
Conditional Access policies are powerful tools. We recommend excluding the following accounts from your policies:
- Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario where all administrators are locked out, your emergency access administrative account can be used to sign in and recover access.
- More information can be found in the article, Manage emergency access accounts in Microsoft Entra ID.
 
- Service accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are noninteractive accounts that aren't tied to any specific user. They're typically used by backend services to allow programmatic access to applications, but they're also used to sign in to systems for administrative purposes. Calls made by service principals aren't blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies that target service principals.
- If your organization uses these accounts in scripts or code, replace them with managed identities.
 
User risk policy in Conditional Access
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Select Done.
 
- Under Cloud apps or actions > Include, select All resources (formerly 'All cloud apps').
- Under Conditions > User risk, set Configure to Yes.
- Under Configure user risk levels needed for policy to be enforced, select High. This guidance is based on Microsoft's recommendations and might be different for each organization.
- Select Done.
 
- Under Access controls > Grant, select Grant access.
- Select Require authentication strength, then select the built-in 'Multifactor authentication' authentication strength from the list.
- Select Require password change.
- Select Select.
 
- Under Session:
- Select Sign-in frequency.
- Ensure Every time is selected.
- Select Select.
 
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create your policy.
After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.
Passwordless scenarios
For organizations that adopt passwordless authentication methods make the following changes:
Update your passwordless user risk policy
- Under Users:
- Include, select Users and groups and target your passwordless users.
 
- Under Access controls, select Block access for passwordless users.
Tip
You might need to have two policies for a period of time while deploying passwordless methods.
- One that allows self-remediation for those not using passwordless methods.
- Another that blocks passwordless users at high risk.
Remediate and unblock passwordless user risk
- Require administrator investigation and remediation of any risk.
- Unblock the user.
Sign-in risk policy in Conditional Access
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Select Done.
 
- Under Cloud apps or actions > Include, select All resources (formerly 'All cloud apps').
- Under Conditions > Sign-in risk, set Configure to Yes.
- Under Select the sign-in risk level this policy will apply to, select High and Medium. This guidance is based on Microsoft's recommendations and might be different for each organization.
- Select Done.
 
- Under Access controls > Grant, select Grant access.
- Select Require authentication strength, then select the built-in 'Multifactor authentication' authentication strength from the list.
- Select Select.
 
- Under Session:
- Select Sign-in frequency.
- Ensure Every time is selected.
- Select Select.
 
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create your policy.
After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.
Passwordless scenarios
For organizations that adopt passwordless authentication methods make the following changes:
Update your passwordless sign-in risk policy
- Under Users:
- Include, select Users and groups and target your passwordless users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Select Done.
 
- Under Cloud apps or actions > Include, select All resources (formerly 'All cloud apps').
- Under Conditions > Sign-in risk, set Configure to Yes.
- Under Select the sign-in risk level this policy will apply to, select High and Medium. For more information on risk levels, see Choosing acceptable risk levels.
- Select Done.
 
- Under Access controls > Grant, select Grant access.
- Select Require authentication strength, then select the built-in 'Passwordless MFA' or 'Phishing-resistant MFA' authentication strength, based on which methods the targeted users have registered.
- Select Select.
 
- Under Session:
- Select Sign-in frequency.
- Ensure Every time is selected.
- Select Select.
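The click-through steps above (the user risk policy, the sign-in risk policy, and their passwordless variants) each correspond to one Microsoft Graph conditionalAccessPolicy object. The following Python builds those request bodies and lints them for the pitfalls this article calls out (break-glass exclusion, report-only first, password change combined with MFA, sign-in frequency set to every time). It is an added example, not the article's or Microsoft's own code. Property names follow the Graph conditionalAccessPolicy resource; the built-in authentication strength IDs are the well-known GUIDs, which you should verify in your own tenant; the break-glass and passwordless-group object IDs are constructed placeholders, and the helper names (_base_policy, lint, and so on) are my own.

```python
"""Build the recommended risk policies as Microsoft Graph request bodies
(POST /identity/conditionalAccess/policies). Added example, not the article's
own code; property names follow the Graph conditionalAccessPolicy resource,
object IDs are constructed placeholders."""
import json

# Built-in authentication strength policy IDs: well-known values, verify in your tenant.
AUTH_STRENGTH = {
    "mfa": "00000000-0000-0000-0000-000000000002",
    "passwordless_mfa": "00000000-0000-0000-0000-000000000003",
    "phishing_resistant_mfa": "00000000-0000-0000-0000-000000000004",
}
BREAK_GLASS = ["11111111-1111-1111-1111-111111111111"]        # placeholder object IDs
PASSWORDLESS_GROUP = "22222222-2222-2222-2222-222222222222"


def _base_policy(name, include_users=(), include_groups=(), exclude_users=BREAK_GLASS):
    """Shared skeleton: all resources, report-only, sign-in frequency 'every time'."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",        # report-only first
        "conditions": {
            "users": {"includeUsers": list(include_users),
                      "includeGroups": list(include_groups),
                      "excludeUsers": list(exclude_users)},  # break-glass accounts
            "applications": {"includeApplications": ["All"]},
        },
        "sessionControls": {"signInFrequency": {
            "isEnabled": True, "frequencyInterval": "everyTime",
            "authenticationType": "primaryAndSecondaryAuthentication",
            "type": None, "value": None}},
    }


def user_risk_policy(exclude_users=BREAK_GLASS):
    """High user risk -> MFA strength AND secure password change (self-remediation)."""
    p = _base_policy("CA - User risk High - MFA + password change", ["All"], (), exclude_users)
    p["conditions"]["userRiskLevels"] = ["high"]
    p["grantControls"] = {"operator": "AND",                 # require all selected controls
                          "builtInControls": ["passwordChange"],
                          "authenticationStrength": {"id": AUTH_STRENGTH["mfa"]}}
    return p


def sign_in_risk_policy(strength="mfa", include_users=("All",), include_groups=(),
                        exclude_users=BREAK_GLASS):
    """Medium/High sign-in risk -> authentication strength. Passwordless variant:
    strength='passwordless_mfa' or 'phishing_resistant_mfa', scoped to a group."""
    p = _base_policy(f"CA - Sign-in risk Medium+High - {strength}",
                     include_users, include_groups, exclude_users)
    p["conditions"]["signInRiskLevels"] = ["high", "medium"]
    p["grantControls"] = {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": AUTH_STRENGTH[strength]}}
    return p


def passwordless_user_risk_policy(group_id=PASSWORDLESS_GROUP, exclude_users=BREAK_GLASS):
    """High user risk for passwordless users -> block; an admin remediates, then unblocks."""
    p = _base_policy("CA - User risk High - passwordless block", (), [group_id], exclude_users)
    p["conditions"]["userRiskLevels"] = ["high"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def lint(policy):
    """Pre-flight checks for the pitfalls the article calls out; returns a list of findings."""
    c, g = policy["conditions"], policy.get("grantControls", {})
    sif = policy.get("sessionControls", {}).get("signInFrequency", {})
    findings = []
    if not c["users"].get("excludeUsers"):
        findings.append("no break-glass accounts excluded")
    if policy["state"] == "enabled":
        findings.append("policy does not start in report-only mode")
    if "passwordChange" in g.get("builtInControls", []) and (
            g.get("operator") != "AND" or not g.get("authenticationStrength")):
        findings.append("password change must be ANDed with an MFA authentication strength")
    if "userRiskLevels" in c and "high" not in c["userRiskLevels"]:
        findings.append("user risk policy does not cover High")
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("sign-in frequency is not 'every time'")
    return findings


if __name__ == "__main__":
    for pol in (user_risk_policy(), sign_in_risk_policy(),
                sign_in_risk_policy("phishing_resistant_mfa", (), [PASSWORDLESS_GROUP]),
                passwordless_user_risk_policy()):
        print(pol["displayName"], "->", lint(pol) or "OK")
    print(json.dumps(user_risk_policy(), indent=2))   # body to POST to Graph
```

Running the script prints the lint result for each policy and the JSON body of the user risk policy. POST that body to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission (or pass it as -BodyParameter to New-MgIdentityConditionalAccessPolicy in the Microsoft Graph PowerShell SDK). Every policy is created in report-only state; switching it to enabled is a separate, deliberate change once you've reviewed the report-only results.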
 
Migrate risk policies to Conditional Access
If you have legacy risk policies enabled in Microsoft Entra ID Protection, you should plan to migrate them to Conditional Access:
Warning
The legacy risk policies configured in Microsoft Entra ID Protection will be retired on October 1, 2026.
Migrate to Conditional Access
- Create equivalent user risk-based and sign-in risk-based policies in Conditional Access in report-only mode. You can create a policy using the previous steps or using Conditional Access templates, based on Microsoft's recommendations and your organizational requirements.
- After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
 
- Disable the old risk policies in ID Protection.
- Browse to ID Protection > Dashboard > Select the User risk or Sign-in risk policy.
- Set Enforce policy to Disabled.
 
- Create other risk policies if needed in Conditional Access.