This chapter covers Azure AD Identity Protection Risk Policies, a critical component of identity security in Microsoft Entra ID. For the AZ-104 exam, understanding risk policies is essential as it directly maps to domain 'Identity Governance' and objective 1.1. Approximately 10-15% of exam questions touch on identity protection, risk policies, and related conditional access. You will learn how to configure user risk and sign-in risk policies, interpret risk detections, and integrate with Conditional Access to protect your Azure AD tenant.
Jump to a section
Imagine a bank with a security guard at the entrance. The guard has a watchlist of suspicious behaviors: someone entering with a ski mask, someone trying to open the vault without authorization, or someone using a keycard that was reported stolen. When a person approaches, the guard checks their appearance and actions against the watchlist. If a match is found, the guard triggers an alarm and blocks entry; otherwise, the person is allowed in. The guard also has a list of trusted customers who have pre-approved access, but if a trusted customer suddenly tries to enter at 3 AM, that raises a flag. This is exactly how Azure AD Identity Protection Risk Policies work: they define conditions (risk level) and actions (block access or require MFA). The 'watchlist' is the risk detection signals from Microsoft's threat intelligence. The guard's decision is the policy enforcement. Just as the guard can escalate to a manager (admin), the policy can require user to self-remediate or trigger an admin alert.
What is Identity Protection and Why It Exists
Azure AD Identity Protection is a feature of Microsoft Entra ID that detects, investigates, and remediates identity-based risks. It uses machine learning and Microsoft's vast threat intelligence to identify suspicious activities such as leaked credentials, impossible travel, anonymous IP addresses, and atypical sign-ins. Risk policies are automated responses to these detections, allowing administrators to block access or force additional verification (like MFA) when a certain risk level is detected. The goal is to prevent attackers from exploiting compromised identities before damage occurs.
How It Works Internally
Identity Protection operates by analyzing sign-in events and user behavior in real-time. It assigns a risk level (Low, Medium, High) to each sign-in and to each user based on aggregated detections. The risk level is calculated using a combination of real-time and offline detections. Real-time detections happen at the time of sign-in (e.g., anonymous IP address), while offline detections are processed later (e.g., leaked credentials). The risk levels are:
Low: Minimal risk, likely benign.
Medium: Some suspicion, but not conclusive.
High: Strong evidence of compromise.
When a policy is configured, it evaluates these risk levels. For example, a sign-in risk policy might be set to 'Medium and above' to require MFA. The policy is enforced during the authentication process via Conditional Access. Conditional Access evaluates the policy conditions (including risk level) and then applies controls (grant access, require MFA, block access).
Key Components, Values, Defaults, and Timers
- User Risk Policy: Targets users who have been flagged as compromised. Default risk level is 'High'. Actions: Block access or allow access with password change. - Sign-in Risk Policy: Targets individual sign-in attempts. Default risk level is 'Medium and above'. Actions: Block access or allow access with MFA. - Risk Detections: There are two types: - Real-time: Detected during sign-in (e.g., anonymous IP address, atypical travel, unfamiliar sign-in properties, malware linked IP address, password spray, brute force attack). - Offline: Detected after sign-in (e.g., leaked credentials, impossible travel, suspicious inbox forwarding rules, mass access to sensitive files). - Risk Levels: Low, Medium, High. Also 'No risk' and 'Unknown'. - Investigation: Administrators can review risk detections in the Azure portal under 'Security' > 'Identity Protection' > 'Risk detections'. Each detection includes details like detection timing, risk level, and whether it was real-time or offline. - Remediation: Users can self-remediate by performing MFA or changing password. Admins can dismiss risk or confirm compromise. - Timers: Risk detections are stored for up to 30 days. User risk is calculated based on detections within a rolling window (typically 14 days).
Configuration and Verification Commands
Policies are configured in the Azure portal under 'Azure Active Directory' > 'Security' > 'Identity Protection' > 'User risk policy' or 'Sign-in risk policy'. Alternatively, using Microsoft Graph API or PowerShell:
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskEvent.ReadWrite.All"
# Get user risk policies
Get-MgIdentityProtectionUserRiskPolicy
# Update user risk policy to block high risk users
Update-MgIdentityProtectionUserRiskPolicy -UserRiskPolicyId "policy-id" -IsEnabled $true -RiskLevelForRisk "high" -GrantControls @{operator="OR"; builtInControls=@("block")}For sign-in risk policy:
# Get sign-in risk policy
Get-MgIdentityProtectionSignInRiskPolicy
# Update to require MFA for medium and above
Update-MgIdentityProtectionSignInRiskPolicy -SignInRiskPolicyId "policy-id" -IsEnabled $true -RiskLevelForRisk "medium","high" -GrantControls @{operator="OR"; builtInControls=@("mfa")}How It Interacts with Related Technologies
Identity Protection integrates tightly with Conditional Access. Conditional Access policies can include 'Sign-in risk' and 'User risk' as conditions. This allows combining risk with other signals like location, device compliance, and application sensitivity. For example, a policy might require MFA for high-risk sign-ins but only from non-compliant devices. Additionally, Identity Protection feeds into Microsoft Defender for Cloud Apps for session control and investigation. It also integrates with Microsoft Sentinel for advanced threat hunting.
Common Traps and Misconfigurations
Trap: Setting user risk policy to 'Block access' without providing a way for legitimate users to recover. If a legitimate user is incorrectly flagged as high risk, they will be permanently blocked. Solution: Use 'Allow access with password change' instead, which forces the user to change their password and reduces their risk.
Trap: Enabling both user risk and sign-in risk policies without understanding the difference. User risk is about the account's history, sign-in risk is about the current session. Both can be used together.
Trap: Not testing policies with a small pilot group first. Always use 'Report-only' mode in Conditional Access to evaluate impact before enabling.
Exam-Relevant Numbers and Terms
Default risk level for user risk policy: High
Default risk level for sign-in risk policy: Medium and above
Risk detection types: 12+ types including 'Leaked Credentials', 'Impossible Travel', 'Anonymous IP address', etc.
Remediation actions: Block, Allow with MFA, Allow with password change
Policy states: Enabled, Disabled, Report-only (via Conditional Access)
Licensing: Azure AD Premium P2 required for Identity Protection.
Enable Identity Protection
Before configuring risk policies, ensure your tenant has Azure AD Premium P2 licenses assigned to all users. Navigate to Azure Active Directory > Security > Identity Protection. If not already enabled, you may need to enable the service. This step is typically automatic with P2 licensing, but verify that risk detections are being recorded. You can check by reviewing recent risk detections in the same blade.
Review Risk Detections
Go to Azure Active Directory > Security > Identity Protection > Risk detections. Here you will see a list of detections with details such as detection timing, risk level, user, sign-in activity, and detection type. Familiarize yourself with the different detection types: Leaked Credentials, Impossible Travel, Anonymous IP address, Unfamiliar sign-in properties, etc. Understanding these helps in configuring appropriate policies.
Configure User Risk Policy
In Identity Protection, select 'User risk policy'. Set the assignment to 'All users' or specific groups. Choose the risk level threshold: Low, Medium, or High. For production, start with 'High' to minimize false positives. Under 'Access', choose 'Allow access' and 'Require password change' (recommended) or 'Block access'. Save the policy. This policy will trigger when a user's risk level reaches the threshold based on accumulated detections.
Configure Sign-in Risk Policy
Similarly, configure 'Sign-in risk policy'. Set assignment to all users or specific groups. Choose risk level: Low, Medium, or High. For production, start with 'Medium and above'. Under 'Access', choose 'Allow access' and 'Require multifactor authentication' (recommended) or 'Block access'. Save. This policy triggers on each sign-in attempt if the sign-in risk level meets the threshold.
Integrate with Conditional Access
For finer control, create a Conditional Access policy that includes 'Sign-in risk' or 'User risk' as conditions. For example, go to Azure Active Directory > Security > Conditional Access > New policy. Assign to users and apps. Under 'Conditions', select 'Sign-in risk' and configure the risk level. Under 'Grant', choose 'Require multifactor authentication'. Set policy to 'Report-only' initially to test. Once validated, enable it. This allows combining risk with other conditions like location or device state.
Monitor and Remediate
After policies are enabled, monitor risk detections and user risk levels. Use the 'Risky users' and 'Risk detections' reports. For users flagged as high risk, you can manually dismiss the risk if it's a false positive, or confirm compromise. Users can self-remediate by performing MFA or password change. Regularly review and adjust risk level thresholds based on false positive rates.
Enterprise Scenario 1: Protecting Against Leaked Credentials
A large enterprise with 50,000 users uses Azure AD Identity Protection to detect leaked credentials. They enable the user risk policy set to 'High' and require password change. When a user's credentials appear on the dark web, Identity Protection flags the user as high risk. The next time the user signs in, they are forced to change their password. This prevents attackers from using stolen credentials. In production, the admin must ensure that the password change flow works seamlessly with self-service password reset (SSPR) enabled. A common misconfiguration is not enabling SSPR, causing users to be stuck and call helpdesk. Scale considerations: For large tenants, risk detections may have a delay of up to 15 minutes for offline detections. The admin should monitor the 'Risky users' report daily to handle false positives.
Enterprise Scenario 2: Blocking Impossible Travel Attacks
A global company with users traveling frequently uses sign-in risk policy to block impossible travel detections. Impossible travel occurs when a user signs in from two locations too far apart given the time difference. The policy is set to 'Medium and above' and 'Block access'. A real-world example: A user signs in from New York, then 10 minutes later from Tokyo. The sign-in risk policy blocks the second sign-in. However, legitimate users who use VPNs may trigger false positives. To mitigate, the admin can add trusted locations (corporate IP ranges) to Conditional Access and exclude those locations from the risk policy. The admin must also educate users about the policy to avoid frustration. Performance: The detection is real-time for impossible travel, so blocking happens immediately.
Enterprise Scenario 3: Requiring MFA for Anonymous IP Addresses
A company wants to require MFA when users sign in from anonymous IP addresses (e.g., Tor, VPN). They create a Conditional Access policy with condition 'Sign-in risk' set to 'Medium and above' and grant control 'Require MFA'. This policy is applied to all users. In production, the admin must ensure that MFA is already registered for all users. If a user has not registered, they will be blocked. The admin should set up a registration campaign to encourage MFA enrollment. A common mistake is not excluding emergency access accounts (break-glass accounts) from the policy, potentially locking out admins. The admin should also use 'Report-only' mode initially to see how many sign-ins would be affected.
AZ-104 Exam Focus on Identity Protection Risk Policies
The AZ-104 exam objective 1.1 'Manage identities in Microsoft Entra ID' includes configuring and managing Identity Protection. Specifically, you need to know:
The difference between user risk and sign-in risk policies.
The default risk levels: User risk policy defaults to 'High', sign-in risk policy defaults to 'Medium and above'.
The actions available: Block, Allow with MFA (sign-in risk), Allow with password change (user risk).
How risk policies integrate with Conditional Access.
The licensing requirement: Azure AD Premium P2.
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: 'User risk policy blocks access to applications for high-risk users.' Why chosen: Candidates confuse user risk policy with sign-in risk policy. Actually, user risk policy can block access or require password change, but the typical recommended action is password change, not blocking.
Wrong answer: 'Sign-in risk policy requires password change.' Why chosen: Candidates mix up the actions. Sign-in risk policy actions are block or require MFA, not password change.
Wrong answer: 'Risk policies are available with Azure AD Premium P1.' Why chosen: P1 includes Conditional Access but not Identity Protection. P2 is required for risk policies.
Wrong answer: 'Risk levels are Low, Medium, High, and Critical.' Why chosen: There is no 'Critical' risk level. The levels are Low, Medium, High, plus 'No risk' and 'Unknown'.
Specific Numbers and Terms That Appear on the Exam
Risk detection types: 'Leaked Credentials', 'Impossible Travel', 'Anonymous IP address', 'Unfamiliar sign-in properties', 'Password Spray', 'Brute Force Attack', 'Malware linked IP address', 'Atypical travel', 'Suspicious inbox forwarding rules', 'Mass access to sensitive files'.
Default risk level for user risk policy: High.
Default risk level for sign-in risk policy: Medium and above.
Actions: 'Block access', 'Allow access with password change', 'Allow access with MFA'.
Licensing: Azure AD Premium P2.
Integration: Conditional Access, Microsoft Defender for Cloud Apps, Microsoft Sentinel.
Edge Cases and Exceptions
If a user is flagged as high risk but the policy is set to 'Allow access with password change', the user must change password at next sign-in. If the user does not change password, the risk remains.
Risk policies can be scoped to specific users or groups, not just all users.
Report-only mode is available via Conditional Access, not directly in Identity Protection policies.
Identity Protection does not protect against all attacks; it only detects known patterns.
Risk detections can be dismissed manually by an admin, but that does not prevent future detections.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When faced with a question about risk policy actions, recall that user risk is about the account's history, so the remediation is password change. Sign-in risk is about the current session, so the remediation is MFA (or block). If the question mentions 'detected during sign-in', it's sign-in risk. If it mentions 'leaked credentials', it's user risk. Use these clues to eliminate incorrect options.
Identity Protection requires Azure AD Premium P2 licensing.
User risk policy default threshold: High; sign-in risk policy default threshold: Medium and above.
User risk policy actions: Block or Require password change. Sign-in risk policy actions: Block or Require MFA.
Risk detection types include Leaked Credentials, Impossible Travel, Anonymous IP address, and more.
Risk policies integrate with Conditional Access for advanced conditions like location or device.
Always use Report-only mode in Conditional Access before enabling risk policies.
Emergency access accounts should be excluded from risk policies to avoid lockout.
These come up on the exam all the time. Here's how to tell them apart.
User Risk Policy
Targets the user account's overall risk level based on historical detections.
Default risk level threshold: High.
Actions: Block access or Allow access with password change.
Triggers at next sign-in after risk level reaches threshold.
Remediation reduces user risk level (e.g., password change resets risk).
Sign-in Risk Policy
Targets each individual sign-in attempt based on real-time and offline detections.
Default risk level threshold: Medium and above.
Actions: Block access or Allow access with MFA.
Evaluated during the sign-in process.
Remediation (MFA) does not reduce user risk level, only confirms the session.
Mistake
User risk policy blocks access by default.
Correct
The default action for user risk policy is 'Allow access with password change', not block. Blocking is an option but not recommended as it can lock out legitimate users.
Mistake
Sign-in risk policy can require password change.
Correct
Sign-in risk policy actions are limited to 'Block access' or 'Allow access with MFA'. Password change is only for user risk policy.
Mistake
Identity Protection is available with any Azure AD license.
Correct
Identity Protection requires Azure AD Premium P2. P1 only provides Conditional Access but not risk detections or policies.
Mistake
Risk levels are Low, Medium, High, and Critical.
Correct
The risk levels are Low, Medium, High, plus 'No risk' and 'Unknown'. There is no 'Critical' level.
Mistake
Risk policies can be applied to individual applications.
Correct
Risk policies are tenant-wide and apply to all applications. To scope to specific apps, use Conditional Access policies with risk conditions.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
User risk is a cumulative risk level assigned to a user based on multiple detections over time (e.g., leaked credentials). Sign-in risk is a risk level assigned to a single sign-in attempt based on real-time signals (e.g., anonymous IP). User risk policy triggers on the user's risk level, while sign-in risk policy triggers on each sign-in. For example, a user with high user risk will be forced to change password at next sign-in, while a sign-in with medium risk may require MFA.
For user risk policy: 'Block access' or 'Allow access with password change'. For sign-in risk policy: 'Block access' or 'Allow access with MFA'. Note that 'Allow access with password change' is only for user risk, and 'Allow access with MFA' is only for sign-in risk.
Use Conditional Access 'Report-only' mode. Create a Conditional Access policy with risk conditions and set it to 'Report-only'. This logs what would happen without enforcing. Review the sign-in logs to see impact. Alternatively, you can assign the policy to a small test group first.
Azure AD Premium P2 is required for Identity Protection features including risk policies, risk detections, and user risk/sign-in risk. Without P2, you cannot configure these policies.
Yes, when configuring the policy, you can include or exclude users and groups. It is recommended to exclude emergency access (break-glass) accounts to prevent lockout.
The user will see a message that sign-in was blocked due to security risk. They can contact their admin to be unblocked. Admins can review the risk detection and either dismiss the risk or confirm compromise. If the risk is dismissed, the user can sign in again.
Real-time detections are available immediately. Offline detections (like leaked credentials) may take up to 15 minutes to appear. User risk is recalculated periodically (typically within hours).
You've just covered Identity Protection Risk Policies — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?