A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
- A. Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
  Why correct: A separate policy for medium user risk, applied to all users, requires MFA whenever medium risk is detected. The existing policy continues to block Finance users with high risk. Conditional Access policies are not mutually exclusive: every matching policy is evaluated and its controls enforced, so the block takes precedence for high risk and the MFA requirement applies for medium risk.
- B. Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
  Why wrong: Modifying the existing policy to cover both high and medium user risk would require MFA for medium risk but would also remove the block for high risk (or require MFA for high risk, which is not the requirement). A single policy cannot apply different grant controls to different risk levels.
- C. Use Identity Protection's 'User risk policy' instead of Conditional Access
  Why wrong: Identity Protection's user risk policy uses the same risk levels but is applied globally. It cannot be scoped to a specific department (Finance) for the block action while requiring MFA for all other users. Conditional Access is needed for the department scope.
- D. Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'
  Why wrong: Blocking access for medium user risk is more restrictive than required. The requirement is to require MFA, not to block.