Back to GSO Recommendations

Block High-Risk Sign-Ins: Compromised Sign-In Protection

Why this risk matters

Microsoft Entra ID Protection uses machine learning across billions of sign-in events to assign a risk level — low, medium, or high — to each authentication attempt. High-risk sign-ins are those that exhibit strong signals of compromise: impossible travel, sign-in from anonymous IPs, malware-linked IP addresses, unfamiliar sign-in properties, or credentials leaked in third-party data breaches.

A Conditional Access policy that blocks high-risk sign-ins acts as an automatic response to these signals, preventing access before an analyst has to review the event. Without this policy, a high-risk sign-in event is recorded in the logs but nothing stops the attacker from accessing the account. With it, the sign-in is blocked at the door and the user is prompted to take a secure recovery action.

This is one of the most impactful Conditional Access policies available — it turns Microsoft's threat intelligence into an automated enforcement action rather than a passive alert.

What happens if this is abused

  • Sign-in attempts flagged as high-risk by Microsoft's identity protection ML succeed without any additional challenge or block
  • Credentials leaked in third-party breaches allow attacker access even when Microsoft has already detected the credential exposure
  • Sign-ins from anonymous proxies, Tor exit nodes, or malware-linked infrastructure proceed without restriction
  • Impossible travel events — a clear signal of either token theft or simultaneous use from different locations — are logged but not blocked
  • Security teams see the risk events in the portal but have no automated response in place, relying entirely on manual review to catch active compromises

When this is expected or acceptable

For most organisations, blocking high-risk sign-ins should apply universally. Some nuances:

  • Organisations with a very small team where the security lead wants to manually review each high-risk event before blocking may prefer a step-up MFA requirement rather than an outright block — though this creates a response-time dependency
  • Users who travel frequently or use VPNs may see elevated false positive rates — monitor these after enforcement and review whether named locations or trusted IPs need to be configured
  • Licensing note: Microsoft Entra ID Protection (sign-in risk policies) requires Entra ID P2 or Microsoft 365 E5 licences. Confirm licensing before enforcing.

Checks to perform before taking action

  • Confirm that Entra ID P2 or equivalent licensing is in place for all users in scope
  • In Entra ID Protection > Risk detections, review current high-risk sign-in events to understand the existing risk landscape before enforcing a block
  • Check the Risky sign-ins report to identify false positives (e.g. legitimate VPN usage, travel) that could result in legitimate users being blocked
  • Configure named locations for known corporate IP ranges and VPN exit nodes to reduce false positives
  • Deploy in Report-only mode via Conditional Access and review which sign-ins would have been blocked over a 7–14 day period
  • Confirm a self-service password reset and MFA re-registration pathway is in place so blocked users can recover without calling the helpdesk

Safe remediation steps

  1. Create a Conditional Access policy scoped to All users, targeting sign-in risk level of High
  2. Set the grant control to Block access
  3. Deploy in Report-only mode and review the impact over 7–14 days
  4. Configure named locations and trusted IPs to reduce false positives for legitimate high-risk-flagged sign-ins
  5. Enforce the policy
  6. Confirm that self-service password reset is enabled so blocked users can recover without helpdesk intervention
  7. Review the Risky sign-ins report regularly and remediate or dismiss events appropriately to keep the risk model accurate

Supporting documentation

Microsoft: Entra ID Protection risk policies

Microsoft: Conditional Access: Sign-in risk-based policy

Microsoft: Investigate risk in Entra ID Protection

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Block High-Risk Users — deploy alongside this policy; sign-in risk and user risk are complementary signals that should both have enforcement policies
  • Session Hijack via Unusual IP Change — the GSO finding that surfaces active session anomalies; this policy provides the automated enforcement layer
  • Excessive Authentication Failures — high volumes of failures are often a precursor to a high-risk sign-in event
  • CA MFA Bypass Paths — ensure risk-based policies don't have exclusions that allow high-risk sign-ins to bypass the block
  • Require Password Change for High-Risk Users — pair with this policy to ensure compromised credentials are rotated, not just blocked
TBD CTA