Block High-Risk Users: Active Identity Compromise Protection

Why this risk matters

Entra ID Protection assigns a user risk level that accumulates over time based on the pattern of risk detections associated with that account — leaked credentials, suspicious sign-in patterns, confirmed compromises, and similar signals. A high user risk level means Microsoft's threat intelligence believes this identity has likely been compromised, even if no single sign-in has been definitively flagged.

A Conditional Access policy that blocks high-risk users prevents that account from signing in to the resources the policy targets (normally all cloud apps) until the risk is remediated. With an outright block the user cannot self-remediate: an administrator must reset the password, or confirm the account safe or dismiss the risk, in the Entra ID Protection portal. With the alternative grant control, Require password change, the user completes MFA and sets a new password, which remediates the risk and restores access. Without such a policy, a high-risk user designation is informational only: the attacker continues accessing the account while the risk event sits unreviewed in the portal.

User risk blocking is the complement to sign-in risk blocking: sign-in risk is evaluated per authentication, while user risk is the aggregate for the account. Together they give an automated response to Microsoft's threat intelligence signals rather than relying on an analyst to review each event by hand.

What happens if this is abused

  • Accounts flagged as high-risk by Microsoft's identity protection continue signing in normally, giving attackers ongoing access to email, files, Teams, and connected applications
  • Leaked credentials detected in third-party breach data are not acted on, leaving the compromised account accessible until someone manually reviews the risk report
  • High-risk user events accumulate without response, making the risk backlog increasingly difficult to triage
  • Attacker has time to establish persistence (inbox rules, app consents, delegation changes) before the account is reviewed and remediated
  • Security teams relying on manual triage cannot respond quickly enough when multiple accounts are simultaneously at risk

When this is expected or acceptable

For most organisations, blocking high-risk users should apply universally. Considerations:

  • Organisations with a very small security team may want to require secure password change rather than an outright block, to reduce helpdesk load. This relies on the user being registered for MFA and completing the remediation promptly; an attacker holding a valid session can also complete the password change if MFA is weak.
  • Licensing note: Entra ID Protection user risk policies require Entra ID P2 or Microsoft 365 E5 licensing. Confirm licensing before enforcing.
  • False positives occur but are relatively rare at the high-risk threshold — review the current high-risk user list before enforcing to understand the expected impact

Checks to perform before taking action

  • Confirm Entra ID P2 or equivalent licensing is in place for all users in scope
  • Identify the emergency access (break-glass) accounts and exclude them from the policy, as Microsoft recommends for every Conditional Access policy; a high-risk detection on a break-glass account must be handled by another administrator, not by a lockout
  • In Entra ID Protection > Risky users, review the current list of high-risk users and understand the volume and nature of existing detections
  • Remediate or dismiss false positive high-risk user designations before enforcing the block policy, to avoid immediately locking out legitimate users
  • Confirm that users are registered for MFA and that self-service password reset (SSPR) is enabled, so that a Require password change grant can be completed without helpdesk intervention; a user who is blocked outright still needs an administrator to remediate
  • Deploy in Report-only mode and review impact before enforcing
  • Communicate to users that suspicious activity on their account may result in a temporary sign-in block and explain the recovery process

Safe remediation steps

  1. Create a Conditional Access policy scoped to All users and all cloud apps, targeting user risk level of High, and exclude the emergency access (break-glass) accounts
  2. Set the grant control to Block access, or alternatively Require password change combined with Require multifactor authentication (the portal requires both, with Require all the selected controls); the latter forces a secure credential reset before access is restored
  3. Deploy in Report-only mode and review current high-risk users who would be immediately blocked
  4. Remediate genuine false positives in the Entra ID Protection portal before enforcing
  5. Enable self-service password reset and confirm MFA registration so that users on the password-change variant can recover without calling the helpdesk
  6. Enforce the policy
  7. Monitor the Risky users report and work through the queue of existing high-risk accounts, dismissing or remediating each one appropriately
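The steps above as an added worked example, not code from the original page or from Microsoft: it builds the Microsoft Graph request body for the policy (report-only first, then enforced, with either grant control), audits a policy object as returned by Graph against the requirements listed on this page, and previews which entries in a Risky users listing would be blocked the moment the policy is enforced. The break-glass group id, the displayName, the helper names and the sample risky-user records are constructed for the example; posting to Graph needs a real bearer token and is not executed here.

```python
"""Added example: build, audit and preview an Entra Conditional Access policy
that blocks high-risk users. Uses the Graph v1.0 conditionalAccessPolicy and
riskyUser schemas. BREAK_GLASS_GROUP and SAMPLE_RISKY_USERS are constructed."""
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Hypothetical object id of an emergency-access (break-glass) group; replace with yours.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000beef"


def build_user_risk_policy(grant="block", enforce=False, exclude_groups=(BREAK_GLASS_GROUP,)):
    """Return the Graph request body for a user-risk policy.

    grant:   "block" (an administrator must remediate) or "passwordChange"
             (user self-remediates; Graph requires it combined with mfa using AND).
    enforce: False gives the report-only state, True the enforced state.
    """
    if grant == "block":
        controls = {"operator": "OR", "builtInControls": ["block"]}
    elif grant == "passwordChange":
        controls = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    else:
        raise ValueError(f"unsupported grant control: {grant}")
    return {
        "displayName": "Block high-risk users",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "userRiskLevels": ["high"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
        },
        "grantControls": controls,
    }


def audit_policy(policy):
    """Return findings for a policy dict as returned by GET .../policies/{id}.
    An empty list means the policy enforces the control described on this page."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')}, not enabled")
    if "high" not in (cond.get("userRiskLevels") or []):
        findings.append("does not target user risk level high")
    if users.get("includeUsers") != ["All"]:
        findings.append("not scoped to All users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("not scoped to all applications")
    if "block" in controls:
        pass  # outright block: nothing further to check on the grant
    elif "passwordChange" in controls:
        if "mfa" not in controls or grant.get("operator") != "AND":
            findings.append("passwordChange must be combined with mfa using AND")
    else:
        findings.append("grant control neither blocks nor requires password change")
    if not users.get("excludeGroups") and not users.get("excludeUsers"):
        findings.append("no break-glass exclusion; emergency-access accounts could be locked out")
    return findings


def users_blocked_on_enforce(risky_users):
    """From a riskyUsers listing (GET /identityProtection/riskyUsers) return the UPNs
    the policy would block as soon as it is enforced: risk level high and still
    at risk (remediated, dismissed and confirmed-safe entries are no longer high)."""
    return sorted(
        u["userPrincipalName"] for u in risky_users
        if u.get("riskLevel") == "high" and u.get("riskState") in ("atRisk", "confirmedCompromised")
    )


def send_policy(body, token):
    """POST the policy to Graph. Not called in this example; needs a bearer token
    carrying Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_POLICIES, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a riskyUsers response; the accounts are fictional.
SAMPLE_RISKY_USERS = [
    {"userPrincipalName": "alice@contoso.example", "riskLevel": "high", "riskState": "atRisk"},
    {"userPrincipalName": "bob@contoso.example", "riskLevel": "high", "riskState": "remediated"},
    {"userPrincipalName": "carol@contoso.example", "riskLevel": "medium", "riskState": "atRisk"},
    {"userPrincipalName": "dave@contoso.example", "riskLevel": "high", "riskState": "dismissed"},
]

if __name__ == "__main__":
    print("would be blocked on enforce:", users_blocked_on_enforce(SAMPLE_RISKY_USERS))
    print("report-only draft findings:", audit_policy(build_user_risk_policy()))
    print("enforced findings:", audit_policy(build_user_risk_policy(enforce=True)))
    print(json.dumps(build_user_risk_policy("passwordChange", enforce=True), indent=2))
```

Run the preview against a real listing before flipping the state to enabled: every UPN it returns is a user who loses access at that moment, so each should already have been remediated or dismissed per step 4. The audit is also useful after the fact, against policies exported from a tenant, to catch a policy that was left in report-only mode or that lost its break-glass exclusion.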

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Block High-Risk Sign-Ins — deploy alongside this policy; user risk and sign-in risk are complementary signals that should both have enforcement policies
  • Require Password Change for High-Risk Users — consider whether to block or require password change, depending on your helpdesk capacity and risk tolerance
  • Dormant Users — dormant accounts that accumulate risk detections without any sign-in activity should also be reviewed and disabled
  • Users with Risky MFA Settings — high-risk users with weak MFA are a particularly dangerous combination; address MFA gaps as part of the risk remediation
  • Session Hijack via Unusual IP Change — user risk events often coincide with session anomalies; check for both when remediating a high-risk user