Last Updated on November 15, 2020 by Dishan M. Francis

In my previous blog post, I explained how to set up a sign-in risk-based Azure conditional access policy. That article can be accessed using this link. As I explained there, sign-in risk is calculated from the behaviour of an individual sign-in attempt (unfamiliar location, anonymous IP address, atypical travel and so on). User risk is different: it is the probability that the account itself is compromised, and one of its main inputs is evidence that the account's credentials have leaked. Leaked credentials are frequently sold or shared on the dark web, and Microsoft checks whether corporate accounts appear in such places. Microsoft uses various sources to identify leaked credentials, such as

  • Public paste sites
  • Dark web research groups
  • Law enforcement agencies

We can use an Azure conditional access policy to evaluate the account's user risk level at sign-in time and block or remediate a request coming from a known compromised account. Note that leaked-credential detection runs offline, so a newly leaked credential can take 2 to 24 hours to be reflected in the user's risk level and in the reports; the policy can only act on what Identity Protection has already detected.
Let's go ahead and see how we can create a user risk-based Azure conditional access policy.

Configure Azure conditional access policy

1. Log in to the Azure Portal (https://portal.azure.com/) as a Global Administrator, Security Administrator or Conditional Access Administrator
2. Then go to Azure Active Directory

Azure Active Directory Service

3. On the Azure Active Directory page click on Security

Azure Active Directory Security Option

4. On the Security Home page, click on Conditional Access

Azure Active Directory Conditional Access Policies

5. Then click on + New Policy

Create new conditional access policy

6. This will open up a new policy window. Provide a name for the policy and then click on Users and groups. Here I am going to apply the policy to the Sales & Marketing team: under Include, click on Users and groups and select the Sales & Marketing group. It is good practice to add at least one emergency access (break-glass) account under Exclude, so that an administrator can still sign in if this policy blocks access unexpectedly.

Conditional access policy users & groups selection

7. As the next step, click on Cloud apps or actions. I am going to apply this policy to access to all cloud apps; to do that, select All cloud apps from the list.

Conditional Access policy cloud app or action settings

8. Next, click on Conditions | User risk (Preview). To proceed with the configuration, set Configure to Yes. In this policy, I am going to target the High and Medium risk levels, so I select those two from the list and click on Done to complete the configuration. A user whose risk level is Low or None will not trigger this policy at all.

Conditional access policy condition settings

9. Then, under the Access controls section, click on Grant. I want to block all sign-in attempts by High and Medium risk users, so I select the Block access option. Microsoft's recommended alternative for high user risk is to require a password change (which also enforces multi-factor authentication), so that the account is remediated rather than only locked out; Block access is the stricter option shown here.

Conditional access policy access control settings

10. To complete the policy configuration, set Enable policy to On (or to Report-only if you first want to measure the impact on real sign-ins without enforcing anything) and click Create

enable conditional access policy

conditional access policy status
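The same policy can be created from the command line, which is easier to review, version and repeat across tenants than portal clicks. The following script is an added example and is not part of the original post; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, the signed-in account holds the Conditional Access Administrator role, a group named Sales & Marketing exists, and breakglass@M365x581675.OnMicrosoft.com is a hypothetical emergency access account to exclude.

```powershell
# Added example (not from the original post): creates the user-risk policy from the
# steps above with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: Microsoft.Graph module installed; signed-in account holds the
# Conditional Access Administrator role; a "Sales & Marketing" group exists;
# "breakglass@M365x581675.OnMicrosoft.com" is a hypothetical emergency access account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "User.Read.All"

# Resolve the target group and the excluded emergency access account to object IDs;
# conditional access policies reference objects by ID, not by display name.
$salesGroup = Get-MgGroup -Filter "displayName eq 'Sales & Marketing'" | Select-Object -First 1
if (-not $salesGroup) { throw "Group 'Sales & Marketing' not found" }
$breakGlass = Get-MgUser -UserId "breakglass@M365x581675.OnMicrosoft.com"

$policy = @{
    displayName   = "Block medium and high user risk - Sales & Marketing"
    # Use "enabledForReportingButNotEnforced" (report-only) to measure impact first.
    state         = "enabled"
    conditions    = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeGroups = @($salesGroup.Id)
            excludeUsers  = @($breakGlass.Id)   # never lock out the break-glass account
        }
        # User risk is the account-level risk, independent of the current sign-in's risk.
        userRiskLevels = @("high", "medium")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the risk levels and grant control were stored as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0} [{1}] userRiskLevels={2} control={3}" -f $check.DisplayName, $check.State, ($check.Conditions.UserRiskLevels -join ","), ($check.GrantControls.BuiltInControls -join ",")
```

The read-back at the end is the check worth keeping: a policy that was saved with an empty `userRiskLevels` or without the `block` control will silently never fire, and the portal only shows the settings you opened.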

Testing

To verify the policy, I am going to use the conditional access What If tool.

conditional access what if tool

Then in the selection, I used the following values and ran the What If tool.

  • User from sales team – MeganB@M365x581675.OnMicrosoft.com
  • IP address – 40.121.153.69
  • Sign-in risk – None
  • User risk (Preview) – Medium

conditional access what if tool results

As expected, the Evaluation result shows that the policy applies to this sign-in and blocks it.
I hope you now have a better understanding of how to configure user risk-based Azure conditional access policies. If you have any questions, feel free to contact me at rebeladm@live.com and follow me on Twitter @rebeladm to get updates about new blog posts.
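The What If tool evaluates the policy logic, but it does not prove that a real risky account is actually stopped, and user risk cannot be provoked the way sign-in risk can (for example by signing in through Tor). The script below is an added example, not part of the original post, that tests the policy end to end: it marks a test account as confirmed compromised, which raises its user risk to High immediately, then reads the sign-in log to see which policy fired, and finally dismisses the risk. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Security Administrator role, the tenant has Azure AD Premium P2 (required for Identity Protection), and MeganB@M365x581675.OnMicrosoft.com is a dedicated test account that is a member of the Sales & Marketing group.

```powershell
# Added example (not from the original post): end-to-end test of the user-risk policy
# against a real sign-in rather than the What If tool.
# Assumptions: Microsoft.Graph module installed; signed-in admin holds the Security
# Administrator role; Azure AD Premium P2 licensing; the test user below is a
# dedicated test account in the Sales & Marketing group. Do not run this against
# a real employee's account: it changes that account's risk state.

Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All"

$testUpn  = "MeganB@M365x581675.OnMicrosoft.com"
$testUser = Get-MgUser -UserId $testUpn

# 1. Current user risk before the test; the policy only fires at medium or high.
Get-MgRiskyUser -Filter "userPrincipalName eq '$testUpn'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

# 2. Mark the account as confirmed compromised. This sets user risk to "high" at once,
#    unlike leaked-credential detection, which is offline and can lag by 2 to 24 hours.
Confirm-MgRiskyUserCompromised -UserIds @($testUser.Id)

Write-Host "Now sign in as $testUpn in a private browser window; the sign-in should be blocked (AADSTS53003)."
Read-Host "Press Enter once the sign-in attempt has been made (the log entry can take a few minutes to appear)"

# 3. Check the sign-in log: conditionalAccessStatus and the per-policy result show
#    which policy matched, and riskLevelAggregated is the user risk that was evaluated.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUpn'" -Top 5 |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.CreatedDateTime
            UserRisk  = $_.RiskLevelAggregated
            CAStatus  = $_.ConditionalAccessStatus      # expect "failure" for the blocked attempt
            ErrorCode = $_.Status.ErrorCode             # expect 53003 (blocked by conditional access)
            Policies  = ($_.AppliedConditionalAccessPolicies |
                          ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join "; "
        }
    }

# 4. Clear the artificial risk so the test account is usable again.
Invoke-MgDismissRiskyUser -UserIds @($testUser.Id)
```

The per-policy `Result` in the log is the detail to look at when several policies apply: a sign-in can be blocked by a different policy than the one you are testing, and the overall `conditionalAccessStatus` alone will not tell you which one.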