Identifying, investigating, and remediating -, does this sound like a familiar task administrators? Another question: how long does it take you to resolve risky sign-in and other risky user behavior (i.e., Leaked credentials, anonymous IP sign-ins, impossible travel, infected devices, suspicious activity, and unfamiliar locations)?

If you are not properly protected, your organization may never even know these things are occurring.

Implementing Azure Risk Policies through Azure Identity Protection can help you gain important insights into discovering compromised identities and automate actions to immediately resolve the potential attack.

Microsoft currently detects six different types of risk:

  • Users with leaked credentials
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activity
  • Sign-ins from unfamiliar locations

If a risk is detected when utilizing Azure Risk Policies during Azure identity protection, those risks are captured and stored in a record named risk detection.  Depending on which Azure AD Premium license you have assigned will determine the number of features and details you will receive from the Risk Report that accompanies the policies.  Make sure you have the correct license to obtain the features and information that best protects your organization.

Azure AD Premium P2 edition: The most detailed information about all underlying detections

Azure AD Premium P1 edition:  Advanced detections (such as unfamiliar sign-in properties) are not covered by your license, and will appear under the name Sign-in with additional risk detected. Additionally, the risk level and risk detail fields are hidden.

To create your Azure Risk Policies, start by logging into your Azure tenant and navigate to your Azure Active Directory, look for Overview in the left-hand blade, and then either look for Identity Protection, or similarly, it may already have a link to create the risk polices (see screenshots).

azure identity protection

azure identity protection

Next, you will need to configure the Assignment fields. What users will this policy apply to?  You can choose individuals or groups if you want the option to limit the rollout.   You also have the feature to exclude users from the policy in case you need an emergency or break-glass account free of the policy. What user risk condition would you like to apply to your organization? Low and above, medium and above, or high? Microsoft recommends this option set to High.

azure identity protection

The next section of the policy creation focuses on the controls you want Microsoft to enforce, regarding allowing the user to log in or even require a password change. Microsoft recommends allowing access and requiring a password identity protection

MessageOps can help with Azure planning, design, migration, and training services. Learn more today!


To complete implementation and configure the policy to enabled flip the Enforce Policy to on and click Save.

Next, you will want to implement the second Azure Risk Policy, the Sign-In Risk Policy.  Click configure sign-in risk policy from the Overview page.

We will mirror the User Risk Policies Assignment section but change the Conditions field to medium and above.  Microsoft recommends this option.

Once you have reached the Controls section of the policy, we will set the user sign-in risk to allow access and require multi-factor authentication. Microsoft recommends requiring sign-in risk to allow and require multi-factor authentication.

azure identity protection

Lastly, switch Enforce Policy to on and click save.

azure identity protection


Was this article helpful?

Ready to get started?

Get in touch to unlock the full potential of your Microsoft investment.

Get started