Conditional Access polices

Question

Conditional Access polices

Glenn Maxwell 13,721

Hi All,

I am planning to enable the following Microsoft Entra Conditional Access policies in Report-only mode for Sign-in Risk and User Risk, and would like to validate the configuration before deployment. I am using Exchange Hybrid environment, All my user accounts are created in Exchange On-Premises and migrated to Exchange Online. All my users are assigned Microsoft 365 E5 licenses. I am using Microsoft Entra ID P2 licenses. Okta is used for SSO and MFA. The objective is to enable these policies in Report-only mode to review the sign-in logs and assess the potential impact before enforcing them in production.

Policy1: 
Assignment: All users
Target resource: All resources(formerly 'All cloud apps')
Condition: sign-in risk
Configure:Yes
Select the sign-in risk level this policy will apply to : High
Grant: Control access enforcement to block or grant access:Block
For multiple controls: Require all the selected controls
Session: i am not sure what options i need to select i am looking from M365 perspective.


Policy2: 
Assignment: All users
Target resource: All resources(formerly 'All cloud apps')
Condition: user risk
Configure:Yes
Select the user risk levels needed for policy to be enforced : High
Grant: Control access enforcement to block or grant access:Block
For multiple controls: Require all the selected controls
Session: i am not sure what options i need to select i am looking from M365 perspective.

For these policies, are any Session controls recommended? I am not sure whether any session settings are required for these scenarios, so please guide me. Also, please validate whether the other policy settings are correct.

Will these policies still evaluate sign-in risk and user risk correctly when authentication is federated through Okta?

VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-04-27T14:56:50.7833333+00:00
Hello Glenn Maxwell,

Thanks for sharing the details. Your Conditional Access configurations for Sign-in risk = High and User risk = High, configured in Report-only mode, are correct and aligned with Microsoft recommended security practices for Entra ID P2.

Both policies are appropriate for validating impact before enforcement and are safe to test in Report-only mode.

Session controls – Recommendation

For both Sign-in Risk and User Risk policies:

No Session controls are required

Leave Session = Not configured

Reason: Risk-based policies are evaluated at sign-in time, and since the action is Block access, session controls (sign-in frequency, persistent browser session, CAE, etc.) do not add value for these scenarios.

Okta federation – Important clarification

Yes, these policies will still evaluate Sign-in Risk and User Risk correctly, even when authentication is federated through Okta, because Microsoft Entra performs its own risk analysis using signals such as IP reputation, anonymous access, impossible travel, and token anomalies.

However:

Entra cannot trigger MFA when authentication is handled by Okta

Therefore, using Block access for high-risk conditions is the correct and supported approach in federated environments

Your current configuration already follows this best practice.

Next steps

Review Sign-in Logs → Conditional Access → Report-only results

Identify users that would be blocked

Ensure break-glass accounts are excluded before enforcing the policies

Your setup is valid, and no changes are required before proceeding with report-only testing.
Glenn Maxwell 13,721 Reputation points

2026-04-27T19:55:10.13+00:00

Under Session, I need to select at least one option to proceed, please guide me which option to select.
VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-04-30T13:31:32.4466667+00:00

Glenn Maxwell could you please check my previous response and let me know if you need any additional information.

Answer accepted by question author

1 additional answer

Your answer

VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-04-27T14:56:50.7833333+00:00

Hello Glenn Maxwell,

Thanks for sharing the details. Your Conditional Access configurations for Sign-in risk = High and User risk = High, configured in Report-only mode, are correct and aligned with Microsoft recommended security practices for Entra ID P2.

Both policies are appropriate for validating impact before enforcement and are safe to test in Report-only mode.

Session controls – Recommendation

For both Sign-in Risk and User Risk policies:

No Session controls are required

Leave Session = Not configured

Reason: Risk-based policies are evaluated at sign-in time, and since the action is Block access, session controls (sign-in frequency, persistent browser session, CAE, etc.) do not add value for these scenarios.

Okta federation – Important clarification

Yes, these policies will still evaluate Sign-in Risk and User Risk correctly, even when authentication is federated through Okta, because Microsoft Entra performs its own risk analysis using signals such as IP reputation, anonymous access, impossible travel, and token anomalies.

However:

Entra cannot trigger MFA when authentication is handled by Okta

Therefore, using Block access for high-risk conditions is the correct and supported approach in federated environments

Your current configuration already follows this best practice.

Next steps

Review Sign-in Logs → Conditional Access → Report-only results

Identify users that would be blocked

Ensure break-glass accounts are excluded before enforcing the policies

Your setup is valid, and no changes are required before proceeding with report-only testing.
Glenn Maxwell 13,721 Reputation points

2026-04-27T19:55:10.13+00:00

Under Session, I need to select at least one option to proceed, please guide me which option to select.
VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-04-30T13:31:32.4466667+00:00

Glenn Maxwell could you please check my previous response and let me know if you need any additional information.

Answer 1

VEMULA SRISAI 13,025 Microsoft External Staff Moderator

Glenn Maxwell For Sign‑in risk and User risk policies where the Grant control is set to Block access, no Session control should be selected.

Session controls are optional and apply only when access is granted. In a Block policy, access is denied before any session is created, so session controls are not applicable.

If the portal appears to force a selection, that usually happens when:

The Session section is expanded, or
The policy is mistakenly being evaluated as a Grant policy What you should do
Ensure Grant = Block access is selected
Do not configure anything under Session
Collapse the Session section and save the policy

Do not select any Session option just to proceed (such as Sign‑in frequency or Persistent browser session). That would be an incorrect configuration for risk‑based block policies and is not recommended.

This behavior is expected and consistent with Microsoft’s design for Identity Protection Conditional Access policies.

Glenn Maxwell 13,721 Reputation points

2026-05-02T07:21:15.7766667+00:00

VEMULA SRISAI

i am unable to mark as answer
VEMULA SRISAI 13,025 Reputation points Microsoft External Staff Moderator

2026-05-04T05:22:28.0166667+00:00

Glenn Maxwell Could you please try again now? You should be able to accept the answer at this point.

kindly take a moment to click on and click on Yes for was this answer helpful.

Answer 2

For Microsoft 365 scenarios, Microsoft’s recommended patterns for risk-based policies differ from the configurations described.

Session controls

For risk-based Conditional Access policies (sign-in risk and user risk), Microsoft guidance in the provided context applies these session controls:

Sign-in risk policy for MFA:
- Under Session → Sign-in frequency → Every time.
- This forces re-evaluation and MFA on each risky sign-in.
- Steps are shown in the “Enable sign-in risk policy for MFA” guidance.
User risk policy for password change:
- Under Session, Sign-in frequency – Every time is automatically applied and is mandatory.

So, for M365 access when using risk-based policies:

If the policy is granting access with MFA (or risk remediation), configure Sign-in frequency = Every time.
If the policy is blocking access, additional session controls are not required; the block itself is sufficient. Session controls mainly affect how often tokens are re-evaluated, not the block decision.

Recommended grant controls vs. current configuration

The current policies are configured to Block on High risk. The Microsoft guidance in the context recommends:

Sign-in risk policy:
- Assignments: All users (excluding break-glass accounts), All resources.
- Condition: Sign-in risk = High and Medium.
- Grant: Grant access + Require authentication strength with Multifactor authentication.
- Session: Sign-in frequency = Every time.
- Start in Report-only, then move to On after review.
User risk policy:
- Assignments: All users (excluding break-glass accounts), All resources.
- Condition: User risk = High.
- Grant: Grant access + Require risk remediation (this enforces password change; authentication strength is automatically selected).
- Session: Sign-in frequency – Every time is automatically applied and mandatory.
- Start in Report-only, then move to On after review.

Compared to this guidance:

Using Block for High sign-in risk and High user risk is more aggressive than the documented recommendations, which focus on MFA for sign-in risk and password change for user risk.
For most M365 scenarios, the recommended pattern is:
- Sign-in risk → require MFA every time for High/Medium.
- User risk → require password change (risk remediation) for High.

Validation of other policy settings

Based on the context:

Assignments:
- All users is correct, but emergency access/break-glass accounts should be excluded.
Target resources:
- All resources (formerly ‘All cloud apps’) is correct for tenant-wide protection.
Conditions:
- Sign-in risk policy: Configure = Yes, risk levels High and Medium are recommended.
- User risk policy: Configure = Yes, user risk level High is recommended.
Enable policy:
- Start with Report-only and later switch to On after reviewing impact.

These align with the documented steps, except for the choice of Block vs. Grant access with MFA / risk remediation.

Evaluation of risk with federated authentication via Okta

The context describes how to configure risk-based Conditional Access policies but does not provide details about risk evaluation behavior when authentication is federated through Okta. There is no explicit statement in the provided material confirming or denying correct sign-in risk or user risk evaluation in a federated/Okta SSO scenario.

Because this behavior is not covered in the context, no statement can be made here about whether sign-in risk and user risk will be evaluated correctly when using Okta federation.

References:

Share via

Conditional Access polices

1 additional answer

Your answer