Thank you for posting this in Microsoft Q&A.
As I understand it, you want to configure MFA for users based on risky sign-in attempts to Azure resources.
In Azure, there is a feature called Identity Protection. Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation.
In Identity Protection, user and sign-in risks are already defined, and they are divided into multiple categories.
You can follow the article below to learn more about the risk definitions.
Now, there are 2 types of detections:
- Real time detections.
- Offline detections.
ID Protection utilizes techniques to increase the precision of user and sign-in risk detections by calculating some risks in real-time or offline after authentication. Detecting risk in real-time at sign-in gives the advantage of identifying risk early so that customers can quickly investigate the potential compromise. Detections that calculate risk offline can provide more insight as to how the threat actor gained access to the account and the impact on the legitimate user. Some detections can be triggered both offline and during sign-in, which increases confidence in being precise on the compromise.
Detections triggered in real-time take 5-10 minutes to surface details in the reports. Offline detections take up to 48 hours to surface in the reports, as it takes time to evaluate properties of the potential risk.
Yes, you can configure alerts to be triggered and notifications to be sent when user or sign-in risk is detected.
To configure risk policies, you can refer to the article below.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
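
Added example, not part of the answer above and not Microsoft's code: a review check that a Conditional Access policy, in the Microsoft Graph `conditionalAccessPolicy` JSON shape, actually requires MFA (or blocks) on risky sign-ins. The function name, both sample policies and the emergency-access object ID are constructed for illustration.

```python
# Added example: reviews Conditional Access policies (Microsoft Graph
# conditionalAccessPolicy JSON shape) for a sign-in-risk MFA rule.
# All policy objects and IDs here are constructed sample data.
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"  # placeholder object ID

def review_risk_mfa_policy(policy, break_glass_id=BREAK_GLASS_ID):
    """Return findings for one policy; an empty list means no issue found."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    levels = set(cond.get("signInRiskLevels") or [])
    if not levels:
        return ["not a sign-in risk policy (signInRiskLevels is empty)"]
    findings = []
    if "high" not in levels:
        findings.append("high sign-in risk is not covered")
    if "mfa" not in controls and "block" not in controls:
        findings.append("risky sign-ins are neither challenged with MFA nor blocked")
    # Assumption: the tenant keeps an emergency access account that must stay
    # outside tenant-wide policies to avoid lockout.
    excluded = users.get("excludeUsers", [])
    if "All" in users.get("includeUsers", []) and break_glass_id not in excluded:
        findings.append("emergency access account is not excluded")
    if policy.get("state") != "enabled":
        findings.append(f"policy is not enforced (state={policy.get('state')})")
    return findings

GOOD = {  # constructed: MFA on medium and high sign-in risk, all apps
    "displayName": "Require MFA for medium and high sign-in risk",
    "state": "enabled",
    "conditions": {
        "signInRiskLevels": ["high", "medium"],
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
WEAK = {  # constructed: report-only, medium risk only, no MFA, no exclusion
    "displayName": "Risk policy (draft)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"signInRiskLevels": ["medium"],
                   "users": {"includeUsers": ["All"], "excludeUsers": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

if __name__ == "__main__":
    for p in (GOOD, WEAK):
        print(p["displayName"], "->", review_risk_mfa_policy(p) or "no findings")
```

A policy left in `enabledForReportingButNotEnforced` is reported as not enforced because report-only mode records the result in the sign-in logs without challenging the user.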