Isn't in wrong to block access in Sign in risk Conditional access policy and require MFA?

Question

Isn't in wrong to block access in Sign in risk Conditional access policy and require MFA?

Amrit Kaur 0

https://learn.microsoft.com/en-us/training/modules/manage-azure-active-directory-identity-protection/4-exercise-enable-sign-risk-policy
Isn't in wrong to block access in Sign in risk Conditional access policy and require MFA?

This question is related to the following Learning Module

2 answers

Your answer

Answer 1

Divyesh Govaerdhanan 6,400

Hello,

Welcome to Microsoft Q&A,

In a Sign-in Risk Conditional Access Policy, blocking access outright might not always be the best approach. Instead, requiring Multi-Factor Authentication (MFA) is often the recommended approach.

Block Access might lead to a False positive (as it's AI-based signals), and it does not give the better user experience to verify their identity whereas MFA provides the user the ability to verify their identity.

So, blocking access in a Sign-in Risk policy is not necessarily "wrong," but requiring MFA is a better and more flexible security measure in most cases.

Please Upvote and accept the answer if it helps!

Kiran P 8,225 Reputation points Microsoft External Staff Volunteer Moderator

2025-02-08T03:42:50.8866667+00:00

Hi Amrit Kaur,

Just checking in to see if you had a chance to see previous answer provided by Divyesh Govaerdhanan. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.
Kiran P 8,225 Reputation points Microsoft External Staff Volunteer Moderator

2025-02-09T05:16:45.4866667+00:00

Hi Amrit Kaur,

Just checking in to see if you had a chance to see previous answer provided by Divyesh Govaerdhanan. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.
Amrit Kaur 0 Reputation points

2025-02-11T00:40:15.38+00:00

Hi,

Thanks for your response. I completely agree that requiring MFA is generally a better approach than outright blocking access.

However, my concern was actually about a typo in the learning document. The module instructs to "Block access" and then "Require multifactor authentication", but the "Require MFA" option is only available under "Grant access", not "Block access."

So, my point was just to highlight this inconsistency in the documentation to avoid confusion for learners. Hope that clarifies!

Thanks again for your time.
Divyesh Govaerdhanan 6,400 Reputation points

2025-02-11T01:17:49.02+00:00

Hi,

I got it, Thank you for rightly pointing out the documentation error.
Kiran P 8,225 Reputation points Microsoft External Staff Volunteer Moderator

2025-02-11T10:08:41.1766667+00:00

Hi Amrit Kaur,

"Thank you for sharing your feedback. We acknowledge that recent updates to the Azure portal have brought changes to the features and options, and the previous settings that were under 'Block Access' have been reorganized. We greatly appreciate your thoughtful input, and we will ensure that your feedback is forwarded to our backend team for consideration in updating the documentation.

Your engagement and patience within the Microsoft Q&A forum are highly valued. We encourage you to continue completing your learning modules, as they will guide you toward achieving your goals and enhancing your expertise. We are committed to supporting your journey and appreciate your dedication to mastering the platform."
Kiran P 8,225 Reputation points Microsoft External Staff Volunteer Moderator

2025-02-20T07:08:37.06+00:00

Hi Amrit Kaur,

Our team is working on this issue, and we will update you once it is resolved.

Answer 2

Kiran P 8,225 Microsoft External Staff Volunteer Moderator

Hi Amrit Kaur,

We reached out to the author of the module, and they confirmed that this is not an error, but rather a confusing user interface design. To open the Access menu, you need to click on the words "BLOCK ACCESS." From there, select "Grant Access," as the user has mentioned. I am adjusting the lab step to make it clearer, but the text is correct as written.

Note: The module document will be updated soon.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.

Thank you.

Kiran P 8,225 Reputation points Microsoft External Staff Volunteer Moderator

2025-02-26T04:31:21.7366667+00:00

Hi Amrit Kaur,

Just checking in to see if you had a chance to see my previous answer. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.

Thank you.
Kiran P 8,225 Reputation points Microsoft External Staff Volunteer Moderator

2025-02-27T03:51:00.78+00:00

Hi Amrit Kaur,

Just checking in to see if you had a chance to see my previous answer. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.

Thank you.

Share via

Isn't in wrong to block access in Sign in risk Conditional access policy and require MFA?

2 answers

Your answer