Guidance Needed on Transitioning from Risk-Based Policies to Conditional Access in Microsoft Entra ID

Question

Guidance Needed on Transitioning from Risk-Based Policies to Conditional Access in Microsoft Entra ID

Khalid Hakim 0

Under Identity Protection, we currently rely on:

User Risk Policy
Sign-in Risk Policy

These policies have been instrumental in protecting our users and detecting suspicious activity. However, as you know, both are now read-only and will be deprecated in October 2026.

We also have a Conditional Access policy in place to block sign-ins from overseas IP addresses.

Microsoft’s guidance recommends migrating risk-based protections to Conditional Access policies. To ensure we maintain an equivalent (or stronger) level of security, could you please advise on:

Best practices for replacing User/Sign-in Risk Policies using Conditional Access (e.g., leveraging risk levels as signals in CA policies, enabling risk-based Conditional Access)?
Our current policy disables user-initiated password changes for security reasons. Is this still considered a best practice—or should we re-enable it (e.g., with MFA and SSPR safeguards)?
Preventing VPN abuse: Is there a way to detect or block users from bypassing geo-restrictions by using local IP addresses via VPNs (e.g., using named locations with trusted IPs, sign-in risk detection, device compliance + Conditional Access, or Microsoft Defender for Identity)?
Session hijacking protection: Does Microsoft Entra ID offer built-in protections (e.g., token replay detection, session binding, continuous access evaluation, or integration with Microsoft Defender for Cloud Apps)?

Any actionable recommendations or reference documentation would be greatly appreciated.

VEMULA SRISAI 3,090 Reputation points Microsoft External Staff Moderator

2025-11-20T07:44:53.2+00:00
Hello Khalid Hakim,Thank you for reaching out. I understand you want to transition from Identity Protection risk-based policies (User Risk and Sign-in Risk) to Conditional Access while maintaining strong security. Below is the recommended approach:

Replace Risk-Based Policies with Conditional Access

Configure Conditional Access policies using User Risk and Sign-in Risk conditions: (i) High user risk → Require password change with MFA (ensure password writeback is enabled). (ii) Medium/High sign-in risk → Require MFA.

Deploy in Report-only mode first, review impact in Insights & Reporting, then enforce.

Password Change Best Practice

Do not block user-initiated password changes.

Instead, enforce MFA and SSPR safeguards during reset. This aligns with Microsoft’s remediation flow for risky users.

Prevent VPN Abuse

Configure Named Locations for trusted IPs and countries.

Combine with device compliance (Intune) and sign-in risk detection.

Enable Continuous Access Evaluation (CAE) to revoke sessions when IP changes.

Session Hijacking Protection

Enable Token Protection (device-bound tokens) in Conditional Access.

Turn on CAE for real-time session revocation.

Integrate with Microsoft Defender for Cloud Apps for anomaly detection and session monitoring.

For your reference:

Risk-Based Conditional Access Policies

Conditional Access Overview

Token Protection
Khalid Hakim 0 Reputation points

2025-11-20T16:00:17.8933333+00:00

Hi VEMULA SRISAI, I know all that, the AI and all documenation alreay metioned, that, so you you did not add anything new, I hope you are not AI as well.

what I'm looking here, I want to talk to person from the technical team to make sure all my settings are correctly done. we have over 500 users, and any small mistake would effect them. how I can contact the technical team?
VEMULA SRISAI 3,090 Reputation points Microsoft External Staff Moderator

2025-11-26T17:02:24.8766667+00:00
I understand your concern about ensuring all settings are correct for 500 users—small mistakes can have a big impact.

To ensure all settings are correctly configured and prevent issues for 500 users:

Replace Risk-Based Policies with Conditional Access

Create two separate CA policies:

User Risk Policy

Condition: User risk = High

Grant: Require secure password change (with MFA)

Ensure Password Writeback is enabled for hybrid users.

Sign-In Risk Policy

Condition: Sign-in risk = Medium → Require MFA

Condition: Sign-in risk = High → Block access

Do not combine user risk and sign-in risk in one policy.

Enable MFA + SSPR Safeguards

Migrate to Authentication Methods Policy (deprecates legacy MFA/SSPR).

Enable combined registration for MFA and SSPR.

Configure Temporary Access Pass (TAP) for recovery scenarios.

Prevent VPN Geo-Bypass

Define Named Locations for trusted IP ranges and countries.

Add CA policy to block sign-ins from untrusted countries.

Require device compliance for sensitive apps via Intune.

Apply CA to VPN connectivity using EAP-TLS certificates.

Protect Against Session Hijacking

Enable Continuous Access Evaluation (CAE) for Exchange, SharePoint, Teams.

Turn on Token Protection (device-bound tokens).

Integrate Microsoft Defender for Cloud Apps for session controls.

Safe Rollout

Start policies in Report-only mode.

Use Insights & Impact Analysis Workbook to validate.

Pilot with IT group → then phased enforcement.

Keep two break-glass accounts excluded and monitored.

For detailed guidance:

https://learn.microsoft.com/en-in/entra/id-protection/concept-identity-protection-policies

https://learn.microsoft.com/en-in/entra/identity/conditional-access/overview
VEMULA SRISAI 3,090 Reputation points Microsoft External Staff Moderator

2025-12-02T11:59:24.98+00:00

Khalid Hakim Following up regarding my previous response: Replace risk-based policies with Conditional Access, enable MFA/SSPR/TAP, enforce CAE and token protection, and roll out in report-only mode before enforcement. Let me know if you need anything further.
Khalid Hakim 0 Reputation points

2025-12-05T18:30:18.1333333+00:00

also I metioned, only admin is going to change the users password, letting users to change their own password would lead to security issues. I have been waiting for the technical team to contact me, but seems no one is here. we are big size compnay and we need a real support not suggestion and guidelines that may effect us.

1 answer

Your answer

VEMULA SRISAI 3,090 Reputation points Microsoft External Staff Moderator

2025-11-20T07:44:53.2+00:00

Hello Khalid Hakim,Thank you for reaching out. I understand you want to transition from Identity Protection risk-based policies (User Risk and Sign-in Risk) to Conditional Access while maintaining strong security. Below is the recommended approach:

Replace Risk-Based Policies with Conditional Access

Configure Conditional Access policies using User Risk and Sign-in Risk conditions: (i) High user risk → Require password change with MFA (ensure password writeback is enabled). (ii) Medium/High sign-in risk → Require MFA.

Deploy in Report-only mode first, review impact in Insights & Reporting, then enforce.

Password Change Best Practice

Do not block user-initiated password changes.

Instead, enforce MFA and SSPR safeguards during reset. This aligns with Microsoft’s remediation flow for risky users.

Prevent VPN Abuse

Configure Named Locations for trusted IPs and countries.

Combine with device compliance (Intune) and sign-in risk detection.

Enable Continuous Access Evaluation (CAE) to revoke sessions when IP changes.

Session Hijacking Protection

Enable Token Protection (device-bound tokens) in Conditional Access.

Turn on CAE for real-time session revocation.

Integrate with Microsoft Defender for Cloud Apps for anomaly detection and session monitoring.

For your reference:

Risk-Based Conditional Access Policies

Conditional Access Overview

Token Protection
Khalid Hakim 0 Reputation points

2025-11-20T16:00:17.8933333+00:00

Hi VEMULA SRISAI, I know all that, the AI and all documenation alreay metioned, that, so you you did not add anything new, I hope you are not AI as well.

what I'm looking here, I want to talk to person from the technical team to make sure all my settings are correctly done. we have over 500 users, and any small mistake would effect them. how I can contact the technical team?
VEMULA SRISAI 3,090 Reputation points Microsoft External Staff Moderator

2025-11-26T17:02:24.8766667+00:00

I understand your concern about ensuring all settings are correct for 500 users—small mistakes can have a big impact.

To ensure all settings are correctly configured and prevent issues for 500 users:

Replace Risk-Based Policies with Conditional Access

Create two separate CA policies:

User Risk Policy

Condition: User risk = High

Grant: Require secure password change (with MFA)

Ensure Password Writeback is enabled for hybrid users.

Sign-In Risk Policy

Condition: Sign-in risk = Medium → Require MFA

Condition: Sign-in risk = High → Block access

Do not combine user risk and sign-in risk in one policy.

Enable MFA + SSPR Safeguards

Migrate to Authentication Methods Policy (deprecates legacy MFA/SSPR).

Enable combined registration for MFA and SSPR.

Configure Temporary Access Pass (TAP) for recovery scenarios.

Prevent VPN Geo-Bypass

Define Named Locations for trusted IP ranges and countries.

Add CA policy to block sign-ins from untrusted countries.

Require device compliance for sensitive apps via Intune.

Apply CA to VPN connectivity using EAP-TLS certificates.

Protect Against Session Hijacking

Enable Continuous Access Evaluation (CAE) for Exchange, SharePoint, Teams.

Turn on Token Protection (device-bound tokens).

Integrate Microsoft Defender for Cloud Apps for session controls.

Safe Rollout

Start policies in Report-only mode.

Use Insights & Impact Analysis Workbook to validate.

Pilot with IT group → then phased enforcement.

Keep two break-glass accounts excluded and monitored.

For detailed guidance:

https://learn.microsoft.com/en-in/entra/id-protection/concept-identity-protection-policies

https://learn.microsoft.com/en-in/entra/identity/conditional-access/overview
VEMULA SRISAI 3,090 Reputation points Microsoft External Staff Moderator

2025-12-02T11:59:24.98+00:00

Khalid Hakim Following up regarding my previous response: Replace risk-based policies with Conditional Access, enable MFA/SSPR/TAP, enforce CAE and token protection, and roll out in report-only mode before enforcement. Let me know if you need anything further.
Khalid Hakim 0 Reputation points

2025-12-05T18:30:18.1333333+00:00

also I metioned, only admin is going to change the users password, letting users to change their own password would lead to security issues. I have been waiting for the technical team to contact me, but seems no one is here. we are big size compnay and we need a real support not suggestion and guidelines that may effect us.

Answer 1

To transition from User Risk and Sign-in Risk Policies in Microsoft Entra ID to Conditional Access (CA) policies while maintaining or enhancing security, consider the following best practices and recommendations:

Replacing User/Sign-in Risk Policies:
- Create equivalent User Risk and Sign-in Risk policies in Conditional Access. Utilize risk levels as signals to enforce actions such as requiring multifactor authentication (MFA) or blocking access for high-risk sign-ins. This can enhance your security posture by allowing you to tailor responses based on the assessed risk level.
- Enable risk-based Conditional Access policies to ensure that users are prompted for additional verification when a sign-in risk is detected.
User-Initiated Password Changes:
- While disabling user-initiated password changes can enhance security, consider re-enabling this feature with appropriate safeguards like MFA and Self-Service Password Reset (SSPR). This allows users to remediate risks themselves while maintaining security controls.
Preventing VPN Abuse:
- To detect or block users bypassing geo-restrictions via VPNs, leverage named locations in Conditional Access to define trusted IPs. Implement sign-in risk detection and device compliance checks. Additionally, consider integrating with Microsoft Defender for Identity to monitor suspicious activities that may indicate VPN abuse.
Session Hijacking Protection:
- Microsoft Entra ID provides built-in protections against session hijacking, including token replay detection and continuous access evaluation. You can also utilize session binding features to ensure that sessions remain secure and are tied to specific devices or locations.

For detailed guidance on configuring these policies, refer to the Microsoft documentation on Conditional Access and identity protection.

References:

Khalid Hakim 0 Reputation points

2025-11-20T06:12:33.42+00:00

is there a real agent who can help here. in the past we used to submit tickets and get help. now we are posting here. we have paid developer plan, and we expect more help other than AI generated answer and hit it to the dark. this is urgent request.

Share via

Guidance Needed on Transitioning from Risk-Based Policies to Conditional Access in Microsoft Entra ID

1 answer

Your answer