---
title: Risk policies - Microsoft Entra ID Protection
description: Enable and configure risk policies in Microsoft Entra ID Protection.
ms.topic: how-to
ms.date: 10/30/2025
ms.reviewer: cokoopma
---

Configure and enable risk policies

There are two types of risk policies you can set up in Microsoft Entra Conditional Access: a user risk policy and a sign-in risk policy. You can use these policies to automate the response to risk, allowing users to self-remediate when risk is detected:

Warning

Don't combine sign-in risk and user risk conditions in the same Conditional Access policy. Create separate policies for each risk condition.

Screenshot of a Conditional Access policy showing risk as conditions.

Prerequisites

  • The Microsoft Entra ID P2 or Microsoft Entra Suite license is required for full access to Microsoft Entra ID Protection features.
  • The Conditional Access Administrator role is the least privileged role required to create or edit Conditional Access policies.

Choosing acceptable risk levels

Organizations must decide the level of risk they want to require access control on, while balancing security posture and user productivity.

Choosing to apply access control on a High risk level reduces the number of times a policy is triggered and minimizes friction for users. However, it excludes Low and Medium risks from the policy, which might not block an attacker from exploiting a compromised identity. Selecting Medium and/or Low risk levels usually introduces more user interrupts.

Configured trusted network locations are used by Microsoft Entra ID Protection in some risk detections to reduce false positives.

Risk remediation

Organizations can choose to block access when risk is detected. Blocking sometimes stops legitimate users from doing what they need to. A better solution is to configure user and sign-in risk-based Conditional Access policies that allow users to self-remediate.

Warning

Users must register for Microsoft Entra multifactor authentication before they face a situation requiring remediation. For hybrid users who are synced from on-premises, password writeback must be enabled. Users who aren't registered are blocked and require administrator intervention.

A password change performed outside of the risky user policy remediation flow (the "I know my password and want to change it to something new" path) doesn't meet the requirement for a secure password change.

Microsoft recommendations

Microsoft recommends the following risk policy configurations to protect your organization:

User risk policy

Organizations should select Require risk remediation when user risk level is High. For passwordless users, Microsoft Entra revokes the user's sessions so they must reauthenticate. For users with passwords, they're prompted to complete a secure password change after a successful Microsoft Entra multifactor authentication.

When Require risk remediation is selected, two settings are automatically applied:

  • Require authentication strength is automatically selected as a grant control.
  • Sign-in frequency - Every time is automatically applied as a session control.

Sign-in risk policy

Require Microsoft Entra multifactor authentication when sign-in risk level is Medium or High. This configuration allows users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.

We also recommend including the sign-in frequency session control to require reauthentication for risky sign-ins. A successful "strong authentication", usually via multifactor authentication or passwordless authentication, is the only way to self-remediate sign-in risk, regardless of the risk level.

Enable policies

Organizations can choose to deploy risk-based policies in Conditional Access using the following steps or use Conditional Access templates.

Before organizations enable these policies, they should take action to investigate and remediate any active risks.

Policy exclusions

[!INCLUDE active-directory-policy-exclusions]

User risk policy in Conditional Access

[!INCLUDE conditional-access-policy-user-risk]

Sign-in risk policy in Conditional Access

[!INCLUDE conditional-access-policy-sign-in-risk]

Migrate risk policies to Conditional Access

If you have legacy risk policies enabled in Microsoft Entra ID Protection, you should plan to migrate them to Conditional Access:

Warning

The legacy risk policies configured in Microsoft Entra ID Protection will be retired on October 1, 2026.

Migrate to Conditional Access

  1. Create equivalent user risk-based and sign-in risk-based policies in Conditional Access in report-only mode. You can create a policy by following the previous steps or by using Conditional Access templates, based on Microsoft's recommendations and your organizational requirements.
    1. After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
  2. Disable the old risk policies in ID Protection.
    1. Browse to ID Protection > Dashboard > Select the User risk or Sign-in risk policy.
    2. Set Enforce policy to Disabled.
  3. Create other risk policies if needed in Conditional Access.
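The two recommended policies from the Microsoft recommendations section, built as Microsoft Graph conditionalAccessPolicy request bodies in report-only mode as the migration steps require, plus a lint check for the pitfalls this page calls out (user risk and sign-in risk mixed in one policy, not starting report-only, no "every time" sign-in frequency). This is an added example, not code from the page or from Microsoft; it assumes the public Graph field names for conditionalAccessPolicy, represents "Require risk remediation" with the built-in Multifactor authentication strength id (an assumption), and takes the excluded group id as a placeholder.

```python
# Assumption: built-in "Multifactor authentication" strength id; pick your own.
MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000002"
REPORT_ONLY = "enabledForReportingButNotEnforced"
# Sign-in frequency "Every time": reauthenticate on each access.
EVERY_TIME = {
    "isEnabled": True,
    "frequencyInterval": "everyTime",
    "authenticationType": "primaryAndSecondaryAuthentication",
}

def _base(display_name, exclude_group_id):
    """Common shell: all users and apps, report-only, one excluded group."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "sessionControls": {"signInFrequency": dict(EVERY_TIME)},
    }

def user_risk_policy(exclude_group_id):
    """High user risk: require authentication strength plus sign-in every time."""
    policy = _base("ID Protection - remediate high user risk", exclude_group_id)
    policy["conditions"]["userRiskLevels"] = ["high"]
    policy["grantControls"] = {"operator": "OR",
                               "authenticationStrength": {"id": MFA_STRENGTH_ID}}
    return policy

def sign_in_risk_policy(exclude_group_id):
    """Medium or high sign-in risk: require MFA plus sign-in every time."""
    policy = _base("ID Protection - MFA for risky sign-ins", exclude_group_id)
    policy["conditions"]["signInRiskLevels"] = ["medium", "high"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy

def lint_policy(policy):
    """Findings against this page's guidance; an empty list means it passes."""
    findings = []
    conditions = policy.get("conditions", {})
    if conditions.get("userRiskLevels") and conditions.get("signInRiskLevels"):
        findings.append("user risk and sign-in risk combined in one policy")
    if policy.get("state") != REPORT_ONLY:
        findings.append("not starting in report-only mode")
    sif = policy.get("sessionControls", {}).get("signInFrequency", {})
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("sign-in frequency 'every time' session control missing")
    return findings
```

Run `lint_policy` over any existing policy body exported from Graph before flipping it from report-only to On.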

Related content