Risk Policies
Configure automated responses to user risk and sign-in risk detected by Microsoft Entra ID Protection.
User Risk Policy
Responds to the cumulative risk level of a user account:
| Risk Level | Action |
|---|---|
| High | Require password change |
| Medium | Require MFA |
| Low | No action (monitor) |
Sign-in Risk Policy
Responds to the risk level of individual sign-in attempts:
| Risk Level | Action |
|---|---|
| High | Block sign-in |
| Medium | Require MFA |
| Low | Allow with MFA |
Risk Detection Types
- Leaked credentials — Credentials found in breach databases
- Anonymous IP — Sign-in from anonymous proxy
- Atypical travel — Impossible travel between locations
- Malware-linked IP — Sign-in from known malware IP
- Unfamiliar sign-in — Unusual sign-in properties
API Reference
GET /api/security/risk-policies— Get risk policiesPUT /api/security/risk-policies— Update risk policies
Last updated on