Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Rationale: Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication. Impact: When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.
To configure a Sign-In risk policy, use the following steps: Log in to https://admin.microsoft.com as a Global Administrator. Go to Admin centers and click on Azure Active Directory. Select Azure Active Directory then Security. Select Conditional Access. Create a new policy by selecting New policy. Set the following conditions within the policy. Under Users or workload identities choose All users Under Cloud apps or actions choose All cloud apps Under Conditions choose Sign-in risk then Yes in the right pane followed by the appropriate level. Under Access Controls select Grant then in the right pane click Grant access then select Require muilti-factor authentication. Click Select You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect. Click Create. NOTE: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc