1.1.14 Enable Azure AD Identity Protection user risk policies

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.

Rationale:

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level.

Impact:

Upon policy activation, account access will be either blocked or the user will be required to use MFA and change their password. Users without registered MFA will be denied access, necessitating an admin to recover the account. To avoid inconvenience, it is advised to configure the MFA registration policy for all users under the User Risk policy.

Additionally, users identified in the Risky Users section will be affected by this policy. To gain a better understanding of the impact to the organization's environment, the list of Risky Users should be reviewed before enforcing the policy.

Solution

To configure a User risk policy, use the following steps:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Azure Active Directory > Protect & secure, then select Conditional Access.

On the Conditional Access page, create a new policy by selecting New policy.

Set the following conditions within the policy:

Under Users or workload identities choose All users

Under Cloud apps or actions choose All cloud apps

Under Conditions choose User risk then Yes in the right pane followed by the appropriate level.

Under Access Controls select Grant then in the right pane click Grant access then select Require password change.

Click Select.

You may opt to begin in a state of Report-only as you step through implementation; however, the policy will need to be set to On to take effect.

Click Create.

NOTE: For more information regarding risk levels, refer to Microsoft's Identity Protection & Risk documentation.
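As an added example (not part of the CIS audit text or Microsoft's documentation), the following Microsoft Graph PowerShell script checks a tenant for an enabled user-risk Conditional Access policy and can create the policy described in the steps above in Report-only mode. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can read and write Conditional Access policies; the policy display name is a constructed value.

```powershell
# Added example: audit for, and optionally create, a user-risk Conditional
# Access policy. Module and permissions are assumptions, not from the page.
param(
    [switch]$CreateIfMissing,
    [ValidateSet('low', 'medium', 'high')][string]$RiskLevel = 'high'
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Only policies that scope on user risk are relevant to this control.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$userRisk = $policies | Where-Object { $_.Conditions.UserRiskLevels.Count -gt 0 }

foreach ($p in $userRisk) {
    [pscustomobject]@{
        DisplayName   = $p.DisplayName
        State         = $p.State
        RiskLevels    = ($p.Conditions.UserRiskLevels -join ',')
        GrantControls = ($p.GrantControls.BuiltInControls -join ',')
    }
}

# Report-only ('enabledForReportingButNotEnforced') does not remediate,
# so the check passes only when a user-risk policy is in the 'enabled' state.
$enforced = $userRisk | Where-Object { $_.State -eq 'enabled' }
if ($enforced) {
    Write-Host "PASS: $($enforced.Count) enabled user-risk policy/policies found."
    return
}
Write-Warning 'FAIL: no enabled user-risk Conditional Access policy found.'

if ($CreateIfMissing) {
    # Mirrors the portal steps: all users, all cloud apps, user-risk condition,
    # grant access requiring password change. Graph requires 'mfa' alongside
    # 'passwordChange' with operator AND. Created in Report-only so the Risky
    # Users impact can be reviewed before the state is switched to 'enabled'.
    $body = @{
        displayName   = 'CIS 1.1.14 - User risk policy (constructed name)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All') }
            applications   = @{ includeApplications = @('All') }
            userRiskLevels = @($RiskLevel)
        }
        grantControls = @{
            operator        = 'AND'
            builtInControls = @('mfa', 'passwordChange')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
```

Run it without `-CreateIfMissing` to audit only; the table it emits shows which existing policies are still Report-only and therefore not yet satisfying the control.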

See Also

https://workbench.cisecurity.org/benchmarks/10751