
As organizations shift to passwordless authentication to improve security and user experience, it's essential to adapt Conditional Access (CA) policies for risk-based access. While passwordless methods reduce credential compromise, identity threats still exist. This blog extends my previous guide on Conditional Access, focusing on managing User Risk and Sign-in Risk for passwordless users with Microsoft Entra ID Protection.
Understanding Risk Detection for Passwordless Users
- User Risk: Indicates that a user's identity may be compromised.
- Sign-in Risk: Flags suspicious or anomalous sign-in behavior.
These risks are still relevant in passwordless scenarios and must be managed through Conditional Access.
Conditional Access Risk-Based Policy Types
- User Risk Policy: Enforces secure remediation when a user is deemed risky.
- Sign-in Risk Policy: Triggers authentication verification during suspicious sign-in attempts.
These policies allow self-remediation where possible, balancing usability and security.
Recommended Configuration for Passwordless Accounts
User Risk Policy
- Users: Include group of passwordless users
- Exclude: Break-glass/emergency accounts
- Target resources: Choose All Resources
- User risk: Select High (This guidance is based on Microsoft recommendations and might be different for each organization)
- Access Control: Block access (at High risk)
- Remediation: Administrator intervention is required, because passwordless users cannot remediate themselves through a self-service password reset (unless access is blocked, or the reset option is only allowed for Low and Medium risk levels).
Tip: Create dual policies temporarily
✔ One for users with passwords (allow a secure password change)
✔ One for passwordless users (block access and let an admin investigate and clear the risk)
Sign-in Risk Policy
- Users: Include passwordless group
- Exclude: Break-glass/emergency accounts
- Target resources: Choose All Resources
- Conditions: Sign-in risk level = Medium and High
- Grant Access: Require authentication strength → Passwordless MFA or Phishing-resistant MFA
- Session Control: Sign-in frequency = Every time
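The two policies above, expressed as Microsoft Graph `conditionalAccessPolicy` payloads, plus a small lint check for the guidance on this page. This is an added example, not code from the original post: the group and break-glass IDs are placeholders you replace with your tenant's object IDs, the authentication strength IDs are Microsoft's documented built-in ones, and starting in report-only mode is an assumption of the example, so you can review impact before switching to enforce.

```python
"""Build the User Risk and Sign-in Risk Conditional Access policies as
Microsoft Graph `conditionalAccessPolicy` JSON, then lint them against the
recommendations (break-glass excluded, All Resources targeted, user risk and
sign-in risk kept in separate policies, report-only before enforcement).

POST each payload to
  https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
with Policy.ReadWrite.ConditionalAccess consent.
"""
import json

# Placeholder object IDs (assumption: replace with your tenant's values).
PASSWORDLESS_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"
BREAK_GLASS_ACCOUNT_IDS = ["00000000-0000-0000-0000-00000000bbbb"]

# Built-in authentication strength policy IDs documented by Microsoft.
PASSWORDLESS_MFA_STRENGTH = "00000000-0000-0000-0000-000000000003"
PHISHING_RESISTANT_MFA_STRENGTH = "00000000-0000-0000-0000-000000000004"


def _scope():
    """Users in scope, emergency accounts excluded, all resources targeted."""
    return {
        "users": {
            "includeGroups": [PASSWORDLESS_GROUP_ID],
            "excludeUsers": list(BREAK_GLASS_ACCOUNT_IDS),
        },
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    }


def user_risk_policy():
    """High user risk -> block; an admin investigates and clears the risk."""
    conditions = _scope()
    conditions["userRiskLevels"] = ["high"]
    return {
        "displayName": "CA - Passwordless - Block on High User Risk",
        # Report-only first: review the sign-in log impact, then enforce.
        "state": "enabledForReportingButNotEnforced",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def sign_in_risk_policy(phishing_resistant=True):
    """Medium/High sign-in risk -> require a strong authentication strength
    and re-authenticate on every sign-in."""
    conditions = _scope()
    conditions["signInRiskLevels"] = ["medium", "high"]
    strength = (PHISHING_RESISTANT_MFA_STRENGTH if phishing_resistant
                else PASSWORDLESS_MFA_STRENGTH)
    return {
        "displayName": "CA - Passwordless - Strong auth on risky sign-in",
        "state": "enabledForReportingButNotEnforced",
        "conditions": conditions,
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": strength}},
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def lint_policy(policy):
    """Return the list of guidance violations; an empty list means it passes."""
    problems = []
    cond = policy.get("conditions", {})
    if not cond.get("users", {}).get("excludeUsers"):
        problems.append("no break-glass accounts excluded")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        problems.append("target resources should be All Resources")
    if cond.get("userRiskLevels") and cond.get("signInRiskLevels"):
        problems.append("keep user risk and sign-in risk in separate policies")
    if policy.get("state") == "enabled":
        problems.append("enable report-only first and review impact")
    return problems


if __name__ == "__main__":
    for policy in (user_risk_policy(), sign_in_risk_policy()):
        print(json.dumps(policy, indent=2))
        print("lint:", lint_policy(policy) or "ok")
```

The lint deliberately rejects a policy that sets both `userRiskLevels` and `signInRiskLevels`, since one policy cannot express the different remediation each risk type needs (block and clear versus step-up authentication).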
Investigating and Remediating Risk
Before enforcing policies, review and clean up active risks. Use the Entra ID Protection reports under Microsoft Entra Admin Center → Protection → Identity Protection:
- Risky Users
- Risky Sign-ins
- Risk Detections
In each report you can:
- Filter by risk level
- Confirm or dismiss risk
- Open individual detections to review event details
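A pre-enforcement review over the Risky Users report, as an added example that is not part of the original post: it applies the High user-risk block rule (scope, break-glass exclusion, risk level and an active risk state) to the current report and lists the accounts an admin must investigate before the policy is switched on. The records are constructed samples shaped like the Microsoft Graph `riskyUser` resource (`riskLevel`, `riskState`); the users, IDs and group membership are fictional.

```python
"""Who would the High user-risk block policy lock out today?

Run this against the Risky Users report (Graph: GET /identityProtection/riskyUsers)
before enforcement so each affected account can be investigated and either
confirmed compromised or dismissed first.  The data below is constructed.
"""

# Constructed sample records modelled on the riskyUser resource fields.
RISKY_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example",
     "riskLevel": "high", "riskState": "atRisk"},
    {"id": "u2", "userPrincipalName": "bob@contoso.example",
     "riskLevel": "medium", "riskState": "atRisk"},
    {"id": "u3", "userPrincipalName": "carol@contoso.example",
     "riskLevel": "high", "riskState": "remediated"},
    {"id": "u4", "userPrincipalName": "breakglass@contoso.example",
     "riskLevel": "high", "riskState": "atRisk"},
    {"id": "u5", "userPrincipalName": "dave@contoso.example",
     "riskLevel": "high", "riskState": "confirmedCompromised"},
]

# Assumption: group membership has already been resolved to user object IDs.
PASSWORDLESS_GROUP = {"u1", "u2", "u3", "u4"}
BREAK_GLASS = {"u4"}

# Only these riskState values still carry an active risk; remediated,
# dismissed and confirmedSafe users no longer trigger the policy.
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}


def would_be_blocked(user, in_scope, excluded, block_levels=("high",)):
    """True if the user-risk policy would block this account right now."""
    if user["id"] in excluded or user["id"] not in in_scope:
        return False
    return user["riskLevel"] in block_levels and user["riskState"] in ACTIVE_STATES


def impact_report(users=RISKY_USERS, in_scope=PASSWORDLESS_GROUP, excluded=BREAK_GLASS):
    """Sorted UPNs that need admin review (confirm or dismiss) before enforcing."""
    return sorted(u["userPrincipalName"] for u in users
                  if would_be_blocked(u, in_scope, excluded))


if __name__ == "__main__":
    for upn in impact_report():
        print("review before enforcing:", upn)
```

In the sample, only alice is listed: bob is Medium (not in the block condition), carol's risk is already remediated, the break-glass account is excluded, and dave is not in the passwordless group. In Graph, the admin decisions map to the `riskyUsers/confirmCompromised` and `riskyUsers/dismiss` actions.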
Best Practices and Considerations
- Exclude break-glass and service accounts from risk policies
- Maintain separate policies for User Risk and Sign-in Risk: each type signals a different threat and requires a different remediation action.
- During the transition to passwordless authentication, apply dual policies to support both password-based and passwordless users.
- Carefully plan and configure risk levels based on your organization's business needs and security posture.
- Educate users and ensure that MFA and passwordless registration are complete
📝 Conclusion
Passwordless authentication strengthens security, but threats like token theft and session hijacking still require vigilance. Microsoft Entra ID Protection empowers organizations to monitor, investigate, and mitigate risk using risk-based Conditional Access policies. By tailoring risk policies for passwordless accounts, you ensure your modern identity strategy remains secure and adaptive. Don't forget to pair this with continuous monitoring and proper emergency account management.
📌 Want more Entra ID insights? Check out my previous blog on Mastering Conditional Access Policies.