
12 Microsoft 365 Security Features and Best Practice Guidance – 6: Identity Protection and Risk-Based Sign-In

  • Writer: HybrIT Marketing
  • May 19


What is it?

Microsoft Entra Identity Protection is a feature that helps organisations detect potential identity risks and automate the response to them. It uses machine learning and Microsoft’s global threat intelligence to identify risky users, risky sign-ins, and risk events, all of which can indicate potential account compromise.


Risk-Based Sign-In policies act upon these detections by enforcing controls such as multi-factor authentication (MFA), password resets, or blocking access entirely. The goal is to reduce the chance of unauthorised access without manual intervention.


There are three key types of risk that Identity Protection works with:


  • User risk – indicates the likelihood that a user’s identity has been compromised (e.g. leaked credentials)

  • Sign-in risk – identifies suspicious activity during sign-in attempts (e.g. atypical locations, unfamiliar devices, malware-linked IPs)

  • Risk detection events – signals derived from Microsoft’s security graph, which includes billions of data points from across the globe


These risks are scored as low, medium, or high, and you can configure policies to act differently depending on the severity.


Why does it matter?

With identity-based attacks now the most common initial vector in breaches, the ability to proactively block or challenge access when a user or session appears risky is critical.


Attackers often rely on:


  • Leaked or reused passwords

  • Social engineering and phishing

  • Token replay or man-in-the-middle attacks


Identity Protection strengthens your defences by:

  • Proactively detecting risks using Microsoft’s global intelligence

  • Automating response actions, like requiring MFA or blocking the login

  • Helping prevent account takeover before it results in a breach

  • Providing rich reports and alerts to security teams for investigation


It allows your security posture to evolve from reactive to intelligent and adaptive, reducing both the risk window and the admin burden.


What does Microsoft recommend?

Microsoft advises using Identity Protection in any organisation with Microsoft Entra ID P2 (previously Azure AD Premium P2), which is included in Microsoft 365 E5 or available as a standalone add-on.


Key recommendations:


  • Enable user risk policy to require password change or block access for high-risk users

  • Enable sign-in risk policy to prompt for MFA or deny access based on sign-in risk level

  • Exclude break-glass and emergency accounts from risk-based policies to prevent accidental lockouts

  • Use Identity Protection reports in the Entra admin portal to investigate trends and incidents

  • Combine with Conditional Access for granular access control based on user, location, device, or app context


Microsoft also suggests enabling these policies in "report-only" mode first to monitor potential impact before enforcing them.


Best Practice Tips

  • Confirm licensing: Identity Protection requires Microsoft Entra ID P2 (part of Microsoft 365 E5 or EMS E5)

  • Start with report-only mode: This helps assess user impact and false positives before enforcement

  • Enable User Risk Policy: Set to block or require password reset for medium/high risk users

  • Enable Sign-In Risk Policy: Set to require MFA or block sign-in for medium/high risk sign-ins

  • Regularly review Identity Protection reports: Access via Microsoft Entra admin centre > Protection > Identity Protection

  • Integrate with Conditional Access: Build layered policies using device compliance, app controls, or location data

  • Investigate and remediate risky users: Use the risk history and event detail to understand and resolve issues
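The tips above can be checked against a tenant's exported Conditional Access policies. The following is an added example, not code from HybrIT or Microsoft: it assumes policies shaped like Microsoft Graph `conditionalAccessPolicy` objects, and the function name, policy names and account IDs are hypothetical.

```python
# Added example: audit exported Conditional Access policies against the tips above.
REPORT_ONLY = "enabledForReportingButNotEnforced"
WANTED = {  # risk condition -> grant controls this page recommends for it
    "signInRiskLevels": {"mfa", "block"},
    "userRiskLevels": {"passwordChange", "block"},
}

def audit_risk_policies(policies, break_glass_ids):
    """Return findings for policies shaped like Graph conditionalAccessPolicy objects.
    break_glass_ids: object IDs of emergency accounts or groups (assumed known)."""
    findings, covered = [], set()
    for p in policies:
        cond = p.get("conditions") or {}
        kinds = [k for k in WANTED if cond.get(k)]
        if not kinds or p.get("state") == "disabled":
            continue  # not a risk-based policy, or switched off
        name = p.get("displayName", "<unnamed>")
        users = cond.get("users") or {}
        excluded = set(users.get("excludeUsers") or []) | set(users.get("excludeGroups") or [])
        missing = sorted(set(break_glass_ids) - excluded)
        if missing:
            findings.append(f"{name}: break-glass not excluded: {missing}")
        if p.get("state") == REPORT_ONLY:
            findings.append(f"{name}: report-only, not yet enforced")
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        for kind in kinds:
            covered.add(kind)
            if "high" not in cond[kind]:
                findings.append(f"{name}: {kind} does not include 'high'")
            if not controls & WANTED[kind]:
                findings.append(f"{name}: {kind} lacks any of {sorted(WANTED[kind])}")
    findings += [f"no active policy sets {k}" for k in WANTED if k not in covered]
    return findings

# Constructed sample data; IDs and names are placeholders, not real tenant values.
BREAK_GLASS = ["bg-account-id-placeholder"]
SAMPLE = [
    {"displayName": "CA-SignInRisk", "state": REPORT_ONLY,
     "conditions": {"signInRiskLevels": ["medium", "high"],
                    "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA-UserRisk", "state": "enabled",
     "conditions": {"userRiskLevels": ["high"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
]

if __name__ == "__main__":
    for line in audit_risk_policies(SAMPLE, BREAK_GLASS):
        print(line)
```

On the constructed sample it reports the sign-in risk policy as still report-only and the user risk policy as missing the break-glass exclusion.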


If integrated with Microsoft Sentinel, you can also trigger automated responses or alerts when new identity risks are detected.


How can HybrIT Help?

Identity Protection is one of the most powerful yet underused capabilities in Microsoft 365’s security toolkit. It offers automation, intelligence and real-time protection, reducing your exposure to common attacks without needing manual oversight.


We recommend:


  • Enabling Identity Protection wherever Microsoft Entra ID P2 is licensed

  • Integrating it with existing Conditional Access policies for a layered defence

  • Reviewing reports weekly as part of your security operations

  • Working with our team to assess risk trends and build playbooks for automated response


For organisations without P2 licensing, we can help simulate risk-based scenarios using Conditional Access and Microsoft 365 audit data and advise on the cost benefit of a licence upgrade.


📞 Call us on 03330 156 702

© Copyright 2025 HybrIT Services Ltd. All rights reserved. Registered in England and Wales No. 10479291
