Microsoft Entra ID Protection – Risk-Based Conditional Access for Small Businesses in Berlin

Standard Conditional Access policies make binary decisions: does the user have MFA, is the device compliant, is the network trusted. Microsoft Entra ID Protection adds a risk dimension to this model. It continuously analyzes sign-in signals across Microsoft’s global threat intelligence network and assigns a real-time risk score to every authentication event. Your Conditional Access policies can then respond dynamically — requiring step-up verification for a risky sign-in, or automatically blocking access when the risk score crosses a threshold. For Berlin SMBs on Microsoft 365 Business Premium or Entra ID P2, this is the layer that catches compromised credentials before the attacker establishes a persistent foothold.

What Entra ID Protection Detects

ID Protection generates two types of risk signals:

Sign-In Risk

Evaluated per authentication attempt. Risk detections include:

Detection	Description	Risk Level
Atypical travel	Sign-in from a location physically impossible given prior sign-in location and time	Medium
Anonymous IP address	Sign-in from known Tor exit node or VPN anonymizer	Medium
Malware-linked IP address	IP associated with botnet C2 infrastructure	High
Unfamiliar sign-in properties	Sign-in properties (location, ASN, device) deviate significantly from user baseline	Medium
Admin confirmed user compromised	An administrator has manually confirmed the account is compromised	High
Token issuer anomaly	Token refresh behavior inconsistent with normal session lifecycle	High

User Risk

Accumulated over time for the user account. Elevated by:

• Leaked credentials: Microsoft’s threat intelligence monitors dark web credential dumps and paste sites. When a username/password pair from your tenant appears in a breach dump, the account’s user risk is set to High
• Azure AD threat intelligence: Patterns matching known attack techniques targeting the account
• Unusual user activity: Behavioral patterns inconsistent with the user’s historical baseline

Risk-Based Conditional Access Policies

ID Protection integrates directly with Conditional Access. Two foundational policies every tenant should configure:

Policy 1: Sign-In Risk Policy

Parameter	Setting
Users	All users (exclude emergency access accounts)
Sign-in risk level	Medium and above
Grant control	Require MFA
Session control	Sign-in frequency: every time (disables persistent sessions for risky sign-ins)

Policy 2: User Risk Policy

Parameter	Setting
Users	All users (exclude emergency access accounts)
User risk level	High
Grant control	Require password change (combined with MFA to authenticate before the reset)
Effect	Forces the user to create a new password, invalidating any stolen credentials

The user risk policy is particularly important for leaked credential detection. When a password appears in a breach dump, Microsoft sets the user risk to High within hours of discovery. The user risk policy then forces a password change on next sign-in, automatically remediating the compromised credential without requiring admin intervention.

MFA Registration Policy

A prerequisite for risk-based CA to work is that users have MFA registered. If a risky sign-in triggers an MFA requirement but the user has never registered an MFA method, they are blocked. The ID Protection MFA registration policy (Entra ID → Security → Identity Protection → MFA registration policy) enforces MFA registration for all users — it’s separate from the standard CA-based MFA requirement and specifically targets the registration step.

Set to: All users, enforce policy. This ensures every user registers at least one MFA method before a risk event forces it at an inconvenient time.

Investigating Risk Events

Navigation: Entra ID → Security → Identity Protection

Three key report views:

• Risky users: All users currently elevated to Medium or High risk. Actions available: Confirm compromised (escalates to High, triggers immediate remediation) or Dismiss user risk (clears the risk if determined to be a false positive)
• Risky sign-ins: Individual authentication events with risk detections. Filter by date range, risk level, detection type
• Risk detections: Raw detection events with full technical detail — IP address, detection timing, associated user, detection type

When you see a High-risk user in the report, the investigation workflow is: review the sign-in details, check the detection type (leaked credentials is almost always a true positive), contact the user to confirm whether the activity was legitimate, then either confirm compromised (triggers forced password change) or dismiss if it’s a confirmed false positive (e.g., the user was actually traveling).

Licensing Requirements

Entra ID Protection requires Entra ID P2, included in:

• Microsoft 365 Business Premium (included)
• Microsoft 365 E5
• Entra ID P2 standalone

Risk-based CA policies (the integration between ID Protection detections and CA enforcement) require both Entra ID P1 (for CA) and P2 (for ID Protection). Business Premium includes both.

False Positive Management

The most common false positive in SMB environments is atypical travel triggered by users who legitimately travel between offices or work from client sites. Strategies to reduce noise:

• Add trusted named locations for offices and regularly-visited client sites
• For users who frequently travel, consider a sign-in risk policy that requires MFA (rather than blocking) for Medium risk — this allows legitimate users to self-remediate with a second factor rather than being blocked
• Train users to recognize the MFA prompt as a security check rather than a system error, so they complete it rather than abandoning the session

Entra ID Protection shifts your identity security posture from reactive (investigating breaches after they happen) to proactive (detecting and blocking compromised credential use in real time). For Berlin SMBs handling client data, this is the control that prevents a single phished password from becoming a full tenancy compromise.