Lab · Entra ID

Conditional Access & Identity Protection

By Andreas Krisby, 2026-05-25

Background

I wanted to better understand how Microsoft Entra Identity Protection works in practice and how risk-based Conditional Access can be used to protect user accounts.

Instead of requiring MFA for every sign-in, I wanted to see how Entra reacts when a user or a sign-in is considered risky.

What I Built

In this lab, I configured:

  • Microsoft Entra Identity Protection
  • Risk-based Conditional Access policies
  • MFA using Microsoft Authenticator
  • A dedicated test account for simulating different sign-in scenarios

What I Tested

I tested several scenarios, including:

  • VPN connections
  • Incognito/InPrivate sessions
  • Multiple new sessions
  • Repeated sign-ins

The goal was to observe whether Entra would classify the user or sign-ins as risky and how Conditional Access would respond.

Results

The lab gave me a better understanding of:

  • The difference between User Risk and Sign-In Risk
  • How Identity Protection detects unusual behavior
  • How Conditional Access can respond dynamically to risk levels
  • How the What If Tool can be used to validate policies before production deployment

Reflection

What I found most interesting was that Conditional Access is not only about allowing or blocking access.

By combining it with Identity Protection, access decisions can be adjusted based on the risk level of a user or sign-in. This allows organizations to apply additional controls only when they are actually needed, rather than treating every sign-in the same way.
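
The following is an added example, not the author's lab configuration. It is a small linter over policy data in the Microsoft Graph conditionalAccessPolicy shape that flags mistakes tied to the User Risk versus Sign-In Risk distinction and to enforcing a policy too broadly. The sample policies, the placeholder test-account ID and the function names are constructed for illustration.

```python
"""Lint Conditional Access policy dicts (Microsoft Graph conditionalAccessPolicy shape)."""

TEST_USER = "00000000-0000-0000-0000-000000000000"  # placeholder object ID (assumption)
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph value for report-only mode

def policy(name, state, users, controls, user_risk=(), signin_risk=()):
    """Build a constructed sample policy with only the fields the linter reads."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": users,
                       "userRiskLevels": list(user_risk),
                       "signInRiskLevels": list(signin_risk)},
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
    }

def lint_policy(p):
    """Return a list of findings for one policy dict (empty list means clean)."""
    findings = []
    cond = p.get("conditions", {})
    users = cond.get("users", {})
    user_risk = cond.get("userRiskLevels") or []
    signin_risk = cond.get("signInRiskLevels") or []
    controls = (p.get("grantControls") or {}).get("builtInControls") or []
    # Conditions inside one policy are ANDed: with both lists set, the policy
    # only applies when the user AND the sign-in are risky at the same time.
    if user_risk and signin_risk:
        findings.append("user risk and sign-in risk combined in one policy")
    # A password change remediates a risky user, not a single risky sign-in.
    if "passwordChange" in controls and not user_risk:
        findings.append("passwordChange without a user risk condition")
    # Enforced for everyone with no exclusion can lock out emergency accounts.
    if (p.get("state") == "enabled" and "All" in users.get("includeUsers", [])
            and not users.get("excludeUsers") and not users.get("excludeGroups")):
        findings.append("enforced for all users with no emergency-access exclusion")
    return findings

# Constructed samples: two report-only lab policies and one problematic policy.
SIGNIN_MFA = policy("Lab - sign-in risk requires MFA", REPORT_ONLY,
                    {"includeUsers": [TEST_USER]}, ["mfa"], signin_risk=["medium", "high"])
USER_PWCHANGE = policy("Lab - user risk requires password change", REPORT_ONLY,
                       {"includeUsers": [TEST_USER]}, ["mfa", "passwordChange"], user_risk=["high"])
COMBINED = policy("Combined and enforced", "enabled",
                  {"includeUsers": ["All"]}, ["mfa"], user_risk=["high"], signin_risk=["high"])

if __name__ == "__main__":
    for p in (SIGNIN_MFA, USER_PWCHANGE, COMBINED):
        print(p["displayName"], "->", lint_policy(p) or "ok")
```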