Conditional Access

Conditional Access Policies

  • Reporting Only

  • Enforced Mode

  • Can be combined with Identity Protection

    • If a user with a medium risk signs in, require MFA or require user to reset credentials.

Full scope of CAP is available with P1 or P2 license.

Identity Protection:

  • Evaluates risk of all authentications, interactive or non-interactive.

  • Requires P2 license.

  • Often too noisy to investigate as a SOC, but catches TA often. Hard to investigate.

  • Risky User:

    • User has creds uploaded to dark web or creds exposed on github.

  • Risky Sign-in

    • User signs in from new location or new device.

Last updated