Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 3 Contributor

Identity Protection High Risk

Hi, we currently use AAD P2 with Identity Protection. It is setup when High Risk is detected, the password change is required from user and user is blocked to time when he go to SSPR.


I saw that after enforcement date for MFA for CSP, every sign-in to CSP tenant will be marked as High Risk to trigger baseline End User Protection.


But what with this Identity Protection. In this state it require MFA from Baseline and SSPR from Risk Policy. So I think the result will be password change every sign-in. So, should we stop use these rules in Identity Protection?


Or it will be working differently?


@WolfKPCS the behavior between the two will be similar and will result in the same outcome. When a compromised account is detected it will be locked, flagged for risk, require the user reset using a tool like SSPR, and an administrator to clear the risk. Since you have Azure AD P2 you can implement MFA with conditional access or through the baseline protection policies. Based on your configuration it might be best for you to enforce MFA for each user using conditional access.

Level 3 Contributor

Hi @idwilliams, yes. But Identity Protection using a "High Risk" event from AAD. But when you change that every CSP sign-in is a "High Risk" to trigger "Baseline Policy", it will also trigger this policy.


In my test the Identity Protection is higher requirement and SSPR get triggered, not MFA. So user cannot sign-in without need to password change. And because the same will apply to administrator accounts, who clear the risk, because all user will be in the same state.


We currently enforcing MFA based on Conditional Access. Compliant Intune Device allow MFA save for 14 days, sign-in from office when access badges used does not require MFA, MFA excluded for IP with service accounts combinations, sign-in externally always require MFA and only from allowed countries. Risks automatically dismissed with Identity Protection, Password Protection in place, people using Authenticatior, FIDO or Hello from Business. Guest accounts depends on their setup. Everything just works. Our Polycom, Surface Hub, our Dynamics CRM with CSP integrations, our meeting room apps with EWS and really mean that this setup is secured.


So, really need some statements how the per-user, CA policy, baseline CA policy and the "High Risk for CSP tenants" combined with Identity Protection will work.


Lot of customers were upset that they must bought new device for Polycom when switch to Teams, we also bought them. And now we can throw away all of this nice pice of Microsoft technology to showcase to our customer in CSP, because some CSP screw their security and someone from Microsoft made this non technically considered solution to this problems. When Microsoft do the same for their own tenant, tell me.


Cc: @JanoschUlmer, because he maybe have some solutions from AAD to Identity Protection or at least can track this question.


It will be ensured each access goes through MFA, it is not the plan to trigger password reset for every login. So -  using Identity Protection terms just to illustrate - the sign-in risk is considered reg. CSP, not the user risk. Details of the implementation will change as baseline policies evolve - so I'm using sign-in risk and user risk really just for illustration that Partner should not be concerned that every login requires to set up a new password.


Coming back to the question - what do you want to achieve? If you want to use Identity Protection to configure your own policies to assess risk, you can still do so. You can setup your own user risk policies if you want to, and if this triggers password reset it is up to your definition - the important thing is that you still ensure that MFA is used for every access attempt. Since custom Identity Protection policies can only be used to trigger MFA if a risk uis deteced, it might still be useful to have a "normal" conditional access policy additionally to identity protection policies that requires every user, regardless of risk level, to go through MFA. 

So, Identity Protection is an optional, additional layer, to fulfill the Partner Center Security requirements you will need normal conditional access or per-user MFA also. Only the special baseline policies allow both at the same time - having some identity protection features + ensure MFA is used every time. 


Example on using combination of policies:

 - Use conditional access to trigger MFA for one group of user account. Optionally with additional controls & conditions like only allowing certain location.

 - Enable MFA per user for all user accounts were you need to use app passwords (Same user can also be target of a conditional access rule - I tested this successfully)

 - Since you have P2 licenses I would recommend to enable you own identity protection policies for user risk - for all users, independently from any MFA enforcement. You can of course also use the baseline policies, but P2 gives you the option to customize the risk levels.


The decision to require MFA for every user account was a very technical decision, it is based on the fact how lateral movements of attacks are happening. Also the decision not to allow exceptions and not allowing to consider internal networks as being secure was based on technical considerations.

It is true however, that this decision was made, had to be made, without having immediate answers or solutions for every other product& service.  Teams Rooms is one of that - where engineering is already on working on a solution (Don't have details on how those will look like in detail though).



Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
Level 3 Contributor



I wanted to reach out and ask about the way the baseline performace is intended to perform based on the following understand.


  • All Conditioonal access Polcies run checks and exist together
  • Baseline Policy will only MFA when use is being looked at for Risky sign in.
  • My Custome conditional access is set to MFA on every log in.

I have run the powershell suggested to check the transactions of the users based on the security score. However i am seeing users who are successful log ins without MFA challenge. When receiving the log in's, the user are showing failed on the Custom CA and succeeding on the baseline user protection policy. I had enabled SSPR and baseline policy due to my MSOl account breaking after adding it to my Custom conditional policy that MFA's everytime and has no exclused location or Accounts.



Is the expectation that user baseline is going to override anything custom i have in my tenant? If so, then what is the benefit of having Azure P1 for CA if it is overridden by a policy i was forced to use by enabling the baseline policy? Is this working as intended? It appears my security score feels that i still have users that arent compliant and baseline user protection is enabled. I had engaged support per the FAQ when the on prem MSOL stopped syncing after MFA Custom CA.

Thank you,


@dferrell : Was in vacation, otherwise I would have answered earlier.

I have done some testing inthe meantime, and a custom CA policy did kick in while baseline policy was enabled. Note, that if you enforce MFA via your own conditional access rule for evers user, there is no obligation to enable baseline policies also. Still enabling both should work.


Did you already get some feedback from support reg. this?

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
Level 3 Contributor

Hello Yes,


I worked with Support and the Azure AD MSOL account would not function if the Custom CA was enabled and did not function until i enabled the baseline user protection policy at the recommendation of support. The account was created when Azure AD Connect was installed and is not custom.


Turning on Baseline Support was the recommendation of Support. Once i turned that on, i observed that the Custome CA policies were not kicking in and Baseline was applying. I have also seen Baseline apply to users and the Custome CA shows a failure and the Log in Shows failure in the logs but was successful. Is this due to a legacy authentication (See attached Screenshot)? This does not apply for all users, this appears to be an Android mobile and our users are using Outlook Mobile active sync connection.


Also with the accounts that never log in like resource rooms, Sharepoint mailboxes etc that will be covered by the baseline policy but count against us in security score as not being registered for MFA. Is that going to be an exclusion when we do our self audits?


I appreciate the information.