Getting started with Conditional Access: End user protection

Since a few weeks Microsoft started adding three new Conditional Access policies. Today we take a closer look at the following new policy: Baseline policy: End user protection

This policy protects users by requiring multi-factor authentication (MFA) during risky sign-in attempts to all applications. Users with leaked credentials are blocked from signing in until a password reset.

Once the policy is enabled, users are required to register for MFA within 14 days of their first login attempt. The default method of MFA registration is the Microsoft Authenticator App.

What I really like about this policy is that users shouldn’t be prompted with MFA every single time they sign-in. Authentication requests that reflect normal user behavior, such as signing in from the same device from the same location, have a low chance of compromise. Only sign-ins that are deemed risky and show characteristics of a bad actor should be prompted with MFA challenges.

How to Activate the Policy:

1. Navigate to the Azure portal >
2. Go to the [Azure AD]
3. Choose [Conditional Access]
4. Click the policy: [Baseline policy: End user protection (Preview)]
5. Select “Enable Policy” > [ON]
*At the moment you can’t add exclusions. This was possible a while ago but the functionality is still in preview.

Compromised accounts

Compromised user accounts will be blocked until their password is reset and the risk event have been dismissed.

You can unblock a user trough the Azure portal and then navigate to: [Azure Active Directory] > [Users flagged for risk]

Test the Policy

When the policy is activated you can test it by logging in to for example the

You will see a different prompt then usual, because now you can skip the Multi-factor Authentication for 14 days. After that you will be forced to register with the Microsoft Authenticator.

You can also combine the policy with the (new) enhanced registration page to configure Multi-factor Authentication & Self Service Password Reset at the same time.

This is also still in preview and can be activated at:
[Azure portal] -> [User Settings] -> [User Feature Previews]

Some final takeaways:
1. This policy applies to guest users also.
2. this policy blocks all authentication requests made to administrator accounts from legacy protocols.
3. When possible always block legacy authentication for all other users. (Hint: Baseline policy: Block legacy authentication)

Thanks for reading, always remember that technology that is still in preview can change anytime.

Leave a Reply

Your email address will not be published.