CISA.MS.AAD.2.3 - Sign-ins detected as high risk SHALL be blocked.
Overview
Sign-ins detected as high risk SHALL be blocked.
Rationale: Blocking high-risk sign-ins prevents sign-ins that Identity Protection has judged likely compromised from accessing the tenant.
Remediation action:
Create a Conditional Access policy blocking sign-ins determined high risk by the Identity Protection service. Configure the following policy settings in the new Conditional Access policy as per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Conditions > Sign-in risk > High
- Access controls > Grant > Block Access
Note: While CISA recommends blocking, the Microsoft recommendation is to require multi-factor authentication for high-risk sign-ins.
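As an added example (not the project's own Test-MtCisaBlockHighRiskSignIn), the following PowerShell checks an existing Connect-MgGraph session for an enabled Conditional Access policy that carries the four settings above, and shows the Graph request body for creating one in report-only mode when none exists. It assumes the Microsoft.Graph.Identity.SignIns module, Policy.Read.All for the check and Policy.ReadWrite.ConditionalAccess for creation; user and app exclusions are not evaluated, so a matching policy with broad exclusions still needs manual review.

```powershell
# Added example, not Maester's own test. Requires Connect-MgGraph first.
Import-Module Microsoft.Graph.Identity.SignIns

function Test-HighRiskSignInBlockPolicy {
    [CmdletBinding()]
    param()
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    $matching = foreach ($p in $policies) {
        # Only an enabled policy enforces anything; report-only never blocks.
        if ($p.State -ne 'enabled') { continue }
        $c = $p.Conditions
        # Users > Include > All users
        if ($c.Users.IncludeUsers -notcontains 'All') { continue }
        # Target resources > Cloud apps > All cloud apps
        if ($c.Applications.IncludeApplications -notcontains 'All') { continue }
        # Conditions > Sign-in risk > High
        if ($c.SignInRiskLevels -notcontains 'high') { continue }
        # Access controls > Grant > Block Access
        if ($p.GrantControls.BuiltInControls -notcontains 'block') { continue }
        $p
    }
    # Return a simple result object the caller can assert on or report.
    [pscustomobject]@{
        Passed   = [bool]$matching
        Policies = @($matching | Select-Object -ExpandProperty DisplayName)
    }
}

$result = Test-HighRiskSignInBlockPolicy
if ($result.Passed) {
    Write-Host "CISA.MS.AAD.2.3 satisfied by: $($result.Policies -join ', ')"
} else {
    Write-Warning 'No enabled policy blocks high-risk sign-ins for all users and apps.'
    # Request body for the remediation policy. Assumed rollout choice: start in
    # report-only mode and switch state to 'enabled' after reviewing sign-in logs.
    $body = @{
        displayName   = 'CISA.MS.AAD.2.3 - Block high-risk sign-ins'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users            = @{ includeUsers = @('All') }
            applications     = @{ includeApplications = @('All') }
            signInRiskLevels = @('high')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    # Uncomment to create the policy in the signed-in tenant:
    # New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    $body | ConvertTo-Json -Depth 5
}
```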
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.2.3 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P2 |
| PowerShell test | Test-MtCisaBlockHighRiskSignIn |
| Tags | CISA, CISA.MS.AAD.2.3, Entra ID P2, MS.AAD, MS.AAD.2.3 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaBlockHighRiskSignIns.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaBlockHighRiskSignIn.ps1