Quickstart: Block access when a session risk is detected with Azure Active Directory Conditional Access
To keep your environment protected, you might want to block suspicious users from sign-in. Azure Active Directory (Azure AD) Identity Protection analyzes each sign-in and calculates the likelihood that a sign-in attempt was not performed by the legitimate owner of a user account. The likelihood (low, medium, high) is indicated in form of a calculated value called sign-in risk levels. By setting the sign-in risk condition, you can configure a Conditional Access policy to respond to specific sign-in risk levels.
This quickstart shows how to configure a Conditional Access policy that blocks a sign-in when a configured sign-in risk level has been detected.
If you don't have an Azure subscription, create a free account before you begin.
To complete the scenario in this tutorial, you need:
- Access to an Azure AD Premium P2 edition - While Conditional Access is an Azure AD Premium P1 capability, you need a P2 edition because the scenario in this quickstart requires Identity Protection.
- Identity Protection - The scenario in this quickstart requires Identity Protection to be enabled. If you don't know how to enable Identity Protection, see Enabling Azure Active Directory Identity Protection.
- Tor Browser - The Tor Browser is designed to help you preserve your privacy online. Identity Protection detects a sign-in from a Tor Browser as sign-ins from anonymous IP addresses, which have a medium risk level. For more information, see Azure Active Directory risk events.
- A test account called Alain Charon - If you don't know how to create a test account, see Add cloud-based users.
Test your sign-in
The goal of this step is to make sure that your test account can access your tenant using the Tor Browser.
To test your sign-in:
- Sign in to your Azure portal as Alain Charon.
- Sign out.
Create your Conditional Access policy
The scenario in this quickstart uses a sign-in from a Tor Browser to generate a detected Sign-ins from anonymous IP addresses risk event. The risk level of this risk event is medium. To respond to this risk event, you set the sign-in risk condition to medium. In a production environment, you should set the sign-in risk condition either to high or to medium and high.
This section shows how to create the required Conditional Access policy. In your policy, set:
|Users and groups||Alain Charon|
|Cloud apps||All cloud apps|
To configure your Conditional Access policy:
Sign in to your Azure portal as global administrator, security administrator, or a Conditional Access administrator.
In the Azure portal, on the left navbar, click Azure Active Directory.
On the Azure Active Directory page, in the Security section, click Conditional Access.
On the Conditional Access page, in the toolbar on the top, click Add.
On the New page, in the Name textbox, type Block access for medium risk level.
In the Assignment section, click Users and groups.
On the Users and groups page:
- Click Select users and groups, and then select Users and groups.
- Click Select.
- On the Select page, select Alain Charon, and then click Select.
- On the Users and groups page, click Done.
Click Cloud apps.
On the Cloud apps page:
- Click All cloud apps.
- Click Done.
On the Conditions page:
- Click Sign-in risk.
- As Configure, click Yes.
- As sign-in risk level, select Medium.
- Click Select.
- On the Conditions page, click Done.
In the Access controls section, click Grant.
On the Grant page:
- Select Block access.
- Click Select.
In the Enable policy section, click On.
Evaluate a simulated sign-in
Now that you have configured your Conditional Access policy, you probably want to know whether it works as expected. As a first step, use the Conditional Access what if policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
When you run the what if policy tool for this scenario, the Block access for medium risk level should be listed under Policies that will apply.
To evaluate your Conditional Access policy:
On the Conditional Access - Policies page, in the menu on the top, click What If.
Click User, select Alan Charon on the Users page, and then click Select.
As Sign-in risk, select Medium.
Click What If.
Test your Conditional Access policy
In the previous section, you have learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your Conditional Access policy to make sure that it works as expected.
To test your policy, try to sign-in to your Azure portal as Alan Charon using the Tor Browser. Your sign-in attempt should be blocked by your Conditional Access policy.
Clean up resources
When no longer needed, delete the test user, the Tor Browser, and the Conditional Access policy:
If you don't know how to delete an Azure AD user, see Delete users from Azure AD.
To delete your policy, select your policy, and then click Delete in the quick access toolbar.
For instructions to remove the Tor Browser, see Uninstalling.