Quickstart: Block access when a session risk is detected with Azure Active Directory Conditional Access

To keep your environment protected, you might want to block suspicious users from signing in. Azure Active Directory (Azure AD) Identity Protection analyzes each sign-in and calculates the likelihood that a sign-in attempt was not performed by the legitimate owner of a user account. The likelihood (low, medium, high) is expressed as a calculated value called the sign-in risk level. By setting the sign-in risk condition, you can configure a Conditional Access policy to respond to specific sign-in risk levels.

This quickstart shows how to configure a Conditional Access policy that blocks a sign-in when a configured sign-in risk level has been detected.

If you don't have an Azure subscription, create a free account before you begin.


To complete the scenario in this tutorial, you need:

  • Access to an Azure AD Premium P2 edition - While Conditional Access is an Azure AD Premium P1 capability, you need a P2 edition because the scenario in this quickstart requires Identity Protection.
  • Identity Protection - The scenario in this quickstart requires Identity Protection to be enabled. If you don't know how to enable Identity Protection, see Enabling Azure Active Directory Identity Protection.
  • Tor Browser - The Tor Browser is designed to help you preserve your privacy online. Identity Protection detects a sign-in from the Tor Browser as a sign-in from an anonymous IP address, which has a medium risk level. For more information, see Azure Active Directory risk detections.
  • A test account called Alain Charon - If you don't know how to create a test account, see Add cloud-based users.

Test your sign-in

The goal of this step is to make sure that your test account can access your tenant using the Tor Browser.

To test your sign-in:

  1. Sign in to your Azure portal as Alain Charon.
  2. Sign out.

Create your Conditional Access policy

The scenario in this quickstart uses a sign-in from the Tor Browser to trigger the "Sign-ins from anonymous IP addresses" risk detection. The risk level of this risk detection is medium. To respond to this risk detection, you set the sign-in risk condition to medium. In a production environment, you should set the sign-in risk condition either to high or to medium and high.

This section shows how to create the required Conditional Access policy. In your policy, set:

Setting            Value
Users and groups   Alain Charon
Cloud apps         All cloud apps
Sign-in risk       Medium
Grant              Block access

To configure your Conditional Access policy:

  1. Sign in to your Azure portal as a global administrator, security administrator, or Conditional Access administrator.

  2. In the Azure portal, on the left navbar, click Azure Active Directory.

  3. On the Azure Active Directory page, in the Security section, click Conditional Access.

  4. On the Conditional Access page, in the toolbar on the top, click Add.


  5. On the New page, in the Name textbox, type Block access for medium risk level.


  6. In the Assignment section, click Users and groups.

  7. On the Users and groups page:

    1. Click Select users and groups, and then select Users and groups.
    2. Click Select.
    3. On the Select page, select Alain Charon, and then click Select.
    4. On the Users and groups page, click Done.
  8. Click Cloud apps.

  9. On the Cloud apps page:

    1. Click All cloud apps.
    2. Click Done.
  10. Click Conditions.

  11. On the Conditions page:

    1. Click Sign-in risk.
    2. As Configure, click Yes.
    3. As sign-in risk level, select Medium.
    4. Click Select.
    5. On the Conditions page, click Done.
  12. In the Access controls section, click Grant.

  13. On the Grant page:

    1. Select Block access.
    2. Click Select.
  14. In the Enable policy section, click On.

  15. Click Create.

Evaluate a simulated sign-in

Now that you have configured your Conditional Access policy, you probably want to know whether it works as expected. As a first step, use the Conditional Access What If policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

When you run the What If policy tool for this scenario, the Block access for medium risk level policy should be listed under Policies that will apply.


To evaluate your Conditional Access policy:

  1. On the Conditional Access - Policies page, in the menu on the top, click What If.

  2. Click User, select Alain Charon on the Users page, and then click Select.


  3. As Sign-in risk, select Medium.


  4. Click What If.
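
The policy built in the portal steps and checked with What If above, as an added example (not part of the original quickstart): the same settings as a Microsoft Graph conditionalAccessPolicy request body, plus a simplified local model of when that policy blocks a sign-in. The object ID is a constructed placeholder for the test account, and would_block is a hypothetical helper, not Azure AD's evaluation engine.

```python
import json

# Microsoft Graph v1.0 endpoint for creating Conditional Access policies.
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
RISK_LEVELS = {"low", "medium", "high"}
# Constructed placeholder object ID standing in for the Alain Charon test account.
ALAIN = "00000000-0000-0000-0000-000000000001"


def build_block_policy(user_ids, risk_levels=("medium",), state="enabled"):
    """Return the request body for a policy that blocks risky sign-ins."""
    levels = [r.lower() for r in risk_levels]
    unknown = set(levels) - RISK_LEVELS
    if unknown or not levels:
        raise ValueError(f"invalid sign-in risk levels: {sorted(unknown)}")
    if not user_ids:
        raise ValueError("scope the policy to at least one user")
    return {
        "displayName": "Block access for " + " and ".join(levels) + " risk level",
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "signInRiskLevels": levels,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def would_block(policy, user_id, app_id, sign_in_risk):
    """Simplified model: is the policy enforced, in scope, and set to block?"""
    cond = policy["conditions"]
    users = cond["users"]["includeUsers"]
    apps = cond["applications"]["includeApplications"]
    applies = (
        policy["state"] == "enabled"  # report-only and disabled never block
        and ("All" in users or user_id in users)
        and ("All" in apps or app_id in apps)
        and sign_in_risk in cond["signInRiskLevels"]
    )
    return applies and "block" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    policy = build_block_policy([ALAIN])
    print("POST", GRAPH_URL)
    print(json.dumps(policy, indent=2))
    print("medium-risk sign-in blocked:", would_block(policy, ALAIN, "any-app", "medium"))
```

Passing `state="enabledForReportingButNotEnforced"` creates the policy in report-only mode, which lets you review its impact in the sign-in logs before it blocks anyone.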

Test your Conditional Access policy

In the previous section, you learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your Conditional Access policy to make sure that it works as expected.

To test your policy, try to sign in to your Azure portal as Alain Charon using the Tor Browser. Your sign-in attempt should be blocked by your Conditional Access policy.

Clean up resources

When no longer needed, delete the test user, the Tor Browser, and the Conditional Access policy:

  • If you don't know how to delete an Azure AD user, see Delete users from Azure AD.

  • To delete your policy, select your policy, and then click Delete in the quick access toolbar.

  • For instructions to remove the Tor Browser, see Uninstalling.

Next steps