MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Sign-in risk #16715

Closed xNiklasJern closed 6 years ago

xNiklasJern commented 6 years ago

Hi,

Is sign-in risk still a part of conditional access? It seems like the condition has been removed from where you configure the CA policies and moved to Identity Protection? I noticed that because policies I've configured in CA with sign-in risk still exist, but the conditions have just disappeared from them.

Regards,



MarileeTurscak-MSFT commented 6 years ago

@xNiklasJern Thanks for your feedback! We will investigate and update as appropriate.

SaurabhSharma-MSFT commented 6 years ago

@xNiklasJern Yes, but you need to enable Azure AD Identity Protection to use it. Also, I am able to see sign-in risk conditions available in my existing policies. I have also checked by creating a new policy with sign-in risk conditions, and I could see that available in the conditional access policy itself.

xNiklasJern commented 6 years ago

@SaurabhSharma-MSFT Thanks for your answer. To see if I understand you correctly: the sign-in risk condition shouldn't be visible as a condition if you haven't a P2 license assigned to it and AAD Identity Protection enabled/onboarded?

Do you know, for policies that have been designed to have a security risk, where the conditions have disappeared, will they re-appear if assigning P2 licenses to the tenant?

One more at the same time (maybe this is not your domain). But I noticed that as long as you have one P2 license assigned, all users show triggers, alerts, etc. in the Identity Protection console, even if they don't have a license assigned. What would happen if these users are assigned a policy for secure risk, but aren't licensed?

Thanks in advance!

// Niklas

SaurabhSharma-MSFT commented 6 years ago

Yes, you need a Premium P2 license to enable AAD Identity Protection and to enable sign-in risk. Once enabled you would be able to see it in the Conditions. For your second question I guess yes, and for your third question I believe the user won't have access to the Azure AD Identity Protection blade.
However, I am assigning this to the author to provide you more clarity on the billing and licenses part.

ghost commented 6 years ago

Hi @xNiklasJern, I have to admit that I'm a bit at a loss... Could you please rephrase what it is you are looking for?

Sign-in risk comes from Identity Protection. It has been moved into CA to provide more granularity. There is no relation to client side licenses.

What is missing?

Cheers, Markus

xNiklasJern commented 6 years ago

Hi @MarkusVi Thank you for taking your time.

Sign-in risk comes from Identity Protection, that we agree on :) but to make the condition sign-in risk visible in CA, the tenant needs to have at least one AAD P2 license assigned.

What I noticed is that you only need one license assigned to make Identity Protection available for all users in your organization (at least it shows data on all users if you look in Identity Protection). What would then happen if you design a CA policy with sign-in risk as a condition, and the policy is then assigned to users both with and without an AAD P2 license; how will the policy affect the users? Will all users still be affected by this policy, or will it fail for the users who are not licensed with AAD P2?

Thanks in advance!

Regards, Niklas

ghost commented 6 years ago

Hi @xNiklasJern, for conditional access, there is no client license involved. It is only a question of your tenant's license. This is in line with your observation. Another way of looking at this is that conditional access protects your SaaS apps; it is not really a service provided to your users.

please-close

YutongTie-MSFT commented 6 years ago

@xNiklasJern We will now proceed to close this thread. If there are further questions regarding this matter, please respond here and @YutongTie-MSFT and we will gladly continue the discussion.

xNiklasJern commented 6 years ago

Hi @YutongTie-MSFT ,

I'm not sure I feel like I got my questions answered.

Since Saurabh verified that you need to have an AAD P2 license to enable Identity Protection, and hence make the condition sign-in risk available in CA.

But what will happen if a CA policy is then created and assigned to all users, but not all users have a P2 license assigned? How will the policy affect these users?

Regards, Niklas

YutongTie-MSFT commented 6 years ago

@MarkusVi @SaurabhSharma-MSFT Can you please take a look?

@xNiklasJern I will reopen this issue for you.

ghost commented 6 years ago

Hi @xNiklasJern, I have to admit that I don't really understand what you are looking for. Could you please clarify? As already mentioned, there is no client license involved. You need a P2 tenant to configure the sign-in risk condition. There is no need to assign specific licenses to the users that are affected by a CA policy that includes the sign-in risk condition. CA is a service for your SaaS apps, not for the users.

please-close

xNiklasJern commented 6 years ago

Hi again,

First, how can you @DiegoRamirez-MSFT close the ticket when Markus is clearly asking for more information?

@MarkusVi To get a P2 tenant you need to have assigned a license that includes AAD P2 to your organization. Right? Either this is included in one of the E5 licenses, or you buy it as a stand-alone product. I.e. a license needs to be purchased for the sign-in risk condition to be available in CA.

Should I interpret your answer as: as long as you have made AAD P2 available within your tenant (which only requires one license), the sign-in risk condition can be utilized on ALL users, with no dependency on whether they are licensed to utilize AAD P2 or not? In theory this means that no matter how large your organization is, only one stand-alone license of AAD P2 makes the sign-in risk condition available for all users.

ghost commented 6 years ago

Hi @xNiklasJern, yes, your interpretation is correct.

danmyhre commented 5 years ago

I don't believe this is correct: "In theory this means that no matter how large your organization is, only one stand-alone license of AAD P2 makes the sign-in risk condition available for all users."

Any user that is being protected by or benefiting from the service would need to be licensed. Seeing the feature in the portal does not equal licensing compliance.