Step-by-Step Tutorial: Stop Stolen-Password Logons with Risk-Based Conditional Access
- Hanna Korotka
- Jul 16
- 3 min read

Why stolen passwords still work and how to shut the door
Compromised credentials fuel most successful Microsoft 365 breaches. Attackers buy leaked passwords, log in from a new device, and—unless MFA fires—are inside in seconds. Microsoft Entra ID includes a smarter defense: Risk-Based Conditional Access. It watches every sign-in, scores the risk in real time (impossible travel, malware IPs, leaked passwords), and blocks or challenges only the suspicious sessions. Follow the guide below and you’ll have it live in under an hour.
Prerequisites
Microsoft Entra ID P2 (or trial): This license unlocks Identity Protection risk signals, the engine behind risk-based decisions.
Security Administrator role: You’ll need this role to create and manage Conditional Access policies.
Tenant-wide MFA: The policy will challenge risky sign-ins with MFA, so multifactor authentication must already be enabled for users.
1 — Confirm Identity Protection is on
Sign in to the Microsoft Entra admin center.
Navigate to ID Protection > Dashboard.
If you see risky activity dashboards, the feature is live. If not, assign the P2 license to your test account.
2 — Create the Risk-Based Conditional Access policy
Open the Microsoft Entra admin center and sign in with an account that has Conditional Access admin rights.
Browse to Entra ID > Conditional Access.
Select New policy.
Give the policy a clear, descriptive name that fits your naming convention.
Under Assignments, select Users or workload identities.
Include: All users.
Exclude: your break-glass or emergency-access accounts.
Select Done.
Target resources: under Cloud apps or actions, keep All resources selected.
Under Conditions > Sign-in risk, set Configure to Yes.
Under Select the sign-in risk level this policy will apply to, select High and Medium.
Select Done.
Under Access controls > Grant, select Grant access.
Select Require authentication strength, then select the built-in "Multifactor authentication" authentication strength from the list.
Select Select.
Under Session, select Sign-in frequency.
Ensure Every time is selected.
Select Select.
Confirm your settings and set Enable policy to Report-only.
Select Create to save the policy.
3 — Test the policy
Use a second device or a public VPN/Tor endpoint to sign in with your test account; Microsoft typically flags these sessions as Medium risk.
To verify how Conditional Access behaved, open the Sign-in logs in the Entra admin center and inspect the event. The details pane shows which policies ran in report-only mode, which ones applied, and why.
Once you have reviewed the report-only results and are satisfied with them, move the Enable policy toggle from Report-only to On.
4 — Monitor & fine-tune
ID Protection dashboards display how many sign-ins were interrupted.
Tune the policy: raise the threshold, add location or device filters, or change the action to Block for High risk only.
Keep the rule audited—attackers sometimes target break-glass exclusions.
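To make the verification in step 3 and the monitoring in step 4 repeatable, here is an added example (not part of the original tutorial) that tallies a risk-based policy's report-only results over sign-in log records and flags medium/high-risk sign-ins the policy did not cover, such as an excluded break-glass account. It assumes records in the Microsoft Graph `signIn` shape, a policy display name of `CA-Risk-MediumHigh-RequireMFA`, and uses constructed sample log entries.

```python
# Added example (not from the original tutorial): evaluate report-only results
# that Entra sign-in logs expose for a risk-based Conditional Access policy.
# Record shape follows the Microsoft Graph `signIn` resource fields
# riskLevelDuringSignIn and appliedConditionalAccessPolicies[].result;
# the entries in SAMPLE_SIGNINS are constructed sample data, not real tenant output.
from collections import Counter

POLICY_NAME = "CA-Risk-MediumHigh-RequireMFA"  # assumed policy display name
RISKY = {"medium", "high"}  # the levels the tutorial's policy targets

SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "riskLevelDuringSignIn": "none",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "bob@contoso.example", "riskLevelDuringSignIn": "medium",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "reportOnlyInterrupted",
          "enforcedGrantControls": ["Mfa"]}]},
    {"userPrincipalName": "carol@contoso.example", "riskLevelDuringSignIn": "high",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "reportOnlySuccess",
          "enforcedGrantControls": ["Mfa"]}]},
    # Excluded break-glass account signing in at high risk: the policy skips it.
    {"userPrincipalName": "breakglass@contoso.example", "riskLevelDuringSignIn": "high",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
]

def policy_result(signin, policy_name=POLICY_NAME):
    """Return the named policy's result string for one sign-in (None if absent)."""
    for p in signin.get("appliedConditionalAccessPolicies", []):
        if p.get("displayName") == policy_name:
            return p.get("result")
    return None

def summarize(signins, policy_name=POLICY_NAME):
    """Tally policy results over risky sign-ins; list risky ones it did not cover.

    A *NotApplied or missing result on a medium/high-risk sign-in means an
    exclusion (e.g. break-glass) or condition mismatch bypassed the MFA challenge.
    """
    results, uncovered = Counter(), []
    for s in signins:
        if s.get("riskLevelDuringSignIn") not in RISKY:
            continue
        r = policy_result(s, policy_name) or "missing"
        results[r] += 1
        if r.endswith("NotApplied") or r == "missing":
            uncovered.append(s["userPrincipalName"])
    return results, uncovered
```

`summarize(SAMPLE_SIGNINS)` returns the per-result counts and the list of risky sign-ins that slipped past the policy; feed it records exported from the Sign-in logs to review the same numbers the ID Protection dashboards show.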
Outcome
With Risk-Based Conditional Access live, stolen passwords alone can’t open the front door. Legitimate users sign in normally; risky sessions hit an MFA wall or get blocked outright—no help-desk overload, no blanket geo blocks.
How PlexHosted helps you
PlexHosted builds and oversees end-to-end Microsoft 365 security for SMBs—covering identities, devices, data-sharing, and cloud apps. We align the controls with your risk profile, deploy the policies, and monitor them continuously, so threats are blocked before you notice.
Book a quick call to learn how quickly we can secure your tenant.