https://nicolasuter.ch/tags/ir/Recent content in IR on Nicola SuterHugo -- gohugo.ioen-US© 2026 Nicola SuterSun, 22 Mar 2026 10:00:03 +0000https://nicolasuter.ch/entra-id-protection-stop-account-breach/Sun, 22 Mar 2026 10:00:03 +0000https://nicolasuter.ch/entra-id-protection-stop-account-breach/<p>All too often, my baseVISION (IR) colleagues and I find compromised cloud accounts where many security &lsquo;signals&rsquo; were missed—both from a prevention and detection perspective. In this blog post, I want to share some motivation and tips to help you adopt Entra ID Protection risk-based Conditional Access policies to increase your tenant&rsquo;s security posture, and ensure you don&rsquo;t miss the next obvious account breach.</p> <h2 class="relative group">Real-world motivation <div id="real-world-motivation" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#real-world-motivation" aria-label="Anchor">#</a> </span> </h2> <p>Anyone who has seen an AiTM campaign in the wild will probably notice the following details from the Entra ID sign-in logs of a compromised account:</p> <ul> <li>ResourceDisplayName: <code>OfficeHome</code></li> <li>UserAgent: <code>axios/1.13.2</code></li> </ul> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="Entra ID Protection - High - AiTM" src="https://nicolasuter.ch/content/images/2026/eidp/id-protection-high.png" ></figure> <p>The problem? Even though Entra ID Protection flagged the sign-in as &lsquo;High&rsquo; risk, the user could still sign in because MFA automatically remediated the sign-in risk (<code>userPassedMfaDrivenByRiskBasedPolicy</code>).</p> <h3 class="relative group">The bummer? <div id="the-bummer" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-bummer" aria-label="Anchor">#</a> </span> </h3> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="Report Only ID Protection Policy" src="https://nicolasuter.ch/content/images/2026/eidp/id-protection-report-only.png" ></figure> <p>The environment had a Conditional Access policy in place that would have blocked users with high sign-in risk, but the policy was only in <em>report-only</em> mode, so the user could sign in without any issues.</p>