Conditional access for risky sign-ins
Demonstrate that the organization enforces conditional access policies that detect and respond to risky sign-in attempts with appropriate authentication challenges or access denials based on defined risk thresholds.
Description
What this control does
Conditional access for risky sign-ins applies adaptive authentication controls based on real-time risk signals such as anomalous login locations, unfamiliar devices, credential leak intelligence, or atypical user behavior patterns. When an identity provider or access management platform detects elevated risk scores during authentication attempts, this control enforces additional verification steps (e.g., multi-factor authentication, password reset, session termination) or blocks access entirely. This adaptive approach balances security with user experience by applying friction only when risk warrants intervention, reducing the attack surface for compromised credentials and account takeover scenarios.
Control objective
What auditing this proves
Demonstrate that the organization enforces conditional access policies that detect and respond to risky sign-in attempts with appropriate authentication challenges or access denials based on defined risk thresholds.
Associated risks
Risks this control addresses
- Successful account takeover through credential stuffing or brute force attacks originating from anomalous locations or devices
- Unauthorized access by attackers using leaked or phished credentials that have not yet been reset
- Session hijacking through token theft or replay attacks when initial authentication occurs from compromised endpoints
- Privilege escalation by malicious insiders accessing critical systems from unusual geographic locations without additional verification
- Data exfiltration by threat actors exploiting weak authentication mechanisms during high-risk login scenarios
- Compliance violations due to insufficient identity verification for sensitive data access under risk conditions
- Lateral movement within networks following initial compromise when risky authentication events are not flagged or blocked
Testing procedure
How an auditor verifies this control
- Obtain the current conditional access policy configuration exports from the identity provider platform (e.g., Azure AD, Okta, Ping Identity) including risk-based policies and their rule definitions.
- Review the risk detection mechanisms configured within the identity platform, identifying which signals trigger risk scoring (impossible travel, anonymous IP, password spray, leaked credentials, unfamiliar properties).
- Identify the risk thresholds (e.g., low, medium, high) that trigger conditional access enforcement actions such as MFA challenges, password changes, or session blocking.
- Select a sample of 20-30 authentication events from the past 90 days that the authentication logs flag as risky sign-ins, ensuring representation across the different risk levels and detection reasons.
- For each sampled risky sign-in event, verify that the conditional access policy was applied by cross-referencing authentication logs, policy decision logs, and user session records to confirm enforcement actions occurred.
- Test the responsiveness of conditional access policies by simulating risky sign-in scenarios (e.g., VPN-based location changes, credential use from Tor exit nodes, or attempts from flagged IP addresses) in a controlled test environment.
- Review exclusion lists or bypass configurations within conditional access policies to confirm that exempted accounts (if any) are documented, approved, and subject to compensating controls.
- Interview identity and access management personnel to confirm processes for tuning risk thresholds, investigating false positives, and escalating persistent risky sign-in patterns to security operations teams.
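The following is an added worked example, not code from the page or from any identity provider's API or SDK. It puts the control described under "What this control does" (risk level at or above a threshold triggers MFA, password reset or block; exempted accounts bypass the policy) into a small evaluator, and then applies it the way steps 3-6 of the testing procedure do: parse a sample of risky sign-in records, report which risk levels and detection reasons the sample covers, cross-reference each event against the policy decision log to confirm the expected enforcement happened, and list any excluded accounts that showed up in the sample for exclusion-evidence review. The policy structure, field names, detection labels and all log lines are constructed for illustration and do not follow any vendor's schema.

```python
import json
from dataclasses import dataclass

# Ordered risk levels; "none" means no risk signal fired for that dimension.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Enforcement actions from weakest to strongest; the strongest matching one wins.
ACTION_ORDER = ["allow", "mfa", "password_reset", "block"]

# Constructed policy (hypothetical structure, not a vendor export): a risk level at
# or above a threshold triggers the listed action. Excluded accounts bypass the risk
# checks entirely, which is why the audit reports every one that appears in the sample.
POLICY = {
    "sign_in_risk": {"medium": "mfa", "high": "block"},
    "user_risk": {"high": "password_reset"},
    "excluded_users": {"breakglass@example.com"},
}

# Constructed sign-in log (one JSON record per line) standing in for the sampled
# risky sign-in events; field names and detection labels are hypothetical.
SIGN_IN_LOG = """
{"id": "e1", "user": "alice@example.com", "sign_in_risk": "high", "user_risk": "low", "detections": ["impossibleTravel"]}
{"id": "e2", "user": "bob@example.com", "sign_in_risk": "medium", "user_risk": "none", "detections": ["anonymizedIPAddress"]}
{"id": "e3", "user": "carol@example.com", "sign_in_risk": "low", "user_risk": "high", "detections": ["leakedCredentials"]}
{"id": "e4", "user": "breakglass@example.com", "sign_in_risk": "high", "user_risk": "none", "detections": ["unfamiliarFeatures"]}
{"id": "e5", "user": "dave@example.com", "sign_in_risk": "medium", "user_risk": "none", "detections": ["passwordSpray"]}
"""

# Constructed policy decision log: event id -> action the platform recorded.
# e5 has no decision record at all, which is itself an audit finding.
POLICY_DECISIONS = {"e1": "block", "e2": "mfa", "e3": "allow", "e4": "allow"}


@dataclass(frozen=True)
class SignIn:
    id: str
    user: str
    sign_in_risk: str
    user_risk: str
    detections: tuple


def parse_sign_ins(text):
    """Parse JSON-per-line sign-in records into SignIn objects."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append(SignIn(rec["id"], rec["user"], rec["sign_in_risk"],
                             rec["user_risk"], tuple(rec["detections"])))
    return events


def expected_action(ev, policy=POLICY):
    """Action the policy should enforce for one event (exclusions bypass risk checks)."""
    if ev.user in policy["excluded_users"]:
        return "allow"
    actions = ["allow"]
    for dimension in ("sign_in_risk", "user_risk"):
        level = RISK_ORDER[getattr(ev, dimension)]
        for threshold, action in policy[dimension].items():
            if level >= RISK_ORDER[threshold]:
                actions.append(action)
    return max(actions, key=ACTION_ORDER.index)


def sample_coverage(events):
    """Step 3: which risk levels and detection reasons the sample actually covers."""
    levels = {ev.sign_in_risk for ev in events} | {ev.user_risk for ev in events}
    levels.discard("none")
    reasons = {d for ev in events for d in ev.detections}
    return {"risk_levels": sorted(levels), "detection_reasons": sorted(reasons)}


def audit_enforcement(events, decisions, policy=POLICY):
    """Step 4: compare expected enforcement with what the decision log records."""
    findings = []
    for ev in events:
        want = expected_action(ev, policy)
        got = decisions.get(ev.id, "no_decision_logged")
        if got != want:
            findings.append({"id": ev.id, "user": ev.user, "expected": want,
                             "observed": got, "detections": list(ev.detections)})
    return findings


def exempted_in_sample(events, policy=POLICY):
    """Step 6: excluded accounts seen in risky sign-ins, for exclusion-evidence review."""
    return sorted({ev.user for ev in events if ev.user in policy["excluded_users"]})


if __name__ == "__main__":
    evs = parse_sign_ins(SIGN_IN_LOG)
    print("sample coverage:", sample_coverage(evs))
    for finding in audit_enforcement(evs, POLICY_DECISIONS):
        print("FINDING", finding)
    print("exempted accounts in sample:", exempted_in_sample(evs))
```

Run against the constructed data, the audit produces two findings: e3 carried a high user risk but was allowed through without the password reset the policy calls for, and e5 has no decision record at all, so enforcement cannot be evidenced. In a real engagement the `SIGN_IN_LOG` and `POLICY_DECISIONS` inputs would be the exported authentication and policy-decision logs, and `POLICY` would be derived from the exported policy configuration rather than hand-written.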
Where this control is tested