In a concise YouTube video, author Jonathan Edwards highlights a single, often-missed Conditional Access control that can stop attackers from hijacking multi-factor authentication methods. He demonstrates how to configure this policy in Microsoft Entra so that risky accounts cannot register new MFA methods even if an attacker already knows the user’s password. Consequently, the video positions this control as a critical addition to typical Microsoft 365 defenses. Moreover, Edwards supplements the core lesson with a secondary policy that blocks risky sign-ins to add another layer of protection.
Edwards argues that protecting MFA registration is vital because stolen passwords alone no longer guarantee account takeover. If attackers can register new authentication methods, they can bypass the extra step that MFA provides, which makes registration protection a direct line of defense. Therefore, the policy shifts the defensive posture from simply verifying logins to controlling how and when authentication factors are added.
Furthermore, he explains that many admins focus on sign-in enforcement but overlook the registration lifecycle, which remains an attractive attack surface. By blocking registrations for risky users, organizations reduce the chance that stolen credentials will convert to full access. As a result, the measure serves as preventive hardening rather than reactive mitigation after an account shows suspicious activity.
At the heart of the video is a Conditional Access policy configured to deny the registration of new MFA methods for accounts deemed risky. Edwards walks through the policy in Microsoft Entra, showing how to use risk signals to limit who can add authentication methods and when they can do so. This setup recognizes that identity protection is not only about who signs in but also about who can change the means of authentication.
He also notes that pairing this policy with a secondary rule that blocks high-risk sign-ins produces defense in depth. Thus, administrators gain both preventive and responsive controls: one stops method enrollment, while the other stops suspicious access attempts outright. Consequently, enterprise environments can better manage identity risk without relying solely on password complexity or end-user vigilance.
Edwards clarifies the distinction between User Risk and Sign-in Risk, which is central to choosing the right controls. User Risk evaluates the likelihood that an account has been compromised based on historical signals, while Sign-in Risk evaluates a specific authentication attempt for anomalies. Therefore, using both types of signals enables policies that either prevent future attacks or stop active malicious sign-ins.
He emphasizes, however, that these risk scores are probabilistic and require tuning to the organization’s context. Overly aggressive settings can lock out legitimate users, whereas overly permissive ones leave holes for attackers. As a result, administrators must balance sensitivity with usability to ensure both security and productivity.
Edwards provides step-by-step guidance in the video for building the two policies: block MFA registration for risky accounts, and block high-risk sign-ins entirely. He shows the relevant conditions and actions in Microsoft Entra, illustrating how to target specific user groups and define risk thresholds. Consequently, viewers can reproduce the setup while adapting it to their licensing and business needs.
At the same time, Edwards reminds viewers to test policies in audit mode before enforcement to avoid unexpected lockouts. He recommends staged rollouts and monitoring to measure impact and adjust thresholds. Thus, administrators can enforce stronger protections without abruptly disrupting legitimate workflows.
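The two policies described above (block MFA-method registration for risky users, and block high-risk sign-ins), expressed as an added example in Microsoft Graph PowerShell. This is not the video's own script: it assumes the Microsoft.Graph module is installed, that the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass group id is replaced with a real value. Both policies are created in report-only state (what the summary calls audit mode) so their effect can be reviewed in the sign-in logs before enforcement; the user action `urn:user:registersecurityinfo` is Entra's "Register security information" target, and the risk levels are the Identity Protection values the policy conditions accept.

```powershell
# Added example, not the video's code. Requires the Microsoft.Graph module and an
# account allowed to manage Conditional Access. Placeholder ids must be replaced.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Exclude an emergency-access (break-glass) group so a misfiring policy cannot lock
# every admin out. Placeholder value, not a real object id.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Policy 1: deny registration of new authentication methods (the "Register security
# information" user action) when Identity Protection rates the USER as medium or high
# risk. This is the control the video centres on: a stolen password alone no longer
# lets an attacker enrol their own MFA method.
$blockRiskyRegistration = @{
    displayName = "Block MFA registration for risky users"
    state       = "enabledForReportingButNotEnforced"   # report-only; set "enabled" after review
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        userRiskLevels = @("medium", "high")   # historical, account-level risk
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Policy 2: block the authentication attempt itself when the SIGN-IN is rated high
# risk. This uses the per-attempt signal rather than the account-level one, which is
# the User Risk / Sign-in Risk distinction the video draws.
$blockHighRiskSignIn = @{
    displayName = "Block high-risk sign-ins"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        signInRiskLevels = @("high")   # start strict; widen to "medium" only after tuning
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$createdIds = @()
foreach ($policy in @($blockRiskyRegistration, $blockHighRiskSignIn)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    $createdIds += $created.Id
    Write-Host ("Created '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Staged rollout: leave the policies in report-only mode, review the "Report-only"
# result column in the Entra sign-in logs, then enforce each policy once the false-
# positive rate is acceptable.
foreach ($id in $createdIds) {
    # Uncomment to enforce after the review period.
    # Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id -State "enabled"
}
```

The break-glass exclusion and the report-only state are the two pieces of the video's operational advice that are easiest to forget when scripting the policies; a risk-based block that applies to "All" users with no exclusions is exactly the kind of change that produces the lockouts the summary warns about.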
Edwards does not shy away from the trade-offs involved: tighter risk-based rules improve security but can generate false positives that frustrate users. For example, frequent travel, VPN use, or delegations may trigger risk signals and cause legitimate registration attempts or sign-ins to be blocked. Consequently, organizations must weigh the cost of potential help-desk overhead against the benefit of reduced account takeovers.
He also discusses practical challenges such as licensing requirements, signal latency, and integration with existing identity processes. Because not all environments have the same Entra features available, admins must adapt the recommended policies to what their licenses allow. Therefore, while the policy is powerful, its effective use depends on careful planning, monitoring, and iterative tuning.
Overall, the video by Jonathan Edwards delivers a clear, actionable message: protect the registration of authentication methods and combine that with blocking risky sign-ins for better Microsoft 365 security. The guidance balances technical steps with operational advice, stressing testing and staged deployment to minimize disruption. As a result, security teams can tighten identity protection while managing trade-offs between risk sensitivity and user experience.
In short, this practical walkthrough makes a compelling case for adding the missing Conditional Access policy to an organization’s identity defense plan. By doing so, organizations can reduce the risk of attackers converting stolen credentials into persistent access, and they can implement a layered response that reflects real-world threats.