Conditional Access: Risk Remediation
Microsoft Entra
Jan 18, 2026 9:52 PM

by HubSite 365 about Nick Ross [MVP] (T-Minus365)

Microsoft Entra ID and Conditional Access detect impossible travel and block attackers targeting SharePoint and Teams

Key insights

  • Require risk remediation: a new Conditional Access grant control in Microsoft Entra that automatically blocks high-risk sign-ins and starts Microsoft-managed remediation flows.
    It revokes sessions, forces re-authentication, and applies stronger authentication settings to stop attackers before they access email, SharePoint, or Teams.
  • Risk detection and types: Entra uses machine learning signals to evaluate sign-in risk (per login) and user risk (aggregated).
    Common signals include impossible travel and other anomalous behavior that raise risk to Medium or High.
  • How remediation works with passwordless and sessions: the flow supports all authentication methods without forcing password fallbacks.
    Sessions are revoked and users must complete the appropriate remediation (MFA, SSPR, or passwordless re-auth) to move from "At risk" to "Remediated."
  • Policy basics in Conditional Access: target users/apps, set conditions for sign-in or user risk, then select Require risk remediation as the grant control.
    Exclude emergency access accounts and verify licensing and prerequisites before enabling broad policies.
  • Migration and timeline: legacy Entra ID Protection risk policies are now read-only and will retire on October 1, 2026.
    Admins must recreate equivalent Conditional Access policies to retain risk protections—there is no automatic migration.
  • Benefits for MSPs and security teams: automated blocking reduces breach windows and lowers alert fatigue and helpdesk load.
    The feature focuses on fast, automated remediation so teams can stop identity attacks minutes or seconds after detection.

Video summary and author

Nick Ross [MVP] (T-Minus365) presents a hands-on walkthrough of Microsoft Entra ID’s updated risk remediation options in a recent YouTube video. He rewinds a simulated incident to show how Microsoft detects impossible travel and how Entra ID can stop attackers before they reach email, SharePoint, or Teams. The video focuses on the practical steps administrators and MSPs can take, rather than theory, and explains why the new controls matter in real incidents.

How Entra detects and scores risk

The video explains that Entra calculates risk using signals like location, device, and prior behavior to assign sign-in risk and user risk levels. Ross shows examples where fast travel between distant locations becomes an indicator of compromise, and he describes how the service aggregates anomalies to change a user’s overall risk profile. As a result, organizations can see both immediate login risk and longer-term user risk and respond accordingly.

What the new Require risk remediation control does

Ross demonstrates the new Conditional Access grant control called Require risk remediation, which bundles remediation steps and session revocation into a single policy option. When a sign-in or user is flagged at the policy threshold, Entra triggers a Microsoft-managed remediation flow that can prompt re-authentication, require strong authentication methods, or force a recovery step similar to a password reset, all without manual admin action. Consequently, the approach reduces the time attackers have to pivot inside environments by revoking sessions and forcing immediate remediation.

Configuring policies and practical steps

In the walkthrough, he navigates the Microsoft Entra admin center, showing how to target users, set cloud app scope, and apply the new remediation grant. He emphasizes excluding break-glass accounts and recommends applying policies broadly to cover all cloud apps to prevent a blind spot in protection. Moreover, Ross clarifies that remediation supports all authentication methods, including passwordless, and that Conditional Access now applies authentication strength and tighter sign-in frequency to revoke sessions where needed.
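The configuration points above (remediation grant selected, all cloud apps in scope, break-glass accounts excluded, policy actually enforcing) can be checked against an exported policy set. This is an added example, not code from the video or from Microsoft: the policy JSON follows the Microsoft Graph `conditionalAccessPolicy` shape, the `riskRemediation` grant string is an assumption to confirm in your own export, and every name and ID in the sample is a constructed placeholder.

```python
# Added example (not from the video): audit exported Conditional Access policies in
# Microsoft Graph conditionalAccessPolicy JSON shape for the rollout gaps named above.
# ASSUMPTION: the Require risk remediation grant is exported as "riskRemediation".
REMEDIATION_CONTROL = "riskRemediation"

def audit_policy(policy, break_glass_ids, control=REMEDIATION_CONTROL):
    """Return findings for a risk-based policy, or None if it has no risk condition."""
    cond = policy.get("conditions") or {}
    if not (cond.get("signInRiskLevels") or cond.get("userRiskLevels")):
        return None
    findings = []
    grants = (policy.get("grantControls") or {}).get("builtInControls") or []
    if control not in grants:
        findings.append(f"grant is {grants}, not {control}")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')}, policy is not enforcing")
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        findings.append(f"scoped to {apps}, other cloud apps are a blind spot")
    users = cond.get("users") or {}  # exclusions may be user IDs or a group ID
    excluded = set(users.get("excludeUsers") or []) | set(users.get("excludeGroups") or [])
    missing = sorted(set(break_glass_ids) - excluded)
    if missing:
        findings.append("break-glass not excluded: " + ", ".join(missing))
    return findings

def audit_all(policies, break_glass_ids):
    results = {p["displayName"]: audit_policy(p, break_glass_ids) for p in policies}
    return {name: f for name, f in results.items() if f is not None}

# Constructed sample export; names and IDs are placeholders, not real objects.
BREAK_GLASS = ["bg-user-0001", "bg-user-0002"]
SAMPLE_POLICIES = [
    {"displayName": "Sign-in risk remediation", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": [REMEDIATION_CONTROL]}},
    {"displayName": "User risk pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-user-0001"]},
                    "applications": {"includeApplications": ["Office365"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
    {"displayName": "MFA for admins", "state": "enabled", "conditions": {},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES, BREAK_GLASS).items():
        print(name, "->", findings or "OK")
```

An empty findings list means the policy passed all four checks; policies without a sign-in or user risk condition are skipped rather than reported as passing.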

Licensing, migration, and timelines

Ross highlights an important operational point: legacy Entra ID Protection risk policies are now read-only and will retire on October 1, 2026. He advises teams to plan migration because there is no automatic transfer of legacy policies and losing coverage could leave users exposed. At the same time, organizations must balance migration speed against careful testing and policy tuning to avoid unnecessary user friction or gaps in protection.

Tradeoffs: automation versus accuracy

The video stresses tradeoffs between rapid automated blocking and the risk of false positives that can disrupt legitimate users. Automated remediation cuts response time dramatically, but it can also increase helpdesk volume if thresholds are too sensitive. Therefore, Ross recommends tuning policy thresholds, excluding essential accounts, and using telemetry to refine signals so that automation helps operations rather than creating new problems.

Handling passwordless and session-based attacks

Ross explains that the new remediation flows intentionally support modern authentication like passwordless, so users are guided through measured revalidation instead of reverting to passwords. This design reduces fallback-driven weaknesses while still revoking sessions and forcing re-authentication to clear risk. Nevertheless, session-based attacks and token theft remain challenging, and teams must combine remediation with good session policies and monitoring to limit replay or lateral access.

Operational challenges for MSPs and security teams

For managed service providers, the video offers practical guidance but also warns about complexity at scale: many tenants require unique tuning, testing, and exception handling to avoid breaking business processes. MSPs must therefore invest time in staging, documenting exception lists, and communicating changes to customers so that automated blocks do not cause outages. In short, the power of automation comes with an operational overhead that teams should plan for.

Recommendations and next steps

Ross encourages teams to adopt the new Conditional Access remediation controls and to treat the rollout as a phased program with clear rollback plans and monitoring. He also suggests collecting feedback from users and support teams to refine thresholds and to use the remediation telemetry to validate policy effectiveness. Consequently, organizations can move from alert-driven workflows to faster, automated responses while maintaining business continuity.

Conclusion

Overall, the video gives a clear, practical guide for stopping identity attacks automatically by using Require risk remediation in Conditional Access. It balances technical detail with real-world advice about migration, tuning, and the tradeoffs between security and user experience. As Ross demonstrates, the feature can significantly shorten response time to identity threats, but successful deployment requires careful planning and ongoing adjustment.
