Sign-ins detected as high risk SHALL be blocked.
Why This Matters
High-risk sign-ins indicate a likely compromised identity or an attack in progress, often involving leaked credentials, impossible travel, or anonymous IP addresses. If these sign-ins are not blocked, attackers can persist in the environment, escalate privileges, and exfiltrate data. Administrators must configure Conditional Access to automatically deny these attempts to prevent breach escalation.
What Aether365 Checks
This check verifies that your Identity Protection Conditional Access policy is configured to block sign-ins detected as high risk. It appears in the Aether365 dashboard under Entra ID (entra-id) checks as part of the CISA baseline.
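A way to run the same kind of check yourself over Conditional Access policies exported as JSON in the Microsoft Graph conditionalAccessPolicy shape. This is an added example, not Aether365's own check logic. The function names, the sample policies, and the requirement that the policy cover all users and all applications are assumptions of this example.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects.
SAMPLE = json.loads("""[
 {"displayName": "Risk block (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"signInRiskLevels": ["high"], "users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Risk MFA", "state": "enabled",
  "conditions": {"signInRiskLevels": ["medium", "high"], "users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block high-risk sign-ins", "state": "enabled",
  "conditions": {"signInRiskLevels": ["high"],
                 "users": {"includeUsers": ["All"], "excludeGroups": ["example-group-id"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}}
]""")


def policy_gaps(policy):
    """Return the reasons this policy does not block high-risk sign-ins."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    gaps = []
    if policy.get("state") != "enabled":  # report-only and disabled do not enforce
        gaps.append("not enforced")
    if "high" not in (cond.get("signInRiskLevels") or []):
        gaps.append("high sign-in risk not in scope")
    if "All" not in (users.get("includeUsers") or []):  # assumed scoping requirement
        gaps.append("not all users")
    if "All" not in (apps.get("includeApplications") or []):  # assumed as well
        gaps.append("not all applications")
    if "block" not in controls:
        gaps.append("grant control is not block")
    return gaps


def exclusions(policy):
    """Excluded users, groups and roles: identities the block does not reach."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return {k: v for k, v in users.items() if k.startswith("exclude") and v}


def blocking_policies(policies):
    """Display names of policies with no gaps."""
    return [p["displayName"] for p in policies if not policy_gaps(p)]
```

A policy in report-only state or one that only requires MFA is reported with a gap, and any exclusions on a passing policy are returned separately so they can be reviewed.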