Overview
This article explains the Liongard alert "Microsoft 365 | Exposure To Suspicious Sign-Ins", which triggers when a Sign-in Risk Policy is missing or misconfigured in Microsoft Entra ID (formerly Azure AD).
A Sign-in Risk Policy is essential in defending against identity-based attacks such as password spraying, credential stuffing, or the use of compromised credentials. Microsoft continuously analyzes signals (like unfamiliar sign-in locations, anonymous IP addresses, or impossible travel events) to assign a sign-in risk score. When properly configured, this policy automatically challenges or blocks suspicious sign-ins.
Liongard surfaces this alert by referencing Microsoft Secure Score, specifically the control named SigninRiskPolicy. If the Sign-in Risk Conditional Access Policy is missing, disabled, or only partially applied, attackers may be able to log in despite clear signs of compromise, leaving your organization exposed to unauthorized access.
Sample Alert:
Why Does This Happen?
This alert is triggered when Microsoft Secure Score detects that the SigninRiskPolicy control is not fully implemented. Common scenarios include:
No Conditional Access policy exists to act on sign-in risk.
A policy exists but is not assigned to all users.
The policy is present but disabled or misconfigured.
The scope of coverage does not meet Secure Score expectations.
Liongard detects this condition using the following metric logic:
SecureScores.controlScores[?controlName == `SigninRiskPolicy`].subtract(to_number(total), to_number(count)) | [0]
How the metric works:
SecureScores.controlScores → Dataset of Secure Score controls.
controlName == 'SigninRiskPolicy' → Filters to the Sign-in Risk Policy control.
total → Total number of users expected to be covered.
count → Users actually covered.
subtract(total, count) → Number of users left exposed.
If this value is greater than 0, Liongard raises the alert. Even one uncovered user triggers it, since Secure Score requires full coverage.
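The following is an added example, not Liongard's own code, that evaluates the same metric in plain Python over a constructed Secure Score record shaped like the Graph secureScores controlScores entries (control names other than SigninRiskPolicy, and all numeric values, are made up for the example). It mirrors the JMESPath semantics: only the first matching control is used, to_number() tolerates counts serialized as strings, and an absent control yields None rather than a number, so the "greater than 0" comparison never fires for it.

```python
import json

# Constructed sample (not real tenant data) shaped like a Secure Score
# response: each controlScores entry carries controlName, total and count.
SAMPLE_SECURE_SCORE = json.dumps({
    "controlScores": [
        {"controlName": "MFARegistrationV2", "total": 120, "count": 120},
        # Counts may arrive as strings; the metric's to_number() handles that.
        {"controlName": "SigninRiskPolicy", "total": "120", "count": "117"},
        {"controlName": "UserRiskPolicy", "total": 120, "count": 0},
    ]
})


def exposed_users(secure_score_json, control_name="SigninRiskPolicy"):
    """Equivalent of the alert metric:
    controlScores[?controlName == `SigninRiskPolicy`]
        .subtract(to_number(total), to_number(count)) | [0]

    Returns total - count for the first matching control, or None when the
    control is absent from the dataset (JMESPath's `| [0]` on an empty
    projection yields null)."""
    data = json.loads(secure_score_json)
    for control in data.get("controlScores", []):
        if control.get("controlName") == control_name:
            total = int(float(control["total"]))   # to_number(total)
            count = int(float(control["count"]))   # to_number(count)
            return total - count                   # users left uncovered
    return None


def alert_fires(secure_score_json):
    """Liongard raises the alert when the metric is greater than 0.
    A missing control evaluates to None, which is not > 0, so a tenant where
    the control never appears in Secure Score would not trigger this rule."""
    gap = exposed_users(secure_score_json)
    return gap is not None and gap > 0


if __name__ == "__main__":
    print("uncovered users:", exposed_users(SAMPLE_SECURE_SCORE))
    print("alert fires:", alert_fires(SAMPLE_SECURE_SCORE))
```

The sample leaves three users uncovered, so the alert fires; the point of the None branch is that "no alert" can also mean the SigninRiskPolicy control is not being reported at all, which is worth confirming directly in Secure Score rather than treating silence as coverage.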
Steps to Resolve
Option 1: Use Microsoft Entra Admin Center
Log in to Microsoft Entra Admin Center.
Navigate:
ID Protection > Conditional Access > Policies
Locate your policy related to Sign-in Risk
Check Assignments
Go to Assignments > Users
Verify if All users is selected.
If only specific users/groups are included, check carefully.
Review the Exclude section
Manually Verify Groups
If groups are assigned, open each group.
Confirm all intended users are members.
Compare Coverage
Export the group members (from the policy assignments).
Export all Active Users from Entra.
Compare the two lists to identify missing users.
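To illustrate the comparison step, here is an added example script (not part of the Liongard article or product) that diffs the two exports. Both CSVs are constructed inline, the column names userPrincipalName, displayName and accountEnabled are assumptions about the export format, and disabled accounts are skipped on the assumption that they are not part of the expected coverage. Matching is case-insensitive because UPNs are often exported with mixed case, which otherwise produces false "missing" entries.

```python
import csv
import io

# Constructed export of all users from Entra (not real tenant data).
# Column names are assumptions about the export format.
ALL_USERS_CSV = """userPrincipalName,displayName,accountEnabled
alice@contoso.example,Alice Adams,True
bob@contoso.example,Bob Baker,True
Carol@Contoso.example,Carol Chen,True
dave@contoso.example,Dave Diaz,False
svc-backup@contoso.example,Backup Service,True
"""

# Constructed export of the members of the group(s) assigned to the policy.
POLICY_MEMBERS_CSV = """userPrincipalName,displayName
alice@contoso.example,Alice Adams
carol@contoso.example,Carol Chen
"""


def load_upns(csv_text, column="userPrincipalName", only_enabled=False):
    """Read one export and return its UPNs, lower-cased for comparison.
    When only_enabled is set, rows whose accountEnabled column is not
    'True' are skipped (assumption: disabled accounts are out of scope)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    upns = set()
    for row in reader:
        enabled = row.get("accountEnabled", "True").strip().lower() == "true"
        if only_enabled and not enabled:
            continue
        upns.add(row[column].strip().lower())
    return upns


def coverage_gap(all_users_csv, members_csv, intentionally_excluded=()):
    """Return the sorted list of enabled users not covered by the policy,
    minus any accounts you have deliberately excluded and documented."""
    everyone = load_upns(all_users_csv, only_enabled=True)
    covered = load_upns(members_csv)
    excluded = {u.strip().lower() for u in intentionally_excluded}
    return sorted(everyone - covered - excluded)


if __name__ == "__main__":
    for upn in coverage_gap(ALL_USERS_CSV, POLICY_MEMBERS_CSV):
        print("not covered:", upn)
```

Accounts passed as intentionally_excluded disappear from this report, but Secure Score still counts them in total, so the alert keeps firing for them until the status is recorded through the "Edit status & action plan" route described under Option 2.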
Option 2: Review and Resolve on Microsoft 365 Security Center
Log in to Microsoft 365 Security Center.
Select "Recommended actions" tab on dashboard.
Select "Enable Microsoft Entra ID Identity Protection sign-in risk policies"
Review the information available to get additional insight into the current scope of the policy, such as Implementation status and User impact.
If some accounts are intentionally excluded from the policy, you can clear this Secure Score recommendation by selecting the "Edit status & action plan" tab on the same page and choosing the reason that applies from the following options:
Contact Support
Still seeing alerts after confirming the policy covers everyone?
Reach out to our support team with the following:
A complete screenshot of the alert page, showing the title and the changes it detected.
Screenshot of the Actionable Alert rule configuration page:
Go to Admin > Actionable Alerts > Rules
Locate the same Actionable Alert mentioned
Click on the Clone button (two squares icon)
Take a screenshot of the whole page in 2 parts
Screenshot of your Conditional Access policy assignments
Your current Secure Score details from Microsoft 365 Security Center
We're here to help troubleshoot further and are happy to assist in any way possible.