NOTE: This advisory is based on our evidence from the f11.ca lab experiment (EID-EXP-007), in which we reproduced the issue.
For engineers asking how this works technically.
As an MSP owner, I have reviewed numerous Microsoft 365 environments for SMBs.
A recurring pattern has emerged:
- Risk detection is enabled
- Microsoft flags suspicious sign-ins
- But access is still allowed
This gap often leads to security breaches.
Today, I will explain in business terms why blocking high sign-in risk in Microsoft Entra is among the most cost-effective security controls an SMB can implement.
What Is a “High-Risk Sign-in”?
When Microsoft Entra flags a sign-in as high risk, it indicates the system has strong confidence that the attempt is malicious. Examples include:
- Password spray attempts
- Sign-ins from known malicious IP ranges
- Anonymous network access (TOR/VPN abuse)
- Suspicious token replay behavior
This is not a possibility. This is Microsoft saying:
“This looks like an active attack.”
If access is still permitted at this stage, you are relying on chance.
The Business Risk of Allowing High-Risk Sign-ins
For SMBs, account compromise involves more than a password reset.
It can lead to:
Wire fraud & payment redirection
Compromised email accounts are frequently used for invoice fraud. A single successful attack can result in losses ranging from $25,000 to over $250,000.
Ransomware staging
Attackers often use compromised identities to:
- Access SharePoint/OneDrive
- Enumerate permissions
- Escalate privileges
Identity compromise is often the initial step before data encryption.
Data exposure & compliance issues
If client data is exposed:
- You face reputational damage.
- You risk contractual penalties.
- You may trigger regulatory reporting requirements.
For industries such as legal, financial, and healthcare, the impact is even greater.
The Cost Comparison (Reality)
Consider the following two scenarios:
No enforcement
- Identity compromise
- Incident response engagement ($5,000–$20,000)
- Business downtime
- Reputation damage
- Insurance involvement
Total impact is often in the six-figure range.
Enforced High-Risk Blocking
- Configure Conditional Access
- Exclude emergency accounts
- Monitor sign-in logs
- Minor implementation time
Total cost: A few hours of engineering. The return on investment is clear.
Why Many SMB Tenants Don’t Block It
In my experience, this occurs for several reasons:
- The tenant was set up years ago without risk-based policies.
- IT teams are afraid of lockouts.
- Policies are left in “report-only” mode.
- There’s confusion between “User risk” and “Sign-in risk.”
- No structured security baseline was implemented.
This does not indicate negligence.
It is typically the result of configuration drift.
What We Recommend as an MSP
For SMB environments, we recommend:
✔ Block High sign-in risk
✔ Require MFA for medium risk
✔ Exclude break-glass emergency accounts
✔ Apply to all cloud apps
✔ Monitor sign-in logs monthly
This approach aligns with Zero Trust principles and significantly reduces the risk of account takeover.
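The five recommendations above expressed as Conditional Access policies, as an added example that is not part of the original post: it uses the Microsoft Graph PowerShell SDK to create a "block high risk" policy and an "MFA for medium risk" policy scoped to all users and all cloud apps with the emergency accounts excluded, then audits whether any enabled policy in the tenant actually blocks high sign-in risk. The break-glass object IDs and policy display names are placeholders.

```powershell
# Added example (not the original post's code). Requires: Install-Module Microsoft.Graph
# Break-glass object IDs are placeholders; replace with your emergency-access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassIds = @("<BREAK-GLASS-1-OBJECT-ID>", "<BREAK-GLASS-2-OBJECT-ID>")

# Common scope: every user except the emergency accounts, every cloud app.
$scope = @{
    users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
    applications = @{ includeApplications = @("All") }
}

# Policy 1: block sign-ins that Entra ID Protection rates as HIGH risk.
# Created in report-only first; review sign-in log impact, then set state to "enabled".
$blockHigh = @{
    displayName   = "CA - Block high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ signInRiskLevels = @("high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA when sign-in risk is MEDIUM.
$mfaMedium = @{
    displayName   = "CA - Require MFA for medium sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ signInRiskLevels = @("medium") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $blockHigh
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaMedium

# Audit: is there an ENABLED policy that blocks high sign-in risk for all users and all apps?
# Report-only policies are deliberately not counted, since they do not stop the sign-in.
$enforced = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.SignInRiskLevels -contains "high" -and
    $_.GrantControls.BuiltInControls -contains "block" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All"
}
if ($enforced) { "High sign-in risk is blocked by: $($enforced.DisplayName -join ', ')" }
else           { "WARNING: no enabled policy blocks high sign-in risk in this tenant." }
```

Before switching either policy from report-only to enabled, confirm the break-glass accounts appear under the policy's excluded users and that at least one of them has been tested to sign in without MFA dependencies.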
Why This Matters More for SMBs Than Enterprise
Large enterprises:
- Have SOC teams
- Have identity engineers
- Have advanced monitoring
SMBs often:
- Have lean IT
- Depend heavily on Microsoft 365
- Cannot absorb extended downtime
This makes preventative controls even more essential.
The Strategic View: Identity Is the New Perimeter
Firewalls no longer protect Microsoft 365. Identity does. If an attacker signs in successfully, they are considered inside the environment, regardless of their physical location. Blocking high-risk sign-ins is one of the most effective ways to strengthen your identity perimeter.
Final Thoughts
Security doesn’t have to be complicated to be effective. Blocking high-confidence malicious sign-ins is:
- Low effort
- High impact
- Low disruption
- High ROI
For most SMBs, implementing this single control can eliminate an entire category of preventable compromises.
If you are unsure whether your tenant enforces this policy, it is advisable to review it promptly.
Once an attacker gains access, it is no longer a configuration issue; it becomes a security incident.