ASD's Blueprint for Secure Cloud

Entra ID Protection

This section describes the design decisions associated with Entra ID Protection for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Entra ID Protection is the function of provisioning access rights to a resource. Entra ID Protection can take the form of an access policy. An access policy defines the business rules on whether an authenticated user is granted or denied access to a resource. Entra ID utilises Conditional Access to define the access policies for Microsoft 365 data. Entra ID using Entra ID Protection utilises analytics to further minimise risk that access is provisioned to a compromised authenticated user.

Entra ID Protection enables configuration of automated responses to suspicious activities and actions related to user identities. With Entra ID Protection, risk-based policies can be configured that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other conditional access controls provided by Entra ID, can either automatically block, Smart Lockout, or initiate adaptive remediation actions including password resets and MFA enforcement.

Entra ID Protection uses the following mechanisms to detect anomalous activity within the environment:

  • Vulnerabilities - Entra ID Protection analyses identity configuration and detects vulnerabilities that can have an impact on user identities. Vulnerabilities can include items such as unmanaged cloud applications.
  • Risk Events - Entra ID uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to the user’s identities. The system creates a record for each detected suspicious action. These records are also known as risk events and include activities such as sign-ins from anonymous IP addresses, sign-ins from IP addresses previously detected as exhibiting suspicious activity, or unfamiliar locations.

Entra ID Protection provides mechanisms for logging and reporting functionality that simplify investigation activities.

Smart Lockout

Entra ID Smart Lockout protects Entra ID accounts from brute force attacks such as password guessing by recognising legitimate sign-in attempts from authentications from unknown sources. Smart Lockout is always-on for Entra ID but allows customisation of the number of incorrect attempts and the lockout duration.

Security & Governance




Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra