Duplicate conditional access baseline policies


I want to test the End user protection CA policy but I don't want to enable it for all users yet. Is it possible to recreate that baseline but allowing me to limit what users/groups it applies to?

I like that it ties into risky sign-in and leaked creds, but don't see those options when I create my own policy.


3 Replies

It's possible. The whole idea behind the baseline policies is to offer a pre-configured policy with relaxed license requirements. If you already have AAD/EMS licenses in your tenant you can create similar policies yourself, with better customizability. In particular, the "user risk" condition can be found under the Conditions group -> Sign-in risk.

@Vasil Michev My conditions options are only:

device platform
client apps
device state


I have an E5 with EMS E3. I think that includes AAD P1


Is EMS E5 or AAD P2 required to use the sign-in risk?



best response confirmed by Jason Benway (Contributor)

Yup, you need AAD P2/EMS E5.
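
As an added example (not part of the thread): one way to build a custom policy with a sign-in risk condition limited to a pilot group, using the Microsoft Graph PowerShell module. It assumes a tenant with the AAD P2/EMS E5 licensing confirmed above; the group ID is a placeholder, and the display name, risk levels and MFA grant control are assumptions chosen for illustration, not the baseline policy's actual settings.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the pilot group the policy should apply to.
$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"

$policy = @{
    # Assumed name for illustration.
    displayName = "Pilot - MFA on risky sign-in"

    # Report-only: the policy is evaluated and logged but not enforced,
    # so the pilot can be reviewed in the sign-in logs before switching to "enabled".
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        users = @{
            # Scope to the pilot group instead of all users.
            includeGroups = @($pilotGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")

        # Sign-in risk condition (needs AAD P2). Levels are an assumption.
        signInRiskLevels = @("medium", "high")
    }

    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm what was stored: name, state and the configured risk levels.
$created | Select-Object DisplayName, State,
    @{ Name = "SignInRiskLevels"; Expression = { $_.Conditions.SignInRiskLevels -join "," } }
```

Keep an emergency-access account outside the pilot group so a misconfigured policy cannot lock out every administrator.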