The Microsoft 365 Blog

Stop MFA Hijacks: The One Conditional Access Policy You're Missing

Sep 01, 2025

Security alerts can be alarming, especially when they suggest someone is trying to take over your Microsoft 365 account. That is exactly what happened to Charles Bell from Hawthorne Bell in London. One day he noticed a phone number had been added to his Microsoft account, and it was not his. This was a clear sign that someone was trying to register their own MFA method on his account. If they succeeded, Charles could have been locked out completely.

The reality is that this is one of the most common techniques hackers use in real-world breaches. They do not need your password for the full takeover; sometimes, a risky sign-in is enough. By default, Microsoft 365 allows risky sign-ins to register new MFA methods, leaving your account vulnerable. Fortunately, there is a solution: a targeted conditional access policy.

Why Conditional Access Matters

When a hacker has your credentials, whether they have been leaked, guessed or phished, they can attempt to sign in to your Microsoft 365 account. If MFA is not fully enforced or if the hacker manages to bypass it, they can add their own MFA method and take control.

This is why conditional access policies are essential. They allow you to block risky users from registering new MFA methods, giving your accounts an extra layer of protection.

Licensing Requirements

To implement this kind of policy, you need Microsoft Entra ID P2. This licence comes with Microsoft 365 E5 or can be added to Microsoft 365 Business Premium. Entra ID P2 includes advanced identity protection that can detect risky users and sign-in attempts using signals such as leaked credentials, impossible travel, suspicious devices and anonymous IP addresses.

Building the Essential Policy

Here is a step-by-step guide to creating a conditional access policy to block MFA hijacks:

  1. Open the Microsoft 365 admin centre and go to Entra ID.

  2. Navigate to Conditional Access and select Create new policy.

  3. Give your policy a name, for example, Block MFA Registration for Risky Users.

  4. Target all users but exclude your break glass accounts.

  5. Under Target resources, select User actions and choose Register Security Information.

  6. Configure conditions based on user risk. User risk evaluates a user’s identity overall, such as leaked credentials or suspicious behaviour over time, while sign-in risk evaluates specific log-ins, like impossible travel or unusual devices. For this policy, configure it to block users with any risk level.

  7. Under access controls, select Block Access.

  8. Exclude yourself to avoid locking yourself out and then create the policy.

This policy ensures that any user flagged as risky will be blocked from registering new MFA methods.

Bonus Policy: Block Risky Sign-ins

To strengthen your security further, create a second policy that blocks risky sign-ins entirely:

  1. Create a new policy named Block Sign-ins with Sign-in Risk.

  2. Target all users, again excluding break glass accounts.

  3. Under conditions, select sign-in risk and configure it to block medium and high-risk sign-ins.

  4. Under access controls, select Block Access.

Together, these two policies provide layered protection against account takeover. Even if you implement only the first policy, you are already ahead of the curve.
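Both policies above can be created from a script rather than by clicking through the portal. The following is an added example written for this post, not code from the original article, using the Microsoft Graph PowerShell SDK (cmdlets New-MgIdentityConditionalAccessPolicy, Get-MgIdentityConditionalAccessPolicy and Get-MgRiskyUser). It assumes the Microsoft.Graph module is installed, the tenant holds Entra ID P2, and the three placeholder object IDs are replaced with your break-glass accounts and your own admin account (steps 4 and 8 of the first policy, step 2 of the second). It deviates from the walkthrough in one deliberate way: both policies are created in report-only mode so you can review who would have been blocked before switching them to enabled.

```powershell
# Added example (not from the original post): create the two Conditional Access
# policies described above via Microsoft Graph, in report-only mode first.
# Requires Entra ID P2 and the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'IdentityRiskyUser.Read.All' -NoWelcome

# PLACEHOLDER object IDs: replace with your break-glass accounts and the admin
# account creating the policy, so you cannot lock yourself out.
$excludedUsers = @(
    '00000000-0000-0000-0000-000000000001',  # break-glass account 1 (placeholder)
    '00000000-0000-0000-0000-000000000002',  # break-glass account 2 (placeholder)
    '00000000-0000-0000-0000-000000000003'   # your own admin account (placeholder)
)

# Policy 1: block the "Register security information" user action for any user
# risk level. urn:user:registersecurityinfo is the Graph identifier for the
# "Register Security Information" user action shown in the portal.
$blockRiskyMfaRegistration = @{
    displayName = 'Block MFA Registration for Risky Users'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $excludedUsers
        }
        applications = @{
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        userRiskLevels = @('low', 'medium', 'high')      # "any risk level"
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Policy 2 (bonus): block medium- and high-risk sign-ins to every cloud app.
$blockRiskySignIns = @{
    displayName = 'Block Sign-ins with Sign-in Risk'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $excludedUsers
        }
        applications = @{
            includeApplications = @('All')
        }
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policyNames = @($blockRiskyMfaRegistration.displayName, $blockRiskySignIns.displayName)
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -in $policyNames }

foreach ($policy in @($blockRiskyMfaRegistration, $blockRiskySignIns)) {
    # Skip creation on re-runs so the script is idempotent.
    if ($existing.DisplayName -contains $policy.displayName) {
        Write-Host "Policy '$($policy.displayName)' already exists; skipping."
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}

# Check 1: every break-glass/admin account is excluded from both policies.
Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -in $policyNames } | ForEach-Object {
    $p = $_
    $missing = $excludedUsers | Where-Object { $p.Conditions.Users.ExcludeUsers -notcontains $_ }
    if ($missing) { Write-Warning "$($p.DisplayName) is missing exclusions: $($missing -join ', ')" }
    else          { Write-Host "$($p.DisplayName): all exclusions present." }
}

# Check 2: who is currently flagged at risk, i.e. who policy 1 will stop from
# registering new MFA methods once it is enabled.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime |
    Format-Table -AutoSize
```

Leave both policies in report-only for a few days, review the "Report-only" result column in the Entra sign-in logs, then change state to enabled. The risk conditions only fire when Identity Protection is producing signals, which is why the post's licensing section matters: without P2 the userRiskLevels and signInRiskLevels conditions have nothing to evaluate and the policies will never block anyone.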

Results

After setting up these policies, Charles tested the system by attempting to sign in from a VPN in Usbakistan. The attempt was blocked, showing that the policies were working as intended. His MFA was now properly protected, and he could safely prepare for his upcoming cricket AGM without worrying about his account being compromised.

Conclusion

MFA hijacks are a serious threat to Microsoft 365 accounts, but they can be mitigated with the right conditional access policies. By blocking risky users from registering MFA methods and stopping risky sign-ins, you create a layered security approach that protects your business from account takeover.

Even if you implement just the first policy, you are already securing your accounts better than most businesses. Layer them together, and you have a robust defence that keeps hackers out and auditors happy.