After you enable User Risk Score authentication in Workspace ONE Access, you must set up the access policy rules to use this authentication method.

This example shows an access policy that is configured with the following access flow.

  • Users with a low risk score and a compliant iOS device can access the apps without entering additional credentials.
  • Users with a medium risk score and a compliant iOS device must use a second authentication method before accessing the app.
  • Users with high risk-scores and a compliant iOS device are denied access to the apps.

User Risk Score authentication can be applied to any policy rule, but User Risk Score cannot be the first authentication method listed in the policy rule.


For this example, the following authentication methods are enabled.
  • Mobile SSO ( for iOS)
  • Device Compliance
  • User Risk Score with the action type set up as follows.
    • Low set to Allow Access
    • Medium set to Step-up Authentication
    • High set to Deny Access


  1. In the Workspace ONE Access console Resources > Policies page. click ADD POLICY to create a new policy named Restricted Resources.
  2. In the Applies To section, add the secure apps to associate with this policy. For example, Company Restricted App 1, Company Restricted App 2, Company Restricted App 3.
  3. Policy rule is configured as follows.
    Option Description
    If a user's network range is ALL RANGES
    and user accessing content from iOS
    and user belongs to groups No group is selected. The access policy rule applies to all users.
    Then perform this action Authenticate using....
    then the user may authenticate using Mobile SSO (for iOS).

    Device Compliance (with AirWatch)

    User Risk Score

    If the preceding methods fails or is not applicable, then Configured multi-factor authentication.

    Mobile SSO (for iOS)

    Device Compliance (with AirWatch)

    Authenticator App (TOTP)

    Note: You must add the same authentication methods in the fallback list as listed before User Risk Score in the first authenticate using... configuration.
    Re-authenticate after 8 hours


For more information about creating access policy rules, see Managing Access Policies in the Workspace ONE Access Service.