1.1.8 Enable Azure AD Identity Protection sign-in risk policies

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Azure Active Directory Identity Protection evaluates sign-in risk both in real time and offline. A risky sign-in is an indicator that a sign-in attempt might not have been performed by the legitimate owner of the user account.

Rationale:

Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

Impact:

When the policy triggers, the user will need MFA to access the account. A user who hasn't registered MFA on their account would be blocked from accessing it. It is therefore recommended that the MFA registration policy be configured for all users who are covered by the Sign-in Risk policy.

Solution

To configure a Sign-In risk policy, use the following steps:

1. Log in to https://admin.microsoft.com as a Global Administrator.
2. Go to Admin centers and click on Azure Active Directory.
3. Select Azure Active Directory, then Security.
4. Select Conditional Access.
5. Create a new policy by selecting New policy.
6. Set the following conditions within the policy:
   a. Under Users or workload identities choose All users.
   b. Under Cloud apps or actions choose All cloud apps.
   c. Under Conditions choose Sign-in risk, then Yes in the right pane, followed by the appropriate level.
   d. Under Access Controls select Grant, then in the right pane click Grant access and select Require multi-factor authentication.
   e. Click Select.
7. You may opt to begin in a state of Report Only as you step through implementation; however, the policy will need to be set to On to be in effect.
8. Click Create.

NOTE: For more information regarding risk levels, refer to Microsoft's Identity Protection & Risk documentation.
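The portal steps above map directly onto a Microsoft Graph conditionalAccessPolicy object. The following Python is an added example, not part of the CIS audit text or Microsoft's tooling: it builds the request body for the policy described above (all users, all cloud apps, sign-in risk condition, grant only with MFA) and audits a list of existing policies for one that actually satisfies the control, treating a Report Only policy as non-compliant. The Graph endpoint, property names and state values are the real v1.0 schema; the sample policies, display names and the placeholder group GUID are constructed for illustration, and the `create_policy` helper assumes an access token obtained elsewhere with the Policy.ReadWrite.ConditionalAccess permission.

```python
"""
Added example (not part of the CIS audit text): Graph request body for the
sign-in risk Conditional Access policy, plus an offline audit over a list of
policies as returned by GET /identity/conditionalAccess/policies.
The sample policies below are constructed for illustration.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_sign_in_risk_policy(display_name, risk_levels=("high", "medium"), report_only=True):
    """Body for: New policy -> All users -> All cloud apps -> Sign-in risk (Yes,
    chosen levels) -> Grant access: Require multi-factor authentication."""
    return {
        "displayName": display_name,
        # Report-only is useful while stepping through implementation, but the
        # control is only met once the state is "enabled" (On in the portal).
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": list(risk_levels),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def meets_control(policy):
    """True when a policy is enforced, scoped to all users and all cloud apps,
    keyed on sign-in risk (not user risk), and grants only with MFA."""
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    risk_levels = cond.get("signInRiskLevels") or []
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return (
        policy.get("state") == "enabled"
        and "All" in users
        and "All" in apps
        and len(risk_levels) > 0
        and "mfa" in controls
    )


def audit(policies):
    """Return the display names of policies that satisfy the control; an empty
    list means the tenant fails this audit."""
    return [p["displayName"] for p in policies if meets_control(p)]


def create_policy(access_token, body):
    """POST the body to Graph. Assumes a token carrying
    Policy.ReadWrite.ConditionalAccess; not exercised offline."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of what the policies collection might contain.
SAMPLE_POLICIES = [
    # Still in Report Only: observed but not enforced, so it does not count.
    build_sign_in_risk_policy("Risky sign-in MFA (pilot)", report_only=True),
    # Enforced, but keyed on user risk rather than sign-in risk.
    {
        "displayName": "High user risk - require password change",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    },
    # Enforced, but scoped to one group (placeholder GUID), not all users.
    {
        "displayName": "Risky sign-in MFA - IT group only",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["00000000-0000-0000-0000-000000000000"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["high", "medium"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    # The configuration this audit asks for.
    build_sign_in_risk_policy("Risky sign-in MFA", report_only=False),
]

if __name__ == "__main__":
    print(json.dumps(build_sign_in_risk_policy("Risky sign-in MFA", report_only=False), indent=2))
    print("Compliant policies:", audit(SAMPLE_POLICIES))
```

Running the module prints the body you would submit and the names of the policies that pass; only the enabled, all-users, all-apps, sign-in-risk, MFA policy is reported, which mirrors the note above that Report Only is fine for rollout but does not put the control into effect.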

See Also

https://workbench.cisecurity.org/files/3729