1.1.9 Enable Azure AD Identity Protection user risk policies

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.

Rationale:

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.

Impact:

When the policy triggers, access to the account will either be blocked or the user will be required to use multi-factor authentication and change their password. Users who haven't registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the User Risk policy.

Solution

To configure a User risk policy, use the following steps:

1. Log in to https://admin.microsoft.com as a Global Administrator.
2. Go to Admin centers and click on Azure Active Directory.
3. Select Azure Active Directory, then Security.
4. Select Conditional Access.
5. Create a new policy by selecting New policy.
6. Set the following conditions within the policy:
   - Under Users or workload identities, choose All users.
   - Under Cloud apps or actions, choose All cloud apps.
   - Under Conditions, choose User risk, then Yes in the right pane, followed by the appropriate level.
   - Under Access Controls, select Grant, then in the right pane click Grant access and select Require password change.
   - Click Select.
7. You may opt to begin in a state of Report Only as you step through implementation; however, the policy will need to be set to On to be in effect.
8. Click Create.

NOTE: For more information regarding risk levels, refer to Microsoft's Identity Protection & Risk Doc.
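The same policy can be created and verified with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the CIS benchmark text; it assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the policy display name and the High risk level are the values you want.

```powershell
# Added example: user risk Conditional Access policy via Microsoft Graph PowerShell.
# Starts in report-only mode, as the steps above allow, and then reads the stored
# policy back so you can confirm the state before switching it to On.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CIS 1.1.9 - User risk: require password change"   # name is an assumption
    # Report Only = enabledForReportingButNotEnforced; On = enabled; Off = disabled.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }          # Users: All users
        applications   = @{ includeApplications = @("All") }   # Cloud apps: All cloud apps
        userRiskLevels = @("high")                             # Conditions: User risk = High (assumed level)
    }
    grantControls = @{
        # Require password change is only valid together with Require MFA using the
        # "Require all" (AND) operator, which is why the Impact section above warns
        # that users without registered MFA end up blocked.
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read back what Azure AD stored; a policy whose State is not "enabled" protects nobody yet.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "UserRisk"; e = { $_.Conditions.UserRiskLevels -join "," } },
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }

# Once the report-only sign-in log results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```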

See Also

https://workbench.cisecurity.org/files/4073