5.2.2.6 Enable Azure AD Identity Protection user risk policies

Information

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.

Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the 'legacy method' for the following benefits:

Enhanced diagnostic data

Report-only mode integration

Graph API support

Use more Conditional Access attributes like sign-in frequency in the policy

Rationale:

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level.

Impact:

Upon policy activation, account access will be either blocked or the user will be required to use multi-factor authentication (MFA) and change their password. Users without registered MFA will be denied access, necessitating an admin to recover the account. To avoid inconvenience, it is advised to configure the MFA registration policy for all users under the User Risk policy.

Additionally, users identified in the Risky Users section will be affected by this policy. To gain a better understanding of the impact on the organization's environment, the list of Risky Users should be reviewed before enforcing the policy.

Solution

To configure a User risk policy, use the following steps:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Expand Protection > Conditional Access and select Policies.

Create a new policy by selecting New policy.

Set the following conditions within the policy:

Under Users or workload identities choose All users

Under Cloud apps or actions choose All cloud apps

Under Conditions choose User risk then Yes and select the user risk level High.

Under Access Controls select Grant, then in the right pane click Grant access and select both Require multifactor authentication and Require password change.

Under Session ensure Sign-in frequency is set to Every time.

Click Select.

You may opt to begin in a Report-only state as you step through implementation; however, the policy will need to be set to On to be in effect.

Click Create.

NOTE: For more information regarding risk levels, refer to Microsoft's Identity Protection & Risk documentation.
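The steps above describe the policy in portal terms. Because Conditional Access policies can also be exported through the Graph API (one of the benefits listed in the Information section), the same settings can be verified offline against an export. The following is an added example, not Tenable's, CIS's or Microsoft's code: it reads policy objects in the shape returned by Microsoft Graph `GET /identity/conditionalAccess/policies` (field names such as `userRiskLevels`, `builtInControls` and `signInFrequency.frequencyInterval` are taken from the Graph `conditionalAccessPolicy` schema) and reports every deviation from the expected user-risk policy, including a policy that is still in Report-only mode. The two sample policies embedded below are constructed for illustration.

```python
"""Audit exported Entra Conditional Access policies for a High user-risk policy.

Added example; field names follow the Graph conditionalAccessPolicy schema.
Expected settings: All users, All cloud apps, user risk High, grant MFA AND
password change, sign-in frequency Every time, state On (enabled).
"""
import json

REQUIRED_GRANTS = {"mfa", "passwordChange"}


def policy_findings(policy):
    """Return the list of deviations for one policy; an empty list means compliant."""
    findings = []
    cond = policy.get("conditions") or {}

    users = (cond.get("users") or {}).get("includeUsers") or []
    if "All" not in users:
        findings.append("users: does not include All users")

    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        findings.append("applications: does not include All cloud apps")

    risk = [r.lower() for r in (cond.get("userRiskLevels") or [])]
    if "high" not in risk:
        findings.append("conditions: user risk level High not selected")

    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    missing = REQUIRED_GRANTS - controls
    if missing:
        findings.append("grant: missing " + ", ".join(sorted(missing)))
    elif (grant.get("operator") or "").upper() != "AND":
        # With OR, a user could satisfy MFA alone and never rotate the password.
        findings.append("grant: operator must be AND so both controls are required")

    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled") or sif.get("frequencyInterval") != "everyTime":
        findings.append("session: sign-in frequency is not Every time")

    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("state: Report-only; policy is not enforced")
    elif state != "enabled":
        findings.append(f"state: {state!r} is not On")
    return findings


def load_export(text):
    """Accept either a raw Graph response ({"value": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def audit(policies):
    """Return (any_policy_compliant, {displayName: findings}) for an export."""
    report = {p.get("displayName", "<unnamed>"): policy_findings(p) for p in policies}
    return any(not f for f in report.values()), report


# Constructed sample export: one compliant policy and one pilot that is still
# Report-only and only requires MFA.
SAMPLE_EXPORT = json.dumps({"value": [
    {
        "displayName": "CA-UserRisk-High",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": {"operator": "AND",
                          "builtInControls": ["mfa", "passwordChange"]},
        "sessionControls": {"signInFrequency": {"isEnabled": True,
                                                "frequencyInterval": "everyTime"}},
    },
    {
        "displayName": "CA-UserRisk-Pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high", "medium"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"signInFrequency": {"isEnabled": True,
                                                "frequencyInterval": "everyTime"}},
    },
]})


if __name__ == "__main__":
    ok, report = audit(load_export(SAMPLE_EXPORT))
    print("control satisfied:", ok)
    for name, findings in report.items():
        print(name, "->", findings or "compliant")
```

The check passes as long as at least one enabled policy carries all the expected settings; other policies are still listed with their findings so that a Report-only pilot or an MFA-only grant is visible before the policy is switched to On. Pass the saved Graph response to `load_export` to run it against a real tenant export.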

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, 800-53|SI-4(4), CSCv7|16.13

Plugin: microsoft_azure

Control ID: 11e3cd0beadbe36083e78f371ab422d7ac1cbef94f5d72723bfb2ead11331062