Detections
Analytics

Risky Users Without Enforcement

MEDIUM

Language:

Description

Microsoft Entra ID Protection (formerly Identity Protection) identifies risky users in Entra ID and requires Microsoft Entra ID P2 licenses to operate. As explained in the Microsoft documentation on risk detections, there are two types of risk detections:

  • Sign-in risk detections, addressed in the dedicated IoE "MFA Not Required for Risky Sign-ins"
  • User risk detections

A user may be considered at risk when:

There are three risk levels:

  • High
  • Medium
  • Low

Use Conditional Access Policies to enforce security measures when the system identifies a user at risk.

The MS.AAD.2.1v1 policy from the CISA "M365 Secure Configuration Baseline for Microsoft Entra ID", mandated by BOD 25-01, requires that "Users detected as high risk SHALL be blocked". Following CISA guidance, this IoE ensures at least one Conditional Access Policy includes the following settings:

Instead, if you choose to follow Microsoft's recommendation, this IoE ensures that at least one Conditional Access Policy includes the following settings:

  • "Users" set to include "All users".
  • "Target resources" set to "All resources".
  • "Conditions > User risk"" set to "Yes" and selecting "High" risk level.
  • "Grant" set to "Require password change".
  • "Enable policy" set to "On" (not "Off" or "Report-only").

Solution

An enabled Conditional Access Policy (CAP) must exist for the tenant to protect it from all users identified as high-risk.

Tenable recommends blocking only the high-risk level users to minimize business disruption. CISA and Microsoft have differing opinions on how to prevent this risk:

  • The MS.AAD.2.1v1 policy from the CISA "M365 Secure Configuration Baseline for Microsoft Entra ID", mandated by BOD 25-01, recommends blocking risky users entirely.
  • In contrast, Microsoft recommends triggering self-remediation by requiring a password change.

Tenable recommends following the CISA guidance as it is the safest approach. However, since it is also the most restrictive, you can easily switch to the Microsoft recommendation using the provided option in the IoE.

To do so, you can create a CAP in the following ways:

  • Modify an existing CAP by applying the settings specified in this IoE's description.
  • Create a dedicated CAP and configure it according to the specifications in the IoE's description.

If you follow the Microsoft recommendation instead of the CISA guidance, you can also use the "Require password change for high-risk users" CAP template from Microsoft. This template meets all the criteria outlined in this IoE when you enable the option to follow the Microsoft recommendation.

Note: Both Microsoft and Tenable recommend that you exclude certain accounts from Conditional Access policies to prevent tenant-wide account lockout and undesired side effects. Tenable also recommends that you follow the Microsoft documentation "Plan a Conditional Access deployment" to ensure proper planning and change management, as well as mitigate the risk of locking yourself out. In particular, if you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Cloud Sync, you must exclude their service account from the policy because it cannot comply with the Conditional Access policy. Use the "Exclude users" action and either exclude the service account(s) directly, or check the "Directory roles" option and select the "Directory Synchronization Accounts" role.

Configuring a CAP is essential to prevent a compromise, but it doesn't replace a forensic investigation into the reported risk. If you're interested in learning more, Microsoft provides an investigation guide.

Indicator Details

Name: Risky Users Without Enforcement

Codename: RISKY-USERS-WITHOUT-ENFORCEMENT

Severity: Medium

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: