Risky Users Without Enforcement

MEDIUM

Description

Microsoft Entra ID Protection (formerly Identity Protection) identifies risky users in Entra ID and requires Microsoft Entra ID P2 licenses to operate. As explained in the Microsoft documentation on risk detections, there are two types of risk detections:

  • Sign-in risk detections, addressed in the dedicated IoE "MFA Not Required for Risky Sign-ins"
  • User risk detections

A user may be considered at risk when:

There are three risk levels:

  • High
  • Medium
  • Low

Use Conditional Access Policies to enforce security measures when the system identifies a user at risk.

If you choose to follow the CISA guidance, this IoE verifies that at least one Conditional Access Policy includes the following settings:

Instead, if you choose to follow Microsoft's recommendation, this IoE ensures that at least one Conditional Access Policy includes the following settings:

  • "Users" set to include "All users".
  • "Target resources" set to "All resources".
  • "Conditions > User risk" set to "Yes" and selecting the "High" risk level.
  • "Grant" set to "Require password change".
  • "Enable policy" set to "On" (not "Off" or "Report-only").
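An offline checker for the settings listed above, added here as an example and not part of the IoE documentation or Tenable's own code. It evaluates exported policies in the Microsoft Graph conditionalAccessPolicy JSON shape (assumed field names: `state`, `conditions.users`, `conditions.applications`, `conditions.userRiskLevels`, `grantControls`), and the CISA variant assumes a "Block access" grant, as described in the Solution section.

```python
"""Offline check of exported Conditional Access policies against this IoE's criteria.
Field names follow the Microsoft Graph conditionalAccessPolicy resource (assumed);
the sample policies below are constructed, not exported from a real tenant."""

# Grant controls each guidance expects. Microsoft's template pairs "passwordChange"
# with "mfa" under an AND operator, so both forms of the password-change grant pass.
EXPECTED_GRANTS = {
    "cisa": [{"block"}],
    "microsoft": [{"passwordChange"}, {"mfa", "passwordChange"}],
}

def policy_meets_ioe(policy: dict, guidance: str) -> bool:
    """Return True when a single policy satisfies every setting the IoE checks."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    return (
        policy.get("state") == "enabled"                      # not Off or Report-only
        and "All" in (users.get("includeUsers") or [])        # Users: All users
        and "All" in (apps.get("includeApplications") or [])  # Target resources: All
        and "high" in (cond.get("userRiskLevels") or [])      # User risk: High
        and controls in EXPECTED_GRANTS[guidance]             # Grant: block / password change
    )

def tenant_is_covered(policies: list, guidance: str) -> bool:
    """The IoE passes when at least one enabled policy meets all criteria."""
    return any(policy_meets_ioe(p, guidance) for p in policies)

# Constructed sample export: a report-only block policy (does not count) and an
# enabled Microsoft-style password-change policy with a break-glass exclusion.
SAMPLE_POLICIES = [
    {"displayName": "Block high-risk users (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require password change for high-risk users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["<break-glass-account-object-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
]
```

Running `tenant_is_covered(SAMPLE_POLICIES, "microsoft")` returns True, while the "cisa" check returns False because the only block policy is still in report-only mode.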

Solution

An enabled Conditional Access Policy (CAP) covering all users identified as high-risk must exist in the tenant.

Tenable recommends acting only on users at the high risk level to minimize business disruption. CISA and Microsoft differ on how to address this risk:

  • The CISA "M365 Secure Configuration Baseline for Microsoft Entra ID" recommends blocking risky users entirely.
  • In contrast, Microsoft recommends triggering self-remediation by requiring a password change.

Tenable recommends following the CISA guidance as it is the safest approach. However, since it is also the most restrictive, you can easily switch to the Microsoft recommendation using the provided option in the IoE.

To do so, you can either modify an existing CAP or create a new one:

  • Modify an existing CAP by applying the settings specified in this IoE's description.
  • Create a dedicated CAP and configure it according to the specifications in the IoE's description.

If you follow the Microsoft recommendation instead of the CISA guidance, you can also use the "Require password change for high-risk users" CAP template from Microsoft. This template meets all the criteria outlined in this IoE when you enable the option to follow the Microsoft recommendation.

Note: Both Microsoft and Tenable recommend that you exclude certain accounts from Conditional Access policies to prevent tenant-wide account lockout and undesired side effects. Tenable also recommends that you follow the Microsoft documentation "Plan a Conditional Access deployment" to ensure proper planning and change management, as well as mitigate the risk of locking yourself out.

Configuring a CAP is essential to prevent a compromise, but it doesn't replace a forensic investigation into the reported risk. If you're interested in learning more, Microsoft provides an investigation guide.

Indicator Details

Name: Risky Users Without Enforcement

Codename: RISKY-USERS-WITHOUT-ENFORCEMENT

Severity: Medium

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: