Microsoft Entra ID Protection (formerly Identity Protection) identifies risky users in Entra ID and requires Microsoft Entra ID P2 licenses to operate. As explained in the Microsoft documentation on risk detections, there are two types of risk detections:
A user may be considered at risk when:
There are three risk levels:
Use Conditional Access Policies to enforce security measures when the system identifies a user at risk.
If you choose to follow the CISA guidance, this IoE verifies that at least one Conditional Access Policy includes the following settings:
If instead you choose to follow Microsoft's recommendation, this IoE ensures that at least one Conditional Access Policy includes the following settings:
An enabled Conditional Access Policy (CAP) must exist in the tenant to protect it from all users identified as high-risk.
Tenable recommends acting only on high-risk users to minimize business disruption. CISA and Microsoft differ on how to handle this risk:
Tenable recommends following the CISA guidance because it is the safest approach. However, since it is also the most restrictive, you can switch to the Microsoft recommendation using the option provided in the IoE.
To do so, you can create a CAP in the following ways:
If you follow the Microsoft recommendation instead of the CISA guidance, you can also use the "Require password change for high-risk users" CAP template from Microsoft. This template meets all the criteria outlined in this IoE when you enable the option to follow the Microsoft recommendation.
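The check this IoE performs can be reproduced against the policy objects that Microsoft Graph returns from `GET /identity/conditionalAccess/policies`. The script below is an added example, not Tenable's or Microsoft's code: it evaluates a set of constructed sample policies under both the CISA interpretation (an enabled policy that blocks all high-risk users) and the Microsoft interpretation (an enabled policy that requires MFA and a password change for all high-risk users, as the "Require password change for high-risk users" template does). The field names (`state`, `conditions.userRiskLevels`, `conditions.users`, `conditions.applications`, `grantControls`) are the Graph schema; the policy names, the exclusion id and the group id are constructed placeholders.

```python
"""Evaluate Conditional Access policies for high-risk user enforcement.

Added example, not Tenable's or Microsoft's code. Policy dictionaries use
the shape returned by Microsoft Graph:
GET /identity/conditionalAccess/policies. The sample tenant at the bottom
is constructed for this example.
"""

from typing import Iterable

# Two interpretations of "enforcement" described in the IoE text.
MODE_CISA = "cisa"            # block high-risk users outright
MODE_MICROSOFT = "microsoft"  # require MFA AND a password change


def covers_all_users(conditions: dict) -> bool:
    """True when the policy targets every user. Excluded accounts
    (break-glass exclusions) are expected and do not break coverage."""
    users = conditions.get("users", {})
    return "All" in users.get("includeUsers", [])


def covers_all_apps(conditions: dict) -> bool:
    """True when the policy applies to all cloud applications."""
    apps = conditions.get("applications", {})
    return "All" in apps.get("includeApplications", [])


def enforces_high_risk(policy: dict, mode: str) -> bool:
    """Return True if this single policy satisfies the chosen guidance."""
    if policy.get("state") != "enabled":
        # Report-only ("enabledForReportingButNotEnforced") and disabled
        # policies enforce nothing, so they do not count.
        return False
    conditions = policy.get("conditions", {})
    if "high" not in conditions.get("userRiskLevels", []):
        return False
    if not (covers_all_users(conditions) and covers_all_apps(conditions)):
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if mode == MODE_CISA:
        return "block" in controls
    if mode == MODE_MICROSOFT:
        # Both controls must be required together, hence operator AND.
        return {"mfa", "passwordChange"} <= controls and grant.get("operator") == "AND"
    raise ValueError(f"unknown mode: {mode}")


def enforcing_policies(policies: Iterable[dict], mode: str) -> list[str]:
    """Names of policies that satisfy the guidance; an empty list means the
    tenant is exposed and the IoE would report a deviance."""
    return [p["displayName"] for p in policies if enforces_high_risk(p, mode)]


# Constructed sample tenant: a report-only block policy (not enforcing), an
# enabled password-change policy with a break-glass exclusion, and an
# unrelated MFA policy that is not scoped to user risk at all.
SAMPLE_POLICIES = [
    {
        "displayName": "Block high-risk users (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "userRiskLevels": ["high"],
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require password change for high-risk users",
        "state": "enabled",
        "conditions": {
            "userRiskLevels": ["high"],
            "users": {
                "includeUsers": ["All"],
                # placeholder object id of a break-glass account (constructed)
                "excludeUsers": ["00000000-0000-0000-0000-000000000001"],
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    },
    {
        "displayName": "Require MFA for one group",
        "state": "enabled",
        "conditions": {
            "userRiskLevels": [],
            # placeholder group id (constructed)
            "users": {"includeGroups": ["00000000-0000-0000-0000-0000000000aa"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for mode in (MODE_CISA, MODE_MICROSOFT):
        found = enforcing_policies(SAMPLE_POLICIES, mode)
        print(f"{mode:9s} {'OK' if found else 'EXPOSED'}: {found}")
```

Run against the sample tenant, the CISA mode reports the tenant as exposed because the only blocking policy is still in report-only mode, while the Microsoft mode is satisfied by the password-change policy; the break-glass exclusion does not disqualify it, which matches the note below about excluding certain accounts.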
Note: Both Microsoft and Tenable recommend that you exclude certain accounts from Conditional Access policies to prevent tenant-wide account lockout and undesired side effects. Tenable also recommends that you follow the Microsoft documentation "Plan a Conditional Access deployment" to ensure proper planning and change management, as well as mitigate the risk of locking yourself out.
Configuring a CAP is essential to prevent a compromise, but it doesn't replace a forensic investigation into the reported risk. If you're interested in learning more, Microsoft provides an investigation guide.
Name: Risky Users Without Enforcement
Codename: RISKY-USERS-WITHOUT-ENFORCEMENT
Severity: Medium
Type: Microsoft Entra ID Indicator of Exposure