Information
Microsoft Entra ID Protection user risk policies detect the probability that a user account has been compromised.
Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the 'legacy method' for the following benefits:
Enhanced diagnostic data
Report-only mode integration
Graph API support
Use more Conditional Access attributes like sign-in frequency in the policy
Rationale:
With the user risk policy turned on, Entra ID Protection detects the probability that a user account has been compromised. Administrators can configure a user risk Conditional Access policy to automatically respond to a specific user risk level.
Impact:
Upon policy activation, account access will be either blocked or the user will be required to use multi-factor authentication (MFA) and change their password. Users without registered MFA will be denied access, necessitating an admin to recover the account. To avoid inconvenience, it is advised to configure the MFA registration policy for all users under the User Risk policy.
Additionally, users identified in the Risky Users section will be affected by this policy. To gain a better understanding of the impact on the organization's environment, the list of Risky Users should be reviewed before enforcing the policy.
Solution
To configure a User risk policy, use the following steps:
Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
Expand Protection > Conditional Access and select Policies.
Create a new policy by selecting New policy.
Set the following conditions within the policy:
Under Users or workload identities choose All users
Under Cloud apps or actions choose All cloud apps
Under Conditions choose User risk then Yes and select the user risk level High.
Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication and Require password change.
Under Session ensure Sign-in frequency is set to Every time.
Click Select.
You may opt to begin in a state of Report-only as you step through implementation; however, the policy will need to be set to On to be in effect.
Click Create.
NOTE: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc
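As an added example that is not part of the benchmark text, the same policy created through Microsoft Graph PowerShell (the Graph route the note above recommends), followed by an audit check that only accepts an enforced policy matching the settings listed in the steps. The display name is a hypothetical value, and the example assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in account is allowed to manage Conditional Access.

```powershell
# Added example (not from the benchmark): create the High user-risk policy via Graph, then audit it.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller may manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA - User risk High - require MFA and password change"   # hypothetical name
    state       = "enabledForReportingButNotEnforced"   # Report-only first; set to "enabled" to enforce
    conditions  = @{
        users          = @{ includeUsers = @("All") }            # All users
        applications   = @{ includeApplications = @("All") }     # All cloud apps
        userRiskLevels = @("high")                               # User risk = High
    }
    grantControls = @{
        operator        = "AND"                                  # both controls are required
        builtInControls = @("mfa", "passwordChange")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"                     # Sign-in frequency: Every time
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Audit: list policies that satisfy the recommendation. A Report-only policy is
# deliberately not counted, because it does not block or remediate anything.
$compliant = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.UserRiskLevels -contains "high" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All" -and
    $_.GrantControls.Operator -eq "AND" -and
    $_.GrantControls.BuiltInControls -contains "mfa" -and
    $_.GrantControls.BuiltInControls -contains "passwordChange" -and
    $_.SessionControls.SignInFrequency.FrequencyInterval -eq "everyTime"
}

if ($compliant) {
    "Compliant: $($compliant.DisplayName -join ', ')"
} else {
    "Not compliant: no enforced High user-risk policy with MFA + password change found"
}
```

Run the audit section on its own against an existing tenant before enforcing, and compare the result with the Risky Users list the Impact section says to review.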