5.2.2.7 Enable Azure AD Identity Protection sign-in risk policies

Information

Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.

Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the 'legacy method' for the following benefits:

Enhanced diagnostic data

Report-only mode integration

Graph API support

Use more Conditional Access attributes like sign-in frequency in the policy

Rationale:

Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

Impact:

When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.

Solution

To configure a Sign-In risk policy, use the following steps:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Click expand Protection > Conditional Access select Policies.

Create a new policy by selecting New policy.

Set the following conditions within the policy.

Under Users or workload identities choose All users

Under Cloud apps or actions choose All cloud apps

Under Conditions choose Sign-in risk then Yes and check the risk level boxes High and Medium

Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication.

Under Session select Sign-in Frequency and set to Every time.

Click Select

You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.

Click Create.

NOTE: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, 800-53|SI-4(4), CSCv7|16.13

Plugin: microsoft_azure

Control ID: a491ffd434bea447e52a8c941b785448800dcfd5c2d66b725df1320218500e26