🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-microsoft365-compliance
Overview
4Dashboards
80Benchmarks
21Queries
2Variables
GitHub

Control: 1.1.9 Enable Azure AD Identity Protection user risk policies

Description

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.

Remediation

To configure a User risk policy, use the following steps:

  1. Log in to https://admin.microsoft.com as a Global Administrator.
  2. Go to Admin centers and click on Azure Active Directory.
  3. Select Azure Active Directory then Security.
  4. Select Conditional Access.
  5. Create a new policy by selecting New policy.
  6. Set the following conditions within the policy.
    • Under Users or workload identities choose All users.
    • Under Cloud apps or actions choose All cloud apps.
    • Under Conditions choose User risk then Yes in the right pane followed by the appropriate level.
    • Under Access Controls select Grant then in the right pane click Grant access then select Require password change.
  7. Click Select.
  8. You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
  9. Click Create.

NOTE: For more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v140_1_1_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_9 --share

SQL

This control uses a named query:

with block_legacy_authentication as (
  select
    tenant_id,
    count(*)
  from
    azuread_conditional_access_policy
  where
    users->'includeUsers' ?& array['All']
    and jsonb_array_length(users -> 'excludeUsers') = 0
    and jsonb_array_length(user_risk_levels) != 0
    and applications->'includeApplications' ?& array['All']
    and jsonb_array_length(applications -> 'excludeApplications') = 0
    and built_in_controls ?& array['passwordChange']
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has user risk policies enabled.'
    else t.tenant_id || ' has user risk policies disabled.'
  end as reason
  , t.tenant_id as tenant_id
from
  tenant_list as t;

Tags

category = Compliance
cis = true
cis_item_id = 1.1.9
cis_level = 2
cis_section_id = 1.1
cis_type = manual
cis_version = v1.4.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory