Loading controls...
Control: 1.1.8 Enable Azure AD Identity Protection sign-in risk policies
Description
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Remediation
To configure a Sign-In risk policy, use the following steps:
- Log in to
https://admin.microsoft.com
as aGlobal Administrator
. - Go to
Admin centers
and click onAzure Active Directory
. - Select
Azure Active Directory
thenSecurity
. - Select
Conditional Access
. - Create a new policy by selecting
New policy
. - Set the following conditions within the policy.
- Under
Users or workload identities
chooseAll users
. - Under
Cloud apps or actions
chooseAll cloud apps
. - Under
Conditions
chooseSign-in risk
thenYes
in the right pane followed by the appropriate level. - Under
Access Controls
selectGrant
then in the right pane clickGrant access
then selectRequire muilti-factor authentication
.
- Under
- Click
Select
. - You may opt to begin in a state of
Report Only
as you step through implementation however, the policy will need to be set toOn
to be in effect. - Click
Create
.
NOTE: For more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_8
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v150_1_1_8 --share
SQL
This control uses a named query:
azuread_signin_risk_policy