Control: 1.1.8 Enable Azure AD Identity Protection sign-in risk policies

Description

Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.

Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

Remediation

To configure a Sign-In risk policy, use the following steps:

1. Log in to https://admin.microsoft.com as a Global Administrator.
2. Go to Admin centers and click on Azure Active Directory.
3. Select Azure Active Directory then Security.
4. Select Conditional Access.
5. Create a new policy by selecting New policy.
6. Set the following conditions within the policy.
   • Under Users or workload identities choose All users.
   • Under Cloud apps or actions choose All cloud apps.
   • Under Conditions choose Sign-in risk then Yes in the right pane followed by the appropriate level.
   • Under Access Controls select Grant then in the right pane click Grant access then select Require muilti-factor authentication.
7. Click Select.
8. You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
9. Click Create.

NOTE: For more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc.