Control: 1.1.14 Enable Azure AD Identity Protection user risk policies

Description

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level.

Remediation

To configure a User risk policy, use the following steps:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Azure Active Directory > Protect & secure select Conditional Access.
3. On the Conditional Access page, create a new policy by selecting New policy.
4. Set the following conditions within the policy:

• Under Users or workload identities choose All users.
• Under Cloud apps or actions choose All cloud apps.
• Under Conditions choose User risk then Yes in the right pane followed by the appropriate level.
• Under Access Controls select Grant then in the right pane click Grant access then select Require password change.

5. Click Select.
6. You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
7. Click Create.

NOTE: For more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc.