Control: 5.2.2.6 Enable Azure AD Identity Protection user risk policies

Description

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.

Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits:

• Enhanced diagnostic data
• Report-only mode integration
• Graph API support
• Use more Conditional Access attributes like sign-in frequency in the policy

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level.

Remediation

To configure a User risk policy, use the following steps:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click expand Protection > Conditional Access select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy:
   • Under Users or workload identities choose All users.
   • Under Cloud apps or actions choose All cloud apps.
   • Under Conditions choose User risk then Yes and select the user risk level High.
   • Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication and Require password change.
   • Under Session ensure Sign-in frequency is set to Every time.
5. Click Select.
6. You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
7. Click Create.

Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc