Control: 5.2.2.7 Enable Azure AD Identity Protection sign-in risk policies
Description
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits:
- Enhanced diagnostic data
- Report-only mode integration
- Graph API support
- Use more Conditional Access attributes like sign-in frequency in the policy
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Remediation
To configure a Sign-In risk policy, use the following steps:
- Navigate to the
Microsoft Entra admin center
https://entra.microsoft.com. - Click expand
Protection
>Conditional Access
selectPolicies.
- Create a new policy by selecting
New policy.
- Set the following conditions within the policy.
- Under
Users or workload identities
chooseAll users.
- Under
Cloud apps or actions
chooseAll cloud apps.
- Under
Conditions
chooseSign-in risk
thenYes
and check the risk level boxesHigh
andMedium.
- Under
Access Controls
selectGrant
then in the right pane clickGrant access
then selectRequire multifactor authentication.
- Under
Session
selectSign-in Frequency
and set toEvery time.
- Click
Select.
- You may opt to begin in a state of
Report Only
as you step through implementation however, the policy will need to be set toOn
to be in effect. - Click
Create.
Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_7 --share
SQL
This control uses a named query:
azuread_signin_risk_policy