Control: 5.2.2.7 Enable Azure AD Identity Protection sign-in risk policies

Description

Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.

Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits:

• Enhanced diagnostic data
• Report-only mode integration
• Graph API support
• Use more Conditional Access attributes like sign-in frequency in the policy

Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

Remediation

To configure a Sign-In risk policy, use the following steps:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click expand Protection > Conditional Access select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy.

• Under Users or workload identities choose All users.
• Under Cloud apps or actions choose All cloud apps.
• Under Conditions choose Sign-in risk then Yes and check the risk level boxes High and Medium.
• Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication.
• Under Session select Sign-in Frequency and set to Every time.

5. Click Select.
6. You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
7. Click Create.

Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc