Control: 1.1.13 Enable Azure AD Identity Protection sign-in risk policies
Description
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Remediation
To configure a Sign-In risk policy, use the following steps:
- Navigate to
Microsoft Entra admin center
https://entra.microsoft.com/. - Browse to
Azure Active Directory
>Protect & secure
>Conditional Access
. - Create a new policy by selecting
New policy
. - Set the following conditions within the policy.
- Under
Users or workload identities
chooseAll users
. - Under
Cloud apps or actions
chooseAll cloud apps
. - Under
Conditions
chooseSign-in risk
then Yes in the right pane followed by the appropriate level. - Under
Access Controls
selectGrant
then in the right pane clickGrant access
then selectRequire muilti-factor authentication
.
- Click
Select
- You may opt to begin in a state of
Report Only
as you step through implementation however, the policy will need to be set toOn
to be in effect. - Click
Create
.
NOTE: For more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v200_1_1_13
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v200_1_1_13 --share
SQL
This control uses a named query:
with block_legacy_authentication as ( select tenant_id, count(*) from azuread_conditional_access_policy where users->'includeUsers' ?& array['All'] and jsonb_array_length(users -> 'excludeUsers') = 0 and jsonb_array_length(sign_in_risk_levels) != 0 and applications->'includeApplications' ?& array['All'] and jsonb_array_length(applications -> 'excludeApplications') = 0 and built_in_controls ?& array['mfa'] group by tenant_id),tenant_list as ( select distinct on (tenant_id) tenant_id, _ctx from azuread_user)select t.tenant_id as resource, case when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then 'ok' else 'alarm' end as status, case when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has sign-in risk policies enabled.' else t.tenant_id || ' has sign-in risk policies disabled.' end as reason , t.tenant_id as tenant_idfrom tenant_list as t;