In this blog post I will go through the process of enabling a user risk policy and a sign-in risk policy in Azure AD Identity Protection, located in the Azure Portal.
Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts in the directory.
User risk policy
With the user risk policy turned on, Azure Active Directory estimates the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to respond automatically to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.
Identity Protection categorises risk into three tiers: low, medium, and high. While Microsoft does not publish the details of how risk is calculated, each level brings higher confidence that the user or sign-in is compromised. For example, a single instance of unfamiliar sign-in properties for one user is not as threatening as leaked credentials for another.
User sign-in policy
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication (MFA). Note that if the user has not registered for MFA, access is blocked instead.
Note: to make use of these features, every user who benefits from or is affected by a feature exclusive to the Azure AD P2 offering needs an Azure AD P2 licence or a licence that includes Azure AD P2, for example Microsoft 365 E5 – Source: Microsoft
1. Log in to your Azure Portal (portal.azure.com)
2. Search for and click Azure AD Identity Protection
3. Below is a screenshot displaying both the user risk policy and the sign-in risk policy. We'll start with the user risk policy.
4. Click User risk policy; the parameters available are shown below.
5. Click All users. Here I can apply this policy to all users or target individual users or groups.
I can also exclude users or groups, as shown in the screenshot below.
Note: exclusions override inclusions, so if a user is in two groups, one excluded and the other included, the exclusion takes priority.
For the purpose of this demo, I will leave the default of All users.
6. Next, move on to User risk, which assesses the likelihood that the user account is compromised.
7. The risk levels available (High, Medium and above, Low and above) are produced by Microsoft's risk algorithm. As noted above, Microsoft does not publish how risk is calculated, only that each level brings higher confidence that the user or sign-in is compromised. For common questions, see the Microsoft article – Common Questions
I'll set the user risk to High, so the policy only acts on accounts flagged as high risk, meaning an account that has very likely been compromised. Click Done.
8. Next, I move on to Access, located under Controls.
9. Here is where we configure the action taken when the condition is met. For the purpose of this demo, I will click Allow access but require the user to change their password. You could instead block access when high risk is identified. Click Done.
10. Select On and click Save.
11. That's the user risk policy set.
Let's move on to the sign-in risk policy.
1. Click Sign-in risk policy
2. I'll leave the default setting to apply the policy to all users.
3. Next I click Sign-in risk, which is based on the likelihood that the sign-in is coming from someone other than the user.
4. I set this to High and click Done.
5. Click Access, located under Controls.
6. I click Allow access but require multi-factor authentication, then click Done.
Note: if the user has not registered for multi-factor authentication, the user will be blocked.
7. Finally, I turn the policy On and click Save.
That's both policies configured.
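The two policies above can also be created from a script, which is useful when you need to reproduce the configuration across tenants or keep it in version control. The example below is an added illustration, not code from the original post: it creates the equivalent risk-based Conditional Access policies through Microsoft Graph PowerShell (the Microsoft.Graph module) rather than the legacy Identity Protection blade. It assumes the signed-in administrator has the Policy.ReadWrite.ConditionalAccess scope, and `$BreakGlassGroupId` is a placeholder for the object ID of your own emergency-access group, which you should always exclude so a false positive cannot lock every admin out.

```powershell
# Added example (not from the original post): create the high user risk and high
# sign-in risk policies from the walkthrough as Conditional Access policies via
# Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed.
# $BreakGlassGroupId is a placeholder you must fill in with your own group's ID.
#Requires -Modules Microsoft.Graph.Identity.SignIns
param(
    [Parameter(Mandatory)][string]$BreakGlassGroupId
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Scope shared by both policies: all users, all cloud apps, with the
# break-glass group excluded (exclusions override inclusions).
$commonConditions = @{
    applications = @{ includeApplications = @('All') }
    users        = @{
        includeUsers  = @('All')
        excludeGroups = @($BreakGlassGroupId)
    }
}

# Policy 1: user risk = High -> allow, but force a password change. Graph only
# accepts passwordChange when it is paired with mfa under operator AND, and the
# sign-in frequency is set to every time so an existing session is not reused.
$userRiskPolicy = @{
    displayName   = 'Identity Protection - High user risk - force password change'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = $commonConditions + @{ userRiskLevels = @('high') }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

# Policy 2: sign-in risk = High -> allow, but require MFA. A user who has not
# registered for MFA cannot satisfy this control and is blocked, as the post notes.
$signInRiskPolicy = @{
    displayName   = 'Identity Protection - High sign-in risk - require MFA'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = $commonConditions + @{ signInRiskLevels = @('high') }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

foreach ($policy in @($userRiskPolicy, $signInRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

Both policies are created in report-only mode (`enabledForReportingButNotEnforced`) so you can check the Conditional Access tab of the sign-in logs to see what they would have done before switching `state` to `enabled`; that matches the portal walkthrough's end result once you flip them on, but avoids enforcing a password change on your whole directory the moment the script finishes.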
To view risk alerts, click the options under Report in the menu on the left.
Further down the menu, we have the Users at risk detected alerts and the Weekly digest. Users in the Global administrator, Security administrator, or Security reader roles are automatically added to this list if they have a valid email or alternate email configured. Microsoft attempts to send emails to the first 20 members of each role. If a user is enrolled in PIM to elevate to one of these roles on demand, they will only receive emails if they are elevated at the time the email is sent.
By default, admins are alerted on high risk detections, as shown below.
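The Report blade shows risky users and risk detections as separate lists. The added example below (not from the original post) pulls the same data through Microsoft Graph PowerShell and joins the two, so each high-risk user is listed with the detection types and source IPs that drove the score. It assumes the Microsoft.Graph module and the IdentityRiskyUser.Read.All and IdentityRiskEvent.Read.All scopes, which the Security Reader role can consent to; the seven-day window is an arbitrary choice for illustration.

```powershell
# Added example (not from the original post): list users Identity Protection
# currently rates as high risk, together with the risk detections behind them.
# Assumes the Microsoft.Graph module; the 7-day lookback is an arbitrary choice.
#Requires -Modules Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All' -NoWelcome

# riskState 'atRisk' leaves out users already remediated or dismissed, so this is
# the set a "require password change" user risk policy would be acting on today.
$riskyUsers = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All

# Pull recent detections once and join them to users client-side, so the output
# also shows lower-level detections that contributed to a high aggregate score.
$since      = (Get-Date).ToUniversalTime().AddDays(-7)
$detections = Get-MgRiskDetection -All |
    Where-Object { $_.DetectedDateTime -ge $since }

foreach ($u in $riskyUsers) {
    $hits = $detections | Where-Object { $_.UserId -eq $u.Id }
    [pscustomobject]@{
        User        = $u.UserPrincipalName
        RiskLevel   = $u.RiskLevel
        LastUpdated = $u.RiskLastUpdatedDateTime
        Detections  = ($hits.RiskEventType | Sort-Object -Unique) -join ', '
        SourceIPs   = ($hits.IpAddress     | Sort-Object -Unique) -join ', '
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` for a daily report. Once an account has been investigated, the same module can close the loop: `Confirm-MgRiskyUserCompromised -UserIds <id>` raises the user to high risk so the user risk policy fires, and `Invoke-MgDismissRiskyUser -UserIds <id>` clears a confirmed false positive.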