Cloud Build

Microsoft Azure, 365 and all things Tech


Configure user and sign-in risk policies in Azure AD Identity Protection

Posted on March 6, 2021 by Imran Rashid

In this blog post I will go through the process of enabling a user sign-in and user risk policy within Azure Identity Protection located within the Azure Portal.

Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts in the directory.

User risk policy
With the user risk policy turned on, Azure Active Directory detects the probability that a user account has been compromised. As an administrator, you can configure a user risk conditional access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.

Identity Protection categorises risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, Microsoft say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.

User sign-in policy
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication (MFA). Note that if MFA is not enabled for the user, access will be blocked.

Note: to make use of these features, every user who benefits from or is affected by a feature exclusive to the Azure AD P2 offering needs an Azure AD P2 licence or a licence that includes Azure AD P2, for example 365 E5 – Source: Microsoft

1. Log in to your Azure Portal (portal.azure.com)

2. Search for and click Azure AD Identity Protection

3. Below is a screenshot displaying both the user risk policy and the sign-in risk policy. We’ll start with the user risk policy.

4. Click user risk policy and below are the parameters available

5. Click all users and below I can apply this policy to all users or target individuals or groups.

I can also exclude users or groups as shown in the screenshot below.

Note: exclusions override inclusions, so if a user is in two groups, one excluded and the other included, the exclusion will take priority.

For the purpose of this demo, I will be leaving the default of all users.

6. Next, move onto user risk which assesses the likelihood that the user account is compromised.

7. The risk levels below (High, Medium and above, Low and above) are based on a Microsoft algorithm. While Microsoft does not provide specific details about how risk is calculated, they say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user. For common questions, visit the following Microsoft article – Common Questions

I’ll be setting the user risk to High, so I’m looking for accounts that have been flagged as high risk, which means the account has very likely been compromised. Click Done.

8. Next, I move onto Access located under Controls

9. Here is where we configure the action if the condition is met. For the purpose of this demo, I will click Allow access but will force the user to change the password. You could also block the user when a high risk is identified. Click done

10. Select On and click save

11. That’s the user risk policy set

Let’s move onto Sign-in Risk Policy

1. Click Sign-in risk policy

2. I’ll be leaving the default setting to apply the policy to all users

3. Next, I click on Sign-in risk, which is based on the likelihood that the sign-in is coming from someone other than the user.

4. I set this to high and click done

5. Click access located under Controls

6. I click allow but the user will be forced to perform multi-factor authentication, click done

Note: If multi-factor is not configured for the user, the user will be blocked

7. Finally, I turn on the policy and click save

That’s both policies configured
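
As an added illustration (not code from the original post or from Microsoft), the sketch below models the outcomes the two policies above produce, using only the rules stated in the walkthrough: exclusions override inclusions, a policy applies at or above the chosen risk level, and a sign-in policy requiring MFA blocks users who have no MFA configured. The class, function and outcome names are hypothetical, and the sample accounts are constructed.

```python
from dataclasses import dataclass, field

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class RiskPolicy:
    """Simplified model of one risk policy, limited to what the post states."""
    threshold: str   # "high", "medium" (Medium and above) or "low" (Low and above)
    control: str     # "block", "password_change" or "mfa"
    include: set = field(default_factory=lambda: {"All users"})
    exclude: set = field(default_factory=set)
    enabled: bool = True

    def in_scope(self, user, groups):
        ids = set(groups) | {user}
        if ids & self.exclude:            # exclusions override inclusions
            return False
        return "All users" in self.include or bool(ids & self.include)

    def evaluate(self, user, groups, risk, mfa_registered=True):
        if not self.enabled or not self.in_scope(user, groups):
            return "not_applied"
        if LEVELS[risk] < LEVELS[self.threshold]:
            return "allow"                # below the configured risk level
        if self.control == "mfa" and not mfa_registered:
            return "block"                # MFA not configured: user is blocked
        return {"block": "block",
                "password_change": "allow_after_password_change",
                "mfa": "allow_after_mfa"}[self.control]

# The two policies from the walkthrough: all users, risk level High.
USER_RISK_POLICY = RiskPolicy(threshold="high", control="password_change")
SIGN_IN_RISK_POLICY = RiskPolicy(threshold="high", control="mfa")

def outcomes(user, groups, user_risk, sign_in_risk, mfa_registered):
    """Return (user risk policy result, sign-in risk policy result)."""
    return (USER_RISK_POLICY.evaluate(user, groups, user_risk, mfa_registered),
            SIGN_IN_RISK_POLICY.evaluate(user, groups, sign_in_risk, mfa_registered))

if __name__ == "__main__":
    # Constructed sample accounts; names, groups and risk levels are made up.
    samples = [("alice", {"Sales"}, "high", "none", True),
               ("bob", {"Sales"}, "none", "high", False),
               ("carol", {"Sales"}, "medium", "high", True)]
    for s in samples:
        print(s[0], outcomes(*s))
```

Running the model against a list of pilot accounts before switching the policies to On shows which users would be blocked outright because they have no MFA configured.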

To view risk alerts, click the options located under Report in the menu located towards the left.

Further down the menu, under Notify, we have Users at risk detected alerts and Weekly digest. Users in the Global administrator, Security administrator, or Security reader roles are automatically added to this list if that user has a valid email or alternate email configured. Microsoft attempt to send emails to the first 20 members of each role. If a user is enrolled in PIM to elevate to one of these roles on demand, then they will only receive emails if they are elevated at the time the email is sent.

By default admins are alerted based on high risk alerts as shown below
