Control: 1.1.13 Enable Azure AD Identity Protection sign-in risk policies
Description
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Remediation
To configure a Sign-In risk policy, use the following steps:
- Navigate to
Microsoft Entra admin center
https://entra.microsoft.com/. - Browse to
Azure Active Directory
>Protect & secure
>Conditional Access
. - Create a new policy by selecting
New policy
. - Set the following conditions within the policy.
- Under
Users or workload identities
chooseAll users
. - Under
Cloud apps or actions
chooseAll cloud apps
. - Under
Conditions
chooseSign-in risk
then Yes in the right pane followed by the appropriate level. - Under
Access Controls
selectGrant
then in the right pane clickGrant access
then selectRequire muilti-factor authentication
.
- Click
Select
- You may opt to begin in a state of
Report Only
as you step through implementation however, the policy will need to be set toOn
to be in effect. - Click
Create
.
NOTE: For more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v200_1_1_13
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v200_1_1_13 --share
SQL
This control uses a named query:
azuread_signin_risk_policy