turbot/microsoft365_compliance

Control: 5.2.2.6 Enable Azure AD Identity Protection user risk policies

Description

Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised.

Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits:

  • Enhanced diagnostic data
  • Report-only mode integration
  • Graph API support
  • Use more Conditional Access attributes like sign-in frequency in the policy

With the user risk policy turned on, Azure AD detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level.

Remediation

To configure a User risk policy, use the following steps:

  1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
  2. Click expand Protection > Conditional Access select Policies.
  3. Create a new policy by selecting New policy.
  4. Set the following conditions within the policy:
    • Under Users or workload identities choose All users.
    • Under Cloud apps or actions choose All cloud apps.
    • Under Conditions choose User risk then Yes and select the user risk level High.
    • Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication and Require password change.
    • Under Session ensure Sign-in frequency is set to Every time.
  5. Click Select.
  6. You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
  7. Click Create.

Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_6 --share

SQL

This control uses a named query:

azuread_user_risk_policy

Tags