How To: Configure and enable risk policies

As we learned in the previous article, Identity Protection policies, there are two risk policies we can enable in our directory.

  • Sign-in risk policy
  • User risk policy

Security overview page to enable user and sign-in risk policies

Both policies work to automate the response to risk detections in your environment and allow users to self-remediate when risk is detected.

Choosing acceptable risk levels

Organizations must decide the level of risk they're willing to accept balancing user experience and security posture.

Microsoft's recommendation is to set the user risk policy threshold to High and the sign-in risk policy to Medium and above and allow self-remediation options. Choosing to block access rather than allowing self-remediation options, like password change and multi-factor authentication, will impact your users and administrators. Weigh this choice when configuring your policies.

Choosing a High threshold reduces the number of times a policy is triggered and minimizes the impact to users. However, it excludes Low and Medium risk detections from the policy, which may not block an attacker from exploiting a compromised identity. Selecting a Low threshold introduces more user interrupts.

Configured trusted network locations are used by Identity Protection in some risk detections to reduce false positives.

Risk remediation

Organizations can choose to block access when risk is detected. Blocking sometimes stops legitimate users from doing what they need to. A better solution is to allow self-remediation using Azure AD Multi-Factor Authentication (MFA) and self-service password reset (SSPR).

  • When a user risk policy triggers:
    • Administrators can require a secure password reset, requiring Azure AD MFA be done before the user creates a new password with SSPR, resetting the user risk.
  • When a sign-in risk policy triggers:
    • Azure AD MFA can be triggered, allowing the user to prove it's them by using one of their registered authentication methods, resetting the sign-in risk.

Warning

Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.

Password change (I know my password and want to change it to something new) outside of the risky user policy remediation flow does not meet the requirement for secure password reset.

Exclusions

Policies allow for excluding users such as your emergency access or break-glass administrator accounts. Organizations may need to exclude other accounts from specific policies based on the way the accounts are used. Exclusions should be reviewed regularly to see if they're still applicable.

Enable policies

There are two locations where these policies may be configured: Conditional Access and Identity Protection. Configuration using Conditional Access policies is the preferred method, providing more context, including:

  • Enhanced diagnostic data
  • Report-only mode integration
  • Graph API support
  • Use more Conditional Access attributes in policy

User risk with Conditional Access

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions > Include, select All cloud apps.
  7. Under Conditions > User risk, set Configure to Yes. Under Configure user risk levels needed for policy to be enforced select High, then select Done.
  8. Under Access controls > Grant, select Grant access, Require password change, and select Select.
  9. Confirm your settings, and set Enable policy to On.
  10. Select Create to enable your policy.

Sign in risk with Conditional Access

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions > Include, select All cloud apps.
  7. Under Conditions > Sign-in risk, set Configure to Yes. Under Select the sign-in risk level this policy will apply to:
    1. Select High and Medium.
    2. Select Done.
  8. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select Create to enable your policy.
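The two portal procedures above correspond to the Graph API support listed under Enable policies. As an added example (not from the original article and not Microsoft's own tooling), the following Python builds the equivalent request bodies for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies and lints them before they are sent; the break-glass object ID and the policy names are constructed placeholders.

```python
from typing import Any, Dict, List

RISK_LEVELS = ("low", "medium", "high")  # ordered from least to most severe
# Constructed placeholder object ID for an emergency access (break-glass) account.
BREAK_GLASS_ACCOUNTS = ["00000000-0000-0000-0000-000000000001"]


def levels_at_or_above(threshold: str) -> List[str]:
    """Expand a threshold ('medium' means medium and above) into Graph riskLevel values."""
    return list(RISK_LEVELS[RISK_LEVELS.index(threshold):])  # ValueError if unknown


def _base_policy(name: str, exclude_users: List[str], report_only: bool) -> Dict[str, Any]:
    return {
        "displayName": name,
        # Report-only mode lets you review who would be affected before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
        },
    }


def user_risk_policy(threshold: str = "high", exclude_users: List[str] = BREAK_GLASS_ACCOUNTS,
                     report_only: bool = True) -> Dict[str, Any]:
    """User risk policy: secure password reset (MFA first, then a new password via SSPR)."""
    policy = _base_policy("CA - User risk - Require password change", exclude_users, report_only)
    policy["conditions"]["userRiskLevels"] = levels_at_or_above(threshold)
    # Graph requires passwordChange to be combined with mfa under the AND operator.
    policy["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return policy


def sign_in_risk_policy(threshold: str = "medium", exclude_users: List[str] = BREAK_GLASS_ACCOUNTS,
                        report_only: bool = True) -> Dict[str, Any]:
    """Sign-in risk policy: require MFA so the user can prove it is them and clear the risk."""
    policy = _base_policy("CA - Sign-in risk - Require MFA", exclude_users, report_only)
    policy["conditions"]["signInRiskLevels"] = levels_at_or_above(threshold)
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def lint(policy: Dict[str, Any]) -> List[str]:
    """Catch two easy-to-miss mistakes before the body is POSTed to Graph."""
    issues = []
    if not policy["conditions"]["users"]["excludeUsers"]:
        issues.append("no emergency access accounts excluded; a false positive could lock out admins")
    controls = policy.get("grantControls", {})
    if "passwordChange" in controls.get("builtInControls", []) and not (
            "mfa" in controls["builtInControls"] and controls.get("operator") == "AND"):
        issues.append("passwordChange must be paired with mfa using operator AND")
    return issues
```

Both policies default to report-only so the sign-in logs can be reviewed for impact before the state is switched to enabled, matching the Report-only mode integration the article lists as a benefit of the Conditional Access route.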

Next steps