question

NadBen-4857 asked NadBen-4857 commented

Identity Secure Score and Impact

Hello,

I have a question to which I can't find an answer: On one of my Azure AD tenants, on which I have a single Azure AD Premium P1 license assigned to a single user, the Identity Secure Score does not reflect my configuration.

Indeed, the score on both improvement actions "Turn on sign-in risk policy" and "Turn on user risk policy" is 100%. According to Microsoft documentation, these two features are available with Azure AD Premium P2, with the Identity Protection module.

172559-2022-02-09-18-01-26-security-azure-active-director.png

Moreover, when I go to the Identity Protection configuration, I can't activate the user and sign-in risk policies, the features are grayed out (button "Enforce policy" on "Off").

172598-2022-02-09-18-00-57-identity-protection-azure-acti.png

So why is my tenant getting all the points on these two improvement actions when nothing has been set up?

Thank you in advance for your help.


azure-ad-identity-protection

Thanks for sending the information! There is a similar bug that the product team is working to fix and they are verifying if this might be related to that bug.

NadBen-4857 MarileeTurscak-MSFT ·

Hi @MarileeTurscak-MSFT

Thank you for your feedback.

MarileeTurscak-MSFT answered MarileeTurscak-MSFT edited

Hi @NadBen-4857,

Summary of issue:
Just to clarify, you are seeing "Turn on sign-in risk policy" listed as completed, even though you never enabled it for the tenant and only have a Premium P1 license?

I agree that this should not be the case and I have reached out to the product team and showed them your screenshots. Have you ever had a P2 trial license enabled for that tenant or has it always been the P1 license?

You can't activate the sign-in risk policy more than once using different login credentials from different domains. So if someone logged in with a separate credential that has a P2 license and global admin features, they may have been enabled that way. Is it possible that someone else in your tenant may have enabled the sign-in policies if a trial license was enabled at some point? It still doesn't seem like "Enforce policy" would show as "Off" in that case though.

I will keep you posted when I hear back from the Identity Protection team! I'll also reach out to you in a private comment to offer the option to open a support case.

Thanks for your patience.

Marilee

NadBen-4857 answered MarileeTurscak-MSFT commented

Hi @MarileeTurscak-MSFT

Yes, exactly. I see "Turn on sign-in risk policy" and "Turn on user risk policy" as completed without having enabled them on the tenant, and I have only a Premium P1 license (cf. screenshot).

172996-capture10022022.png

I've never had an Azure AD Premium P2 license on this tenant, not even a trial version. Here are all the licenses available on this tenant:

172937-capture10022022-2.png

Thank you for your help, don't hesitate if you need more information.



