Exercise - enable sign-in risk policy

Enable user risk policy

  1. Sign in to the Azure portal using a Global administrator account.

  2. Open the portal menu and then select Azure Active Directory.

  3. On the Azure Active Directory blade, under Manage, select Security.

  4. On the Security blade, in the left navigation, select Identity protection.

  5. In the Identity protection blade, in the left navigation, select User risk policy.

    Screen image displaying the User risk policy page and highlighted browsing path

  6. Under Assignments, select All users and review the available options.

    You can select from All users or Select individuals and groups if limiting your rollout.

    Additionally, you can choose to exclude users from the policy.

  7. Under User risk, select Low and above.

  8. In the User risk pane, select High and then select Done.

  9. Under Controls > Access, select Block access.

  10. In the Access pane, review the available options.

Tip

Microsoft's recommendation is to Allow access and Require password change.

  11. Select the Require password change check box and then select Done.

  12. Under Enforce Policy, select On and then select Save.

Enable sign-in risk policy

  1. On the Identity protection blade, in the left navigation, select Sign-in risk policy.

  2. As with the User risk policy, the Sign-in risk policy can be assigned to users and groups and allows you to exclude users from the policy.

  3. Under Sign-in risk, select Medium and above.

  4. In the Sign-in risk pane, select High and then select Done.

  5. Under Controls > Access, select Block access.

  6. Select the Require password change check box and then select Done.

  7. Under Enforce Policy, select On and then select Save.