network technician/administrator/manager blog
User Risk Policy using Conditional Access Policies in Azure AD

In another post, MFA deployment using Conditional Access Policies in Azure AD, I created a conditional access policy for MFA and briefly discussed two of the condition options available: User risk (preview) and Sign-in risk. In this post I will show how I created a policy that acts when Azure AD Identity Protection identifies a "User risk".

To take advantage of Identity Protection you will need an Azure AD Premium P2 licence assigned to every user the policy covers – https://azure.microsoft.com/en-gb/pricing/details/active-directory/

In this post I will go through setting up a User risk policy: once Identity Protection has flagged a user as at risk, the policy forces that user to reset their password. Sign-in risk, which scores an individual authentication rather than the account itself, is handled by a separate policy and is not covered here.

USER RISK POLICY

First, because this policy relies on each user being licensed, select a security group that contains all the users you need to protect. In this instance I used an existing "All Staff" security group.

This particular policy only works if All cloud apps is selected under Cloud apps; in fact the portal will not let you enable the password change control until that box is ticked.

Identity Protection categorises risk into three tiers: low, medium and high. While Microsoft does not publish the details of how risk is calculated, each level brings higher confidence that the user or sign-in is compromised. For example, a single instance of unfamiliar sign-in properties for a user is not as threatening as leaked credentials for another user.

Based on this, and in line with Microsoft's own advice for the User risk level, I recommend setting it to High. Setting it to Medium or Low would have a significant impact on users, certainly those who travel a lot or don't use the same device day to day.

Now that the policy assignments and the trigger condition are set, we need to define what happens when the policy fires on a high-confidence user risk.

Under Grant, select Require password change (Preview). This automatically selects Require multi-factor authentication as well and greys out the other options, which are not available with this control.
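The same policy can be built from PowerShell rather than the portal, which makes it repeatable across tenants. The script below is an added example, not from the original post, and uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules). It assumes the "All Staff" group exists, and the break-glass account and policy name are placeholders I have chosen; the break-glass exclusion and the report-only starting state are my additions as safeguards rather than steps from the post.

```powershell
# Added example (not the original post's steps): create the user-risk policy
# described above via Microsoft Graph PowerShell.
# Assumptions: group "All Staff" exists; the break-glass UPN is a placeholder.

$GroupName     = 'All Staff'
$BreakGlassUpn = 'breakglass@contoso.example'   # assumed placeholder, replace it
$PolicyName    = 'Identity Protection - High user risk - Require password change'

# Policy.ReadWrite.ConditionalAccess creates the policy; the rest are for the
# group/user lookups and the risky-user check at the end.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'Group.Read.All','User.Read.All','IdentityRiskyUser.Read.All'

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found" }

# Always keep an emergency-access account out of risk-based policies so a
# false positive (or an Identity Protection outage) cannot lock admins out.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn

$body = @{
    displayName = $PolicyName
    # Report-only first: the sign-in logs then show who the policy would have
    # hit, without forcing anyone to reset a password.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        # "Require password change" is only accepted when all cloud apps are targeted.
        applications   = @{ includeApplications = @('All') }
        # Trigger on high user risk only, as recommended in the post.
        userRiskLevels = @('high')
    }
    grantControls = @{
        # AND = every listed control is required: MFA first, then the password change.
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
"Created policy $($policy.Id) in state $($policy.State)"

# Who would the policy act on right now? Users Identity Protection currently
# rates high risk and that are still 'atRisk' (not remediated or dismissed).
Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

# When the report-only results look right, switch the policy to enforced:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ state = 'enabled' }
```

The final Update call is deliberately the last line so the policy sits in report-only mode until you have reviewed the risky-user list and the report-only sign-in log entries; run everything above it first, then the Update once you are satisfied.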

That's it. Once the policy is enabled, as soon as Identity Protection flags any user it covers at High risk, that user will be required to change their password straight away.