Join Pete Zerger for an in-depth discussion in this video Configure risk levels and policies, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Azure Active Directory identity protection detects risk event types in real time, and offline, and you can customize behavior based on your tolerance for risk. Each risk event that's been detected for a sign in of a user contributes to a logical concept called a risky sign in. A risky sign in is an indicator for a sign in attempt that might not have been performed by the legitimate owner of an Azure Active Directory account. Let's sign in to the Azure portal, at portal.azure.com, and configure risk policies.
So I'll put in my email address, my UPN, and you'll notice I'm directed to the KinetEco sign in page, And in the Azure portal, you'll see that I have Azure AD identity protection both pinned to my navigation bar, and to my dashboard here, you can find that under more services and search here directly, should you find you don't have that already pinned for your use. So here I have my Azure AD identity protection dashboard, and I'll scroll down and begin with multifactor authentication, we do want to make sure all our users are registered for multifactor auth.
You'll notice here, under assignments, I can select all users, or I can roll this out to specific users or groups of users, it's a great idea to roll new features out in a phased manner to test these so you have a good understanding of how the feature impacts your user experience. Now under select users, you'll notice here, that it shows me a list of users, but I can also type the name of groups, for example the High Risk Sign-in Policy group in my environment, so it's a bit of a misnomer, in that respect.
I'll select that, and select done, and so now I have the scope of this policy in terms of the users that it will impact. Under controls, you'll notice here, I'm requiring Azure MFA registration, and I can review here the current registration count, so you'll find that this dashboard is a few minutes to a few hours behind your current state, based on your recent configurations. And then I set my enforce policy option to on, if I set this to off, then the policy simply doesn't apply, it's there and waiting for us for some future date.
So now, the next time my users log in, they will be prompted to complete registration for multifactor authentication. Now a mitigation is an action to limit the ability of attacker to exploit a compromised identity or a device, without restoring the identity or device to a safe state. This doesn't resolve previous sign in risk events in your environment, but it will help you with future potential impacts, so you'll see here, in the left hand menu of the Azure AD identity protection dashboard, we have a user risk policy, and a sign in risk policy.
User risk applies when an account is suspected of compromise, for example, password leakage, so I'll click on the user risk policy option, I have similar assignment options, just as we did with MFA, I can select all users, individuals, or groups, again prioritizing that phased approach to protect your user experience and to make sure you understand the impact of your changes. Under user risk, you'll see here that I can select my tolerance for risk, Microsoft would typically recommend medium and above, high is going to minimize your user prompts, but it's going to leave you vulnerable for that medium category.
And, under controls, you'll see here that we have require password change, and you might ask yourself, "Why can't I select require multifactor authentication?" In this case, a user risk policy is applied when an account is suspected of compromise, and frankly, best practices say we shouldn't be leaning on multifactor authentication, in that case, we should require the password reset under multifactor conditions. Thus the reason for the limitation.
And I can view the number of users impacted, so based on the groups that I select in my policy, it's going to show me here, a summary of how many users would be challenged, and how many would be blocked in my environment based on my settings. And as with the MFA policy, I can set enforce to on or off to apply or not apply that policy. So now let's have a look at the sign in risk policy, the sign in risk policy is a conditional access policy that evaluates the risk to a specific sign in and applies mitigations based on predefined conditions and rules.
Sign in risk looks at the context of the session and determines whether or not the session is risky based on our settings. Again I can select my groups, when I look at my condition here again, medium and high, Microsoft always recommending medium to maximize our protection, understanding that this is going to result in a few more prompts to our user audience. And my control here is to require multifactor authentication, again, the account is not considered compromised, we simply have an unusual sign in that brings with it some risk, so we require multifactor authentication simply to, ensure that we have a known user, actually using that account, and again, enforcing the policy on or off, just as we would with the user risk policy or the multifactor.
So where's the sweet spot, again, choosing a high threshold reduces the number of prompts, but it excludes the medium and low options, so medium is where Microsoft is going to recommend that we begin. And completing these steps ensures that multifactor authentication is required for a risky sign in and at this point we're ready to configure notification and test our policies.
- Configuring virtual-based security
- Securing email
- Implementing post-breach defense
- Protecting the cloud with Azure AD
- Using Windows Defender ATP
- Managing privileged access in Azure