As organizations increasingly depend on digital platforms, securing user identities becomes a top priority. With the rise of cyber threats, it's essential for businesses to implement proactive measures to protect sensitive information. Microsoft Entra Identity Protection offers robust solutions to detect vulnerabilities and enforce risk-based access policies effectively. In this article, we’ll guide you through configuring user risk and sign-in risk policies within Microsoft Entra ID Protection, leveraging best practices from the CIS Controls.

Understanding User Risk and Sign-In Risk Policies

User risk policies are designed to identify the likelihood that a user account has been compromised. By analyzing various signals, Entra ID Protection calculates a risk score reflecting the probability of compromise. This proactive approach enables organizations to address potential issues before they escalate.

Sign-in risk policies, on the other hand, monitor sign-in attempts for signs of suspicious activity. Each time a user attempts to log in, Entra ID Protection evaluates numerous signals in real-time to assess whether the request is authorized. This dual approach to risk assessment empowers organizations to respond swiftly to potential threats.

Microsoft’s Recommended Approach

Microsoft recommends implementing these risk policies through Conditional Access rather than using legacy methods. This approach offers several advantages:

• Enhanced diagnostic data for monitoring policy effectiveness

• Report-only mode to evaluate potential impacts without enforcing changes

• Graph API support for deeper integration and analysis

• The ability to utilize additional Conditional Access attributes, such as sign-in frequency, in your policy configuration

• Automation of responses to risks, allowing users to self-remediate when threats are detected

Prerequisites

• A working Microsoft Entra tenant with Microsoft Entra ID P2, or trial license enabled.

  
  

Plan for Conditional Access risk policies

In this step, it's crucial to plan your Conditional Access risk policies, as Microsoft Entra ID Protection sends risk signals that help enforce organizational security measures. These policies may require users to perform multifactor authentication or change their passwords securely. Before creating these policies, consider excluding emergency access accounts to prevent accidental lockouts, as well as service accounts and service principals that facilitate backend operations.

Additionally, ensure users are registered for multifactor authentication to enable self-remediation of risks. Configuring named locations, including your VPN ranges, enhances the accuracy of risk assessments by reducing false positives. Lastly, utilize report-only mode to evaluate the impact of your Conditional Access policies before full enforcement, allowing for a smoother implementation process.

Configure user risk policy in Conditional Access

To configure a User risk policy, use the following steps:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

2. Click expand Protection > Conditional Access select Policies.

3. Create a new policy by selecting New policy.

4. Set the following conditions within the policy:

   • Under Assignments choose All users

   • Under Cloud apps or actions > Include, select All resources (formerly 'All cloud apps')

   • Under Conditions choose User risk then Yes and select the user risk level High.

   • Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication and Require password change.

   • Under Session ensure Sign-in frequency is set to Every time.

   • Click Select.

5. Under Enable policy set it to Report Only until the organization is ready to enable it.

6. Click Create.

Once the policy is activated, user access will either be blocked, or they will be prompted to complete Multi-Factor Authentication (MFA) and change their password. If users have not registered for MFA, they will be denied access to their accounts, which will require administrative intervention for recovery.

Configure sign-in risk policy in Conditional Access

To configure a Sign-In risk policy, use the following steps:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

2. Click expand Protection > Conditional Access select Policies.

3. Create a new policy by selecting New policy.

4. Set the following conditions within the policy.

   • Under Assignments choose All users.

   • Under Cloud apps or actions > Include, select All resources (formerly 'All cloud apps').

   • Under Conditions choose Sign-in risk then Yes and check the risk level boxes High and Medium.

   • Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication.

   • Under Session select Sign-in Frequency and set to Every time.

   • Click Select.

5. Under Enable policy set it to Report Only until the organization is ready to enable it.

6. Click Create.

When the sign-in risk policy is activated, users will be required to complete Multi-Factor Authentication (MFA) to gain access to their accounts. If a user has not registered for MFA, they will be blocked from accessing their account altogether.

Configuring Microsoft Entra ID Protection risk-based access policies is crucial for strengthening your organization's identity security. By enabling both user risk and sign-in risk policies, you not only safeguard sensitive information but also enhance your overall security framework.

Stay proactive in protecting your organization’s digital assets—because a secure identity is a secure organization! If you're looking to bolster your Microsoft 365 security and compliance posture, connect with us. Schedule a call with our experts using the button below to discover how we can tailor solutions to protect your business from evolving threats while optimizing your technology strategy.