Risk policies - Microsoft Entra ID Protection (2024)

There are two types of risk policies you can set up in Microsoft Entra Conditional Access. You can use these policies to automate the response to risk, allowing users to self-remediate when risk is detected:

  • Sign-in risk policy
  • User risk policy

Choosing acceptable risk levels

Organizations must decide the level of risk at which they want to require access control, balancing user experience against security posture.

Choosing to apply access control on a High risk level reduces the number of times a policy is triggered and minimizes friction for users. However, it excludes Low and Medium risks from the policy, which might not block an attacker from exploiting a compromised identity. Selecting a Low risk level to require access control introduces more user interrupts.

Configured trusted network locations are used by Identity Protection in some risk detections to reduce false positives.

The policy configurations that follow include the sign-in frequency session control requiring a reauthentication for risky users and sign-ins.

Microsoft's recommendation

Microsoft recommends the following risk policy configurations to protect your organization:

  • User risk policy
    • Require a secure password change when user risk level is High. Microsoft Entra multifactor authentication is required before the user can create a new password with password writeback to remediate their risk.
  • Sign-in risk policy
    • Require Microsoft Entra multifactor authentication when sign-in risk level is Medium or High, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.

Requiring access control when the risk level is Low introduces more friction and user interrupts than Medium or High. Choosing to block access rather than allowing self-remediation options, like secure password change and multifactor authentication, affects your users and administrators even more. Weigh these choices when configuring your policies.

Risk remediation

Organizations can choose to block access when risk is detected. Blocking sometimes stops legitimate users from doing what they need to. A better solution is to configure user and sign-in risk-based Conditional Access policies that allow users to self-remediate.

Warning

Users must register for Microsoft Entra multifactor authentication before they face a situation requiring remediation. For hybrid users that are synced from on-premises, password writeback must be enabled. Users not registered are blocked and require administrator intervention.

Password change (I know my password and want to change it to something new) outside of the risky user policy remediation flow does not meet the requirement for secure password change.

Enable policies

Organizations can choose to deploy risk-based policies in Conditional Access using the following steps or use Conditional Access templates.

Before organizations enable these policies, they should take action to investigate and remediate any active risks.

Policy exclusions

Conditional Access policies are powerful tools, so we recommend excluding the following accounts from your policies:

  • Emergency access or break-glass accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
    • More information can be found in the article, Manage emergency access accounts in Microsoft Entra ID.
  • Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

User risk policy in Conditional Access

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions > Include, select All cloud apps.
  7. Under Conditions > User risk, set Configure to Yes.
    1. Under Configure user risk levels needed for policy to be enforced, select High. This guidance is based on Microsoft recommendations and might be different for each organization.
    2. Select Done.
  8. Under Access controls > Grant:
    1. Select Grant access, Require multifactor authentication, and Require password change.
    2. Select Select.
  9. Under Session:
    1. Select Sign-in frequency.
    2. Ensure Every time is selected.
    3. Select Select.
  10. Confirm your settings and set Enable policy to Report-only.
  11. Select Create to create your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

Sign-in risk policy in Conditional Access

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions > Include, select All cloud apps.
  7. Under Conditions > Sign-in risk, set Configure to Yes.
    1. Under Select the sign-in risk level this policy will apply to, select High and Medium. This guidance is based on Microsoft recommendations and might be different for each organization.
    2. Select Done.
  8. Under Access controls > Grant:
    1. Select Grant access and Require multifactor authentication.
    2. Select Select.
  9. Under Session:
    1. Select Sign-in frequency.
    2. Ensure Every time is selected.
    3. Select Select.
  10. Confirm your settings and set Enable policy to Report-only.
  11. Select Create to create your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
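The two procedures above (user risk and sign-in risk policies, report-only, break-glass excluded, sign-in frequency every time) done with Microsoft Graph PowerShell instead of the admin center, as an added example that is not part of the Microsoft article. The cmdlets and Graph property names are real; the policy display names and the break-glass group ID are assumed placeholders.

```powershell
# Added example (not Microsoft's code): create both recommended risk policies in
# report-only mode via Microsoft Graph PowerShell. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'IdentityRiskyUser.Read.All'
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group ID

# Investigate active risk before enabling anything: users still flagged at risk
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime

# Shared pieces: all users minus break glass, all cloud apps, reauthenticate every time
$commonUsers = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
$allApps     = @{ includeApplications = @('All') }
$everyTime   = @{ signInFrequency = @{
    isEnabled          = $true
    frequencyInterval  = 'everyTime'
    authenticationType = 'primaryAndSecondaryAuthentication'
} }

# User risk policy: High -> MFA AND secure password change (passwordChange must be paired with mfa)
$userRiskPolicy = @{
    displayName     = 'CA - User risk High - MFA and password change'
    state           = 'enabledForReportingButNotEnforced'   # report-only first
    conditions      = @{
        users          = $commonUsers
        applications   = $allApps
        clientAppTypes = @('all')
        userRiskLevels = @('high')
    }
    grantControls   = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
    sessionControls = $everyTime
}

# Sign-in risk policy: Medium or High -> MFA
$signInRiskPolicy = @{
    displayName     = 'CA - Sign-in risk Medium or High - MFA'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users            = $commonUsers
        applications     = $allApps
        clientAppTypes   = @('all')
        signInRiskLevels = @('high', 'medium')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = $everyTime
}

foreach ($p in $userRiskPolicy, $signInRiskPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

Once the report-only sign-in logs look right, switch each policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`.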

Migrate risk policies to Conditional Access

If you have legacy risk policies enabled in Microsoft Entra ID Protection, you should plan to migrate them to Conditional Access:

Warning

The legacy risk policies configured in Microsoft Entra ID Protection will be retired on October 1, 2026.

Migrate to Conditional Access

  1. Create equivalent user risk-based and sign-in risk-based policies in Conditional Access in report-only mode. You can create a policy with the previous steps or using Conditional Access templates based on Microsoft's recommendations and your organizational requirements.
    1. After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
  2. Disable the old risk policies in ID Protection.
    1. Browse to Protection > Identity Protection > Select the User risk or Sign-in risk policy.
    2. Set Enforce policy to Disabled.
  3. Create other risk policies if needed in Conditional Access.

Related content

  • Enable Microsoft Entra multifactor authentication registration policy
  • What is risk
  • Investigate risk detections
  • Simulate risk detections