Configuring and Enabling Risk policies


In this tutorial, we will learn about configuring and enabling risk policies like Sign-in risk policy and User risk policy. Both policies work to automate the response to risk detections in your environment and allow users to self-remediate when risk is detected.

Prerequisites

If your organization wants to allow users to self-remediate when risks are detected, users must be registered for both self-service password reset and Azure Multi-Factor Authentication. We recommend enabling the combined security information registration experience for the best experience. Allowing users to self-remediate gets them back to a productive state without needing administrator intervention. Administrators can still see these events and investigate them after the fact.

Choosing acceptable risk levels

Organizations should decide the level of risk they are willing to accept, balancing user experience and security posture. Microsoft’s recommendation is to set the user risk policy threshold to High and the sign-in risk policy to Medium and above.

Choosing a High threshold reduces the number of times a policy triggers and minimizes the impact on users. However, it excludes low and medium risk detections from the policy, which may not block an attacker from exploiting a compromised identity. Selecting a Low threshold introduces additional user interrupts but increases the security posture.

Exclusions

Any of the policies can exclude users, such as emergency access or break-glass administrator accounts. Organizations should also determine whether additional accounts need to be excluded from certain restrictions based on how they are used. All exclusions must be reviewed on a regular basis to ensure that they are still valid. To reduce false positives, Identity Protection uses configured trusted network locations in some risk detections.
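The threshold trade-off and the effect of exclusions described above can be seen by running the same set of detections through each threshold. This is an added example, not part of the original tutorial and not Microsoft's implementation; the detections, user names, outcome labels and function names are constructed for illustration.

```python
# Simplified model of risk-policy evaluation (illustrative assumption,
# not how Identity Protection is implemented internally).
from collections import Counter

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed sample sign-in risk detections: (user, risk level).
DETECTIONS = [
    ("alice", "low"), ("alice", "medium"), ("bob", "high"),
    ("carol", "low"), ("carol", "low"), ("dave", "medium"),
    ("breakglass-admin", "high"), ("erin", "low"),
]
EXCLUDED = {"breakglass-admin"}  # hypothetical emergency access account


def evaluate(detections, threshold, control, excluded=frozenset()):
    """Count outcomes for a policy that applies `control` to every
    detection at or above `threshold`, skipping excluded users."""
    outcome = Counter()
    for user, level in detections:
        if user in excluded:
            outcome["excluded"] += 1      # policy never applies; review manually
        elif LEVELS[level] >= LEVELS[threshold]:
            outcome[control] += 1         # user is interrupted and self-remediates
        else:
            outcome["not_covered"] += 1   # detection is recorded, no control applied
    return outcome


def compare_thresholds(detections, control, excluded=frozenset()):
    """Evaluate the same detections at each threshold to expose the trade-off."""
    return {t: evaluate(detections, t, control, excluded) for t in LEVELS}


if __name__ == "__main__":
    results = compare_thresholds(DETECTIONS, "require_mfa", EXCLUDED)
    for threshold, result in results.items():
        print(f"{threshold:>6}: {dict(result)}")
```

The "excluded" count stays the same at every threshold, which is why exclusions need their own periodic review: no policy setting will ever act on those accounts.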

Enable policies

To enable the user risk and sign-in risk policies, complete the following steps.

  • Firstly, navigate to the Azure portal.
  • Secondly, browse to Azure Active Directory > Security > Identity Protection > Overview.
  • Then, select User risk policy.

       a. Under Assignments

          Users – Choose All users, or Select individuals and groups if limiting your rollout. Here you also have the option to exclude users from the policy.

          Conditions – User risk: Microsoft’s recommendation is to set this option to High.

       b. Under Controls

          Access – Microsoft’s recommendation is to Allow access and Require password change.

       c. Enforce Policy – On

       d. Save – This action will return you to the Overview page.

  • After that, select Sign-in risk policy.

       a. Under Assignments

          Users – Choose All users, or Select individuals and groups if limiting your rollout. Here you also have the option to exclude users from the policy.

          Conditions – Sign-in risk: Microsoft’s recommendation is to set this option to Medium and above.

       b. Under Controls

          Access – Microsoft’s recommendation is to Allow access and Require multi-factor authentication.

       c. Enforce Policy – On

       d. Save

Reference: Microsoft Documentation
