-
Notifications
You must be signed in to change notification settings - Fork 0
Entra ID Protection
Chad Cox edited this page Mar 21, 2024
·
61 revisions
- This does require Azure AD Premium 2
- Navigate to the Identity Protection Pane
Clear all old user risk prior to enabling any user risk based policy:
- Scripts I wrote to help with this
- Old user risk could lead to unexpected behavior when users signs-in. Ideally all low and medium risk will be cleaned up via script and all high should be reviewed and manually remediated.
Make sure all trusted networks have been identified and created in a trusted name location
- Use the workbook: Workbook: Impact analysis of risk-based access policies to identify non trusted networks that are used by multiple users. Work with network team to make sure they should be trusted.
- If using Zscaler or some other proxy solution with shared IP egresses, refer to Entra ID Protection stop false positive risk caused by Zscaler.
When using federated authentication it is possible to leverage multifactor authentication (supported by Okta, Ping, ADFS and others) to remediate sign-in risk.
- Set federatedIdpMfaBehavior to enforceMfaByFederatedIdp
- #AzureAD Identity Protection adds support for federated identities! - Microsoft Community Hub
To self remediate sign-in risk
- For cloud authentication user must be registered for Azure MFA
- Review Workbook - Impact analysis of risk-based access policies / Risky sign-ins remediated by multifactor authentication - shows users that remediated a sign-in risk by providing MFA.
To self remediate user risk
- Self service password reset and password write back need to be enabled for either cloud authentication and federated authentication.
- Review Workbook - Impact analysis of risk-based access policies / User risk remediated by password reset - shows if any users have changed password that reset a user risk
- MFA does not remediate user risk and could make it so that users are prompted over and over. Consider using a block over requiring MFA.
- User risk policy - should be turned off
- Sign-in risk policy - should be turned off
Migrate risk policies to Conditional Access
- Assignments
- Include: All Users
- Exclude: Breakglass, Exclusion Group
- Controls
- Require Azure AD MFA registration
- Enforce policy: On
- Add users that need to be notified
- Alert on user risk level at or above: Recommended High
- Add users that need to be notified
- Send weekly digest emails: Yes
This is something you should use if you have password hash sync enable, included for federated authentication.
- Allow on-premises password change to reset user risk, select enable
- Remediate User Risks in Microsoft Entra ID Protection Through On-premises Password Changes
- If enabled Review Workbook - Impact analysis of risk-based access policies / User risk remediated by on-premise password change - shows the number of users that have leveraged this feature to remediate a user risk.
This is my current set of recommended risk based conditional access policies. I have written several KQL queries to run in either the log analytics attached to Entra ID or Defender XDR. These queries will help make decisions on certain policies.
- Use when self service password reset and password write back is not enabled on Entra ID tenant.
- Use when wanting to provide most protection to the tenant.
- Requires for someone to research and respond to high users risk as they come in. (Usually Security Operations)
- Allow on-premises password change to reset user risk will help with user risk clean up.
- Recommended by CISA
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All Users Exclude: BreakGlass |
Include: All Cloud Apps | User Risk: high | Block | Sign-in frequency: Every time |
Review Workbook - Impact analysis of risk-based access policies
- Impact summary of recommended risk-based access policies / High risk users not being blocked - Shows the number of users not being blocked by a RBCA.
- Impact details: User risk scenarios / High risk users not being blocked by risk-based access policy - shows list of users that would have been impacted if a RBCA was in place
- Use when self service password reset and password write back is enabled on Entra ID tenant. Including in federation environments
- Should only be allowed from trusted or compliant devices.
- User must be registered and enabled for sspr or they are blocked.
- Recommended by CIS
- Common Conditional Access policy: User risk-based password change
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All Users Exclude: BreakGlass |
Include: All Cloud Apps | User Risk: high | Require password change | Sign-in frequency: Every time |
Review Workbook - Impact analysis of risk-based access policies
- Impact summary of recommended risk-based access policies / High risk users not prompted for password change - Shows the number of users not being prompted to change password with a RBCA.
- Impact details: User risk scenarios / High risk users not being prompted to change password by risk-based access policy - shows list of users that would have been impacted if a RBCA was in place
- Should be used when leveraging the require password change policy. This policy will make sure users not on trusted or compliant devices will be blocked from changing their password.
- Requires for someone to research and respond to high users risk as they come in. (Usually Security Operations)
- Allow on-premises password change to reset user risk will help with user risk clean up.
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All Users Exclude: BreakGlass |
Include: All Cloud Apps | User Risk: high Device Filter: Include All Devices, Exclude isCompliant = True or TrustType = Microsoft Entra hybrid Joined |
Block | Sign-in frequency: Every time |
- Should be used when users are not registered for MFA while using cloud authentication.
- Use when wanting to provide most protection to the tenant.
- Recommended by CISA
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All Users Exclude: BreakGlass |
Include: All Cloud Apps | Sign-in Risk: high | Block | Sign-in frequency: Every time |
Review Workbook - Impact analysis of risk-based access policies
- Impact summary of recommended risk-based access policies / High risk sign-ins not being blocked - Shows the number of users not being blocked by a RBCA.
- Impact details: Sign-in risk policy scenarios / High risk sign-ins not being blocked by risk-based access policy - shows list of users that would have been impacted if RBCA was in place
- Should be used when users are registered for MFA while using cloud authentication.
- Is supported when using a federated IDP like Ping, Okta, ADFS, or Duo when enforceMfaByFederatedIdp is set
- Recommended by CIS
- Common Conditional Access policy: Sign-in risk-based multifactor authentication
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All Users Exclude: BreakGlass |
Include: All Cloud Apps | Sign-in Risk: high, Medium | Require Multifactor | Sign-in Frequency: Every time |
Review Workbook - Impact analysis of risk-based access policies
- Impact summary of recommended risk-based access policies / High risk sign-ins not remediated using multifactor authentication - Shows the number of users not being prompted to MFA by a RBCA.
- Impact details: Sign-in risk policy scenarios / High risk sign-ins not self-remediating using multifactor authentication by risk-based access policy - shows list of users that would have been impacted if RBCA was in place
- Use when wanting to provide most protection to the tenant.
- Should be set even with federated authentication to protect poorly managed in cloud accounts like shared mailboxes.
- Goal is to prevent a user from being able to register security information with any kind of sign-in risk.
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All Users Exclude: Guest, BreakGlass |
User actions: Register Security Information |
Sign-in Risk: low, medium, high |
Block | Sign-in frequency: Every time |
- Use when wanting to provide most protection to the tenant.
- If any chance there is a sign-in risk when a users is trying to manage a component of Microsoft 365 or Azure they should be blocked.
- Will need to work with a peer to clear the risk.
- Here is the list of applications affected by this policy
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All users Exclude: BreakGlass |
Include: Microsoft Admin Portals, Windows Azure Service Management API |
Sign-in Risk: low, medium, high |
Block | Sign-in frequency: Every time |
- Use when wanting to provide most protection to the tenant.
- Privileged Role Members = Directory Roles (Application Administrator,Authentication Administrator,Cloud Application Administrator,Conditional Access Administrator,Exchange Administrator,Global Administrator,Helpdesk Administrator,Hybrid Identity Administrator,Password Administrator,Privileged Authentication Administrator,Privileged Role Administrator,Security Administrator,SharePoint Administrator,User Administrator)
- Include the directory sync account - Directory Role (Directory Sync Account)
- Will need to work with a peer to clear the risk.
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: Role - privileged roles Exclude: BreakGlass |
Include: All Cloud Apps | Sign-in Risk: low, medium, high | Block | Sign-in frequency: Every time |
- Use when wanting to provide most protection to the tenant.
- Privileged Role Members = Directory Roles (Application Administrator,Authentication Administrator,Cloud Application Administrator,Conditional Access Administrator,Exchange Administrator,Global Administrator,Helpdesk Administrator,Hybrid Identity Administrator,Password Administrator,Privileged Authentication Administrator,Privileged Role Administrator,Security Administrator,SharePoint Administrator,User Administrator)
- Include the directory sync account - Directory Role (Directory Sync Account)
- Will need to work with a peer to clear the risk.
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: Role - privileged roles Exclude: BreakGlass |
Include: All Cloud Apps | User Risk: low, medium, high | Block | Sign-in frequency: Every time |
- Use when wanting to provide most protection to the tenant.
- Goal is to prevent a user from being able to register a device with any kind of sign-in risk.
| Users | Cloud Apps or Actions | Conditions | Grant | Session |
|---|---|---|---|---|
| Include: All Users Exclude: Guest, BreakGlass |
Include: Microsoft Intune Enrollment | Sign-in Risk: low, medium, high |
Block | Sign-in frequency: Every time |