articles/active-directory/identity-protection/concept-identity-protection-policies.md
10 additions & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: identity-protection
8
8
ms.topic: conceptual
9
-
ms.date: 09/19/2022
9
+
ms.date: 10/03/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -25,9 +25,9 @@ Azure AD Conditional Access offers two risk conditions: **Sign-in risk** and **U
25
25
26
26
For example, as shown in the diagram below, if you have a sign-in risk policy that requires multifactor authentication when the sign-in risk level is medium or high, then the user must pass that access control if their sign-in session is detected to be at high risk.
27
27
28
-

28
+

29
29
30
-
The example above also demonstrates a main benefit of risk-based policy: **automatic risk remediation**. When a user successfully completes the required access control that verified their identity, their risk will be automatically remediated. That sign-in session and their user account will not be at risk, and no action is needed from the administrator.
30
+
The example above also demonstrates a main benefit of risk-based policy: **automatic risk remediation**. When a user successfully completes the required access control that verified their identity, their risk will be automatically remediated. That sign-in session and their user account won't be at risk, and no action is needed from the administrator.
31
31
32
32
Automatic risk remediation will significantly reduce the risk investigation and remediation burden on the administrators while protecting your organizations from security compromises.
33
33
More information about risk as a condition in a Conditional Access policy can be found in the article, [Conditional Access: Conditions](../conditional-access/concept-conditional-access-conditions.md#sign-in-risk)
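Review bot: the changed line 28 renders blank in both the old and new version here, so whatever changed on it (the diagram the preceding paragraph refers to with "as shown in the diagram below") can't be reviewed from this view; confirm the image path and alt text still resolve and that the alt text describes the MFA-required-at-medium-or-high-risk flow the paragraph describes. The "will not" to "won't" change at line 30 is the only visible edit in this hunk and is fine.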
@@ -47,7 +47,6 @@ If risks are detected on a sign-in, users can perform the required access contro
47
47
> [!NOTE]
48
48
> Users must have previously registered for Azure AD Multifactor Authentication before triggering the sign-in risk policy.
49
49
50
-
51
50
## User risk-based Conditional Access policy
52
51
53
52
Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions for their risk. User risk level is a calculation of probability that an identity has been compromised. If a user has risky sign-ins or there are risks such as leaked credentials detected on their account, then the user account is at risk with a user risk level calculated by Identity Protection. Administrators can create a User risk-based Conditional Access policy to specify what access control to apply based when the user is at risk to enforce organizational requirements: block access, allow access, or allow access but require a secure password change using [Azure AD self-service password reset](../authentication/howto-sspr-deployment.md).
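Review bot: dropping old line 50 leaves a single blank line between the note block and the heading, which is correct. While you're in this section, the context paragraph at line 52 has a grammatical slip: "specify what access control to apply based when the user is at risk" should read "specify what access control to apply when the user is at risk".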
@@ -58,13 +57,15 @@ A secure password change will remediate the user risk and close the risky user e
58
57
> Users must have previously registered for self-service password reset before triggering the user risk policy.
59
58
60
59
## Identity Protection policies
60
+
61
61
While Identity Protection also offers a user interface for creating user risk policy and sign-in risk policy, we highly recommend that you use Azure AD Conditional Access to create risk-based access policies for the following benefits:
62
-
- Rich set of conditions to control access: Conditional Access offers a rich set of conditions such as applications and locations for configuration. The risk conditions can be used in combination with other conditions to create policies that best enforce your organizational requirements.
63
-
- Multiple risk-based policies can be put in place to target different user groups or apply different access control for different risk levels.
64
-
- Conditional Access policies can be created through Microsoft Graph API and can be tested first in report-only mode.
65
-
- Manage all access policies in one place in Conditional Access.
66
-
If you already have Identity Protection risk policies set up, we encourage you to migrate them to Conditional Access.
67
62
63
+
- Rich set of conditions to control access: Conditional Access offers a rich set of conditions such as applications and locations for configuration. The risk conditions can be used in combination with other conditions to create policies that best enforce your organizational requirements.
64
+
- Multiple risk-based policies can be put in place to target different user groups or apply different access control for different risk levels.
65
+
- Conditional Access policies can be created through Microsoft Graph API and can be tested first in report-only mode.
66
+
- Manage all access policies in one place in Conditional Access.
67
+
68
+
If you already have Identity Protection risk policies set up, we encourage you to migrate them to Conditional Access.
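Review bot: moving "If you already have Identity Protection risk policies set up..." from before the bullet list (old line 66) to after it (new line 68) fixes the flow, since the sentence previously split the recommendation from its list of benefits. Two small follow-ups: the blank lines now inserted between each bullet turn this into a loose Markdown list, which renders with extra paragraph spacing and differs from the tight lists elsewhere in the file, so consider keeping the bullets contiguous; and "created through Microsoft Graph API" at line 65 reads better as "created through the Microsoft Graph API".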
As we learned in the previous article, [Identity Protection policies](concept-identity-protection-policies.md), there're two types of risk policies in Azure AD Conditional Access you can set up to automate the response to risks and allow users to self-remediate when risk is detected:
20
+
As we learned in the previous article, [Identity Protection policies](concept-identity-protection-policies.md), there are two types of risk policies in Azure Active Directory (Azure AD) Conditional Access you can set up to automate the response to risks and allow users to self-remediate when risk is detected:
21
21
22
22
- Sign-in risk policy
23
23
- User risk policy
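Review bot: this hunk's `@@` header and its diff file header are missing from this view, so the line range and target file can't be checked here; from the content it is a different file from concept-identity-protection-policies.md, since it links to that article as "the previous article". The visible change ("there're" to "there are", and spelling out Azure Active Directory (Azure AD) at first use) is correct; make sure this is the first use in the article, otherwise the expansion belongs at the earlier occurrence.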
@@ -45,7 +45,7 @@ Microsoft recommends the below risk policy configurations to protect your organi
45
45
- Sign-in risk policy
46
46
- Require Azure AD MF when sign-in risk level is **Medium** or **High**, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.
47
47
48
-
Requiring access control when risk level is low will introduce more user interupts. Choosing to block access rather than allowing self-remediation options, like secure password reset and multi-factor authentication, will impact your users and administrators. Weigh these choices when configuring your policies.
48
+
Requiring access control when risk level is low will introduce more user interrupts. Choosing to block access rather than allowing self-remediation options, like secure password reset and multi-factor authentication, will impact your users and administrators. Weigh these choices when configuring your policies.
49
49
50
50
> [!WARNING]
51
51
> Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.
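Review bot: the "interupts" to "interrupts" fix is correct, but the context line 46 just above still reads "Require Azure AD MF when sign-in risk level is **Medium** or **High**", which should be "Azure AD MFA" (the warning at line 51 uses "Azure AD MFA"). The same paragraph at line 48 writes "multi-factor authentication" while the concept article's hunk above uses "multifactor authentication"; pick one spelling across the two articles.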
@@ -64,7 +64,7 @@ Before organizations enable remediation policies, they may want to [investigate]
64
64
65
65
### User risk policy in Conditional Access
66
66
67
-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
67
+
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
68
68
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
69
69
1. Select **New policy**.
70
70
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
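Review bot: reordering the roles at line 67 to lead with Conditional Access Administrator puts the least-privileged role first, which is the right guidance for a step that only needs to create a policy; the same reordering is applied to the sign-in risk procedure below, so the two procedures stay consistent.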
@@ -83,12 +83,14 @@ Before organizations enable remediation policies, they may want to [investigate]
83
83
1. Select **Sign-in frequency**.
84
84
1. Ensure **Every time** is selected.
85
85
1. Select **Select**.
86
-
1. Confirm your settings, and set **Enable policy** to **On**.
86
+
1. Confirm your settings and set **Enable policy** to **Report-only**.
87
87
1. Select **Create** to create to enable your policy.
88
88
89
+
After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
90
+
89
91
### Sign-in risk policy in Conditional Access
90
92
91
-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
93
+
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
92
94
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
93
95
1. Select **New policy**.
94
96
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
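Review bot: switching the default to **Report-only** at line 86 and adding the follow-up sentence at line 89 is the right change, since a risk policy that blocks users or forces password resets should be validated before it is enforced. Two issues remain: line 87, "Select **Create** to create to enable your policy", is garbled and is now also wrong, because a report-only policy isn't enabled; suggest "Select **Create** to create your policy." Also, the added blank line at new line 90 sits next to the existing blank context line, leaving two blank lines before the "### Sign-in risk policy in Conditional Access" heading; drop one of them.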
@@ -107,9 +109,11 @@ Before organizations enable remediation policies, they may want to [investigate]
107
109
1. Select **Sign-in frequency**.
108
110
1. Ensure **Every time** is selected.
109
111
1. Select **Select**.
110
-
1. Confirm your settings and set **Enable policy** to **On**.
112
+
1. Confirm your settings and set **Enable policy** to **Report-only**.
111
113
1. Select **Create** to create to enable your policy.
112
114
115
+
After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
116
+
113
117
## Migrate risk policies from Identity Protection to Conditional Access
114
118
115
119
While Identity Protection also provides two risk policies with limited conditions, we highly recommend setting up risk-based policies in Conditional Access for the following benefits:
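Review bot: same two issues as in the user risk procedure above: line 113 "Select **Create** to create to enable your policy" should become "Select **Create** to create your policy" now that the policy starts in Report-only, and the added blank line at new line 116 doubles up with the blank context line before the migration heading. Otherwise the change mirrors the user risk hunk correctly.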
@@ -120,93 +124,19 @@ While Identity Protection also provides two risk policies with limited condition
120
124
- Use more Conditional Access attributes like sign-in frequency in the policy
121
125
122
126
If you already have risk policies enabled in Identity Protection, we highly recommend that you migrate them to Conditional Access:
123
-
1. Create an equivalent risk policy in Conditional Access in report-only mode.
124
-
2. Ensure that the new Conditional Access risk policy works as expected by testing it in report-only mode.
125
-
3. Enable the new Conditional Access risk policy. You can choose to have it running for a period of time to ensure that it is working as expected before turning the Identity Protection risk policies off.
126
-
4. Disable the old risk policies in Identity Protection.
127
-
5. Create additional risk policies if needed in Conditional Access.
128
-
129
-
Specific steps for the migration are listed below.
130
-
131
-
### Migrate User risk policy to Conditional Access
132
-
133
-
Example
134
-
135
-

136
-
137
-
#### Step 1 Create an equivalent user risk policy in Report-only mode Conditional Access
138
-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
139
-
2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
140
-
3. Select **New policy**.
141
-
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
142
-
5. Under **Assignments**, select **Users or workload identities**.
143
-
1. Under **What does this policy apply to?**, select **Users and groups**
144
-
2. Under **Include**, select users and groups that are included in your current user risk policy in Identity Protection
145
-
3. Under **Exclude**, select select users and groups that are excluded from your current user risk policy
146
-
4. Select **Done**.
147
-
6. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
148
-
7. Under **Conditions** > **User risk**, set **Configure** to **Yes**.
149
-
1. Under **Configure user risk levels needed for policy to be enforced**, select the risk levels that match the configuration in your current user risk policy
150
-
1. Select **Done**.
151
-
8. Under **Access controls** > **Grant**.
152
-
1. Select **Grant access**, select the access control that matches the configuration in your current user risk policy
153
-
1. Select **Select**.
154
-
9. Under **Session**.
155
-
1. Select **Sign-in frequency**.
156
-
1. Ensure **Every time** is selected.
157
-
1. Select **Select**.
158
-
10. Confirm your settings, and set **Enable policy** to **Report-only**.
159
-
11. Select **Create** to create to enable your policy in Report-only mode.
160
-
12. Test your new Conditional Access policy in Report-only mode to ensure that it is working as expected
161
-
162
-
#### Step 2 Enable the new Conditional Access user risk policy
163
-
13. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.
164
-
14. Select this new policy to edit it.
165
-
15. Set **Enable policy** to **On** to turn the policy on
166
-
167
-
#### Step 3 Turn off your old user risk policy in Identity Protection
168
-
16. Browse to **Azure Active Directory** > **Identity Protection** > **User risk policy**
169
-
17. Set **Enforce policy** to **Off**
170
-
171
-
172
-
### Migrate Sign-in risk policy to Conditional Access
173
-
174
-
Example
175
-
176
-

177
-
178
-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
179
-
2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
180
-
3. Select **New policy**.
181
-
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
182
-
5. Under **Assignments**, select **Users or workload identities**.
183
-
1. Under **What does this policy apply to?**, select **Users and groups**
184
-
2. Under **Include**, select users and groups that are included in your current sign-in risk policy in Identity Protection
185
-
3. Under **Exclude**, select users and groups that are excluded from your current sign-in risk policy
186
-
4. Select **Done**.
187
-
6. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
188
-
7. Under **Conditions** > **Sign-in risk**, set **Configure** to **Yes**.
189
-
1. Under **Select the sign-in risk level this policy will apply to**. Select the risk levels that match the configuration in your current sign-in risk policy
190
-
1. Select **Done**.
191
-
8. Under **Access controls** > **Grant**.
192
-
1. Select **Grant access**, select the access control that matches the configuration in your current sign-in risk policy
193
-
1. Select **Select**.
194
-
9. Under **Session**.
195
-
1. Select **Sign-in frequency**.
196
-
1. Ensure **Every time** is selected.
197
-
1. Select **Select**.
198
-
10. Confirm your settings and set **Enable policy** to **Report-only**.
199
-
11. Select **Create** to create to enable your policy.
200
-
201
-
#### Step 2 Enable the new Conditional Access sign-in risk policy
202
-
13. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.
203
-
14. Select this new policy to edit it.
204
-
15. Set **Enable policy** to **On** to turn the policy on
205
-
206
-
#### Step 3 Turn off your old sign-in risk policy in Identity Protection
207
-
16. Browse to **Azure Active Directory** > **Identity Protection** > **Sign-in risk policy**
208
-
17. Set **Enforce policy** to **Off**
209
127
128
+

129
+
130
+
1. Create an equivalent risk policy in [Conditional Access in report-only mode](#enable-policies).
131
+
1. Ensure that the new Conditional Access risk policy works as expected by testing it in [report-only mode](howto-conditional-access-insights-reporting.md).
132
+
1. Enable the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.
133
+
1. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.
134
+
1. Select this new policy to edit it.
135
+
1. Set **Enable policy** to **On** to enable the policy
136
+
1. Disable the old risk policies in Identity Protection.
137
+
1. Browse to **Azure Active Directory** > **Identity Protection** > Select the **User risk** or **Sign-in risk** policy.
138
+
1. Set **Enforce policy** to **Off**
139
+
1. Create other risk policies if needed in Conditional Access.
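Review bot: the consolidated procedure drops the detailed per-policy mapping steps (which users, risk levels and grant controls to copy from the Identity Protection policy) and points to "[Conditional Access in report-only mode](#enable-policies)" instead; no "Enable policies" heading is visible in this diff, so confirm that anchor exists in the file, otherwise readers migrating a policy lose both the walkthrough and the link. Also verify that the nested items under steps 3 and 4 (new lines 133-135 and 137-138) are indented as sub-steps in the source, since the rendered view doesn't show indentation and an unindented "1." would renumber them as top-level steps. Finally, new line 128 renders blank here, like the removed lines 135 and 176 that held the two "Example" images; confirm what it contains and that the media files for the removed images are cleaned up.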