
Commit 02d01ca

Edits
1 parent 7b1bc17 commit 02d01ca


2 files changed

+33
-102
lines changed


articles/active-directory/identity-protection/concept-identity-protection-policies.md

Lines changed: 10 additions & 9 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: identity-protection
88
ms.topic: conceptual
9-
ms.date: 09/19/2022
9+
ms.date: 10/03/2022
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -25,9 +25,9 @@ Azure AD Conditional Access offers two risk conditions: **Sign-in risk** and **U
2525

2626
For example, as shown in the diagram below, if you have a sign-in risk policy that requires multifactor authentication when the sign-in risk level is medium or high, then the user must pass that access control if their sign-in session is detected to be at high risk.
2727

28-
![Risk-based Conditional Access policy example diagram](./media/concept-identity-protection-policies/risk-based-conditional-access-policy-example.png)
28+
![Risk-based Conditional Access policy auto-remediation example diagram](./media/concept-identity-protection-policies/risk-based-conditional-access-policy-example.png)
2929

30-
The example above also demonstrates a main benefit of risk-based policy: **automatic risk remediation**. When a user successfully completes the required access control that verified their identity, their risk will be automatically remediated. That sign-in session and their user account will not be at risk, and no action is needed from the administrator.
30+
The example above also demonstrates a main benefit of risk-based policy: **automatic risk remediation**. When a user successfully completes the required access control that verified their identity, their risk will be automatically remediated. That sign-in session and their user account won't be at risk, and no action is needed from the administrator.
3131

3232
Automatic risk remediation will significantly reduce the risk investigation and remediation burden on the administrators while protecting your organizations from security compromises.
3333
More information about risk as a condition in a Conditional Access policy can be found in the article, [Conditional Access: Conditions](../conditional-access/concept-conditional-access-conditions.md#sign-in-risk)
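Review bot: the new alt text at 28+ ("auto-remediation example diagram") describes only the second thing the figure illustrates, while the sentence that introduces the image (26) presents it as the MFA-on-medium-or-high example; since the image file itself is unchanged, an alt text that names both, e.g. `Diagram of a risk-based Conditional Access policy that requires MFA at medium or high sign-in risk and automatically remediates the risk`, would serve screen-reader users better than either wording alone. The `will not` to `won't` change at 30+ is purely stylistic and fine.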
@@ -47,7 +47,6 @@ If risks are detected on a sign-in, users can perform the required access contro
4747
> [!NOTE]
4848
> Users must have previously registered for Azure AD Multifactor Authentication before triggering the sign-in risk policy.
4949
50-
5150
## User risk-based Conditional Access policy
5251

5352
Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions for their risk. User risk level is a calculation of probability that an identity has been compromised. If a user has risky sign-ins or there are risks such as leaked credentials detected on their account, then the user account is at risk with a user risk level calculated by Identity Protection. Administrators can create a User risk-based Conditional Access policy to specify what access control to apply based when the user is at risk to enforce organizational requirements: block access, allow access, or allow access but require a secure password change using [Azure AD self-service password reset](../authentication/howto-sspr-deployment.md).
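Review bot: this hunk only drops a blank line, but the unchanged context line 52 still carries a grammatical error: "to specify what access control to apply based when the user is at risk" should read "to specify what access control to apply when the user is at risk" (drop "based"). Worth fixing while the file is being touched.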
@@ -58,13 +57,15 @@ A secure password change will remediate the user risk and close the risky user e
5857
> Users must have previously registered for self-service password reset before triggering the user risk policy.
5958
6059
## Identity Protection policies
60+
6161
While Identity Protection also offers a user interface for creating user risk policy and sign-in risk policy, we highly recommend that you use Azure AD Conditional Access to create risk-based access policies for the following benefits:
62-
- Rich set of conditions to control access: Conditional Access offers a rich set of conditions such as applications and locations for configuration. The risk conditions can be used in combination with other conditions to create policies that best enforce your organizational requirements.
63-
- Multiple risk-based policies can be put in place to target different user groups or apply different access control for different risk levels.
64-
- Conditional Access policies can be created through Microsoft Graph API and can be tested first in report-only mode.
65-
- Manage all access policies in one place in Conditional Access.
66-
If you already have Identity Protection risk policies set up, we encourage you to migrate them to Conditional Access.
6762

63+
- Rich set of conditions to control access: Conditional Access offers a rich set of conditions such as applications and locations for configuration. The risk conditions can be used in combination with other conditions to create policies that best enforce your organizational requirements.
64+
- Multiple risk-based policies can be put in place to target different user groups or apply different access control for different risk levels.
65+
- Conditional Access policies can be created through Microsoft Graph API and can be tested first in report-only mode.
66+
- Manage all access policies in one place in Conditional Access.
67+
68+
If you already have Identity Protection risk policies set up, we encourage you to migrate them to Conditional Access.
6869

6970
## Azure AD MFA registration policy
7071
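Review bot: moving "If you already have Identity Protection risk policies set up..." below the bullet list (68+) with a blank line before it fixes a real rendering problem: in the old layout the sentence followed the last bullet with no blank line, so Markdown would treat it as a lazy continuation of "Manage all access policies in one place in Conditional Access." Since the sentence now asks the reader to migrate, consider linking it to the migration section of the howto changed in this same commit, e.g. `[migrate them to Conditional Access](howto-identity-protection-configure-risk-policies.md#migrate-risk-policies-from-identity-protection-to-conditional-access)`, so the reader is not left to find the procedure themselves.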

articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md

Lines changed: 23 additions & 93 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: identity-protection
88
ms.topic: how-to
9-
ms.date: 09/22/2022
9+
ms.date: 10/03/2022
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Configure and enable risk policies
1919

20-
As we learned in the previous article, [Identity Protection policies](concept-identity-protection-policies.md), there're two types of risk policies in Azure AD Conditional Access you can set up to automate the response to risks and allow users to self-remediate when risk is detected:
20+
As we learned in the previous article, [Identity Protection policies](concept-identity-protection-policies.md), there are two types of risk policies in Azure Active Directory (Azure AD) Conditional Access you can set up to automate the response to risks and allow users to self-remediate when risk is detected:
2121

2222
- Sign-in risk policy
2323
- User risk policy
@@ -45,7 +45,7 @@ Microsoft recommends the below risk policy configurations to protect your organi
4545
- Sign-in risk policy
4646
- Require Azure AD MF when sign-in risk level is **Medium** or **High**, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.
4747

48-
Requiring access control when risk level is low will introduce more user interupts. Choosing to block access rather than allowing self-remediation options, like secure password reset and multi-factor authentication, will impact your users and administrators. Weigh these choices when configuring your policies.
48+
Requiring access control when risk level is low will introduce more user interrupts. Choosing to block access rather than allowing self-remediation options, like secure password reset and multi-factor authentication, will impact your users and administrators. Weigh these choices when configuring your policies.
4949

5050
> [!WARNING]
5151
> Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.
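Review bot: the typo fix at 48+ ("interrupts") leaves two more in the unchanged context of this hunk: line 46 reads "Require Azure AD MF when sign-in risk level is **Medium** or **High**" and should say "Azure AD MFA", and the paragraph at 48+ spells it "multi-factor authentication" while the concept article in this commit uses "multifactor authentication" (line 26 there); pick one spelling for both files.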
@@ -64,7 +64,7 @@ Before organizations enable remediation policies, they may want to [investigate]
6464

6565
### User risk policy in Conditional Access
6666

67-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
67+
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
6868
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
6969
1. Select **New policy**.
7070
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
@@ -83,12 +83,14 @@ Before organizations enable remediation policies, they may want to [investigate]
8383
1. Select **Sign-in frequency**.
8484
1. Ensure **Every time** is selected.
8585
1. Select **Select**.
86-
1. Confirm your settings, and set **Enable policy** to **On**.
86+
1. Confirm your settings and set **Enable policy** to **Report-only**.
8787
1. Select **Create** to create to enable your policy.
8888

89+
After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
90+
8991
### Sign-in risk policy in Conditional Access
9092

91-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
93+
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
9294
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
9395
1. Select **New policy**.
9496
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
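Review bot: with 86+ now telling the reader to set **Enable policy** to **Report-only**, the next unchanged step (87, `Select **Create** to create to enable your policy.`) is wrong as well as repetitive: a report-only policy is evaluated and logged but not enforced, so it should read `Select **Create** to create your policy.`; the new sentence at 89+ already covers the later move to **On**. Also check the relative link at 89+: `howto-conditional-access-insights-reporting.md` resolves inside `articles/active-directory/identity-protection/`, whereas the other link to a Conditional Access article in this commit (concept article, line 33) uses `../conditional-access/...`; if the insights article lives in that folder, this link is broken. The role reordering at 93+ (least-privileged role first) matches the same change at 67+ above, which is good.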
@@ -107,9 +109,11 @@ Before organizations enable remediation policies, they may want to [investigate]
107109
1. Select **Sign-in frequency**.
108110
1. Ensure **Every time** is selected.
109111
1. Select **Select**.
110-
1. Confirm your settings and set **Enable policy** to **On**.
112+
1. Confirm your settings and set **Enable policy** to **Report-only**.
111113
1. Select **Create** to create to enable your policy.
112114

115+
After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
116+
113117
## Migrate risk policies from Identity Protection to Conditional Access
114118

115119
While Identity Protection also provides two risk policies with limited conditions, we highly recommend setting up risk-based policies in Conditional Access for the following benefits:
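Review bot: same two issues as in the user risk section: line 113 (`Select **Create** to create to enable your policy.`) should become `Select **Create** to create your policy.` now that 112+ sets **Report-only**, and the relative link at 115+ needs the same folder check as the one at 89+.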
@@ -120,93 +124,19 @@ While Identity Protection also provides two risk policies with limited condition
120124
- Use more Conditional Access attributes like sign-in frequency in the policy
121125

122126
If you already have risk policies enabled in Identity Protection, we highly recommend that you migrate them to Conditional Access:
123-
1. Create an equivalent risk policy in Conditional Access in report-only mode.
124-
2. Ensure that the new Conditional Access risk policy works as expected by testing it in report-only mode.
125-
3. Enable the new Conditional Access risk policy. You can choose to have it running for a period of time to ensure that it is working as expected before turning the Identity Protection risk policies off.
126-
4. Disable the old risk policies in Identity Protection.
127-
5. Create additional risk policies if needed in Conditional Access.
128-
129-
Specific steps for the migration are listed below.
130-
131-
### Migrate User risk policy to Conditional Access
132-
133-
Example
134-
135-
![Migrate user risk policy to Conditional Access](./media/howto-identity-protection-configure-risk-policies/user-risk-policy-migration-to-CA.png)
136-
137-
#### Step 1 Create an equivalent user risk policy in Report-only mode Conditional Access
138-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
139-
2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
140-
3. Select **New policy**.
141-
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
142-
5. Under **Assignments**, select **Users or workload identities**.
143-
1. Under **What does this policy apply to?**, select **Users and groups**
144-
2. Under **Include**, select users and groups that are included in your current user risk policy in Identity Protection
145-
3. Under **Exclude**, select select users and groups that are excluded from your current user risk policy
146-
4. Select **Done**.
147-
6. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
148-
7. Under **Conditions** > **User risk**, set **Configure** to **Yes**.
149-
1. Under **Configure user risk levels needed for policy to be enforced**, select the risk levels that match the configuration in your current user risk policy
150-
1. Select **Done**.
151-
8. Under **Access controls** > **Grant**.
152-
1. Select **Grant access**, select the access control that matches the configuration in your current user risk policy
153-
1. Select **Select**.
154-
9. Under **Session**.
155-
1. Select **Sign-in frequency**.
156-
1. Ensure **Every time** is selected.
157-
1. Select **Select**.
158-
10. Confirm your settings, and set **Enable policy** to **Report-only**.
159-
11. Select **Create** to create to enable your policy in Report-only mode.
160-
12. Test your new Conditional Access policy in Report-only mode to ensure that it is working as expected
161-
162-
#### Step 2 Enable the new Conditional Access user risk policy
163-
13. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.
164-
14. Select this new policy to edit it.
165-
15. Set **Enable policy** to **On** to turn the policy on
166-
167-
#### Step 3 Turn off your old user risk policy in Identity Protection
168-
16. Browse to **Azure Active Directory** > **Identity Protection** > **User risk policy**
169-
17. Set **Enforce policy** to **Off**
170-
171-
172-
### Migrate Sign-in risk policy to Conditional Access
173-
174-
Example
175-
176-
![Migrate sign-in risk policy to Conditional Access](./media/howto-identity-protection-configure-risk-policies/sign-in-risk-policy-migration-to-CA.png)
177-
178-
1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
179-
2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
180-
3. Select **New policy**.
181-
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
182-
5. Under **Assignments**, select **Users or workload identities**.
183-
1. Under **What does this policy apply to?**, select **Users and groups**
184-
2. Under **Include**, select users and groups that are included in your current sign-in risk policy in Identity Protection
185-
3. Under **Exclude**, select users and groups that are excluded from your current sign-in risk policy
186-
4. Select **Done**.
187-
6. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
188-
7. Under **Conditions** > **Sign-in risk**, set **Configure** to **Yes**.
189-
1. Under **Select the sign-in risk level this policy will apply to**. Select the risk levels that match the configuration in your current sign-in risk policy
190-
1. Select **Done**.
191-
8. Under **Access controls** > **Grant**.
192-
1. Select **Grant access**, select the access control that matches the configuration in your current sign-in risk policy
193-
1. Select **Select**.
194-
9. Under **Session**.
195-
1. Select **Sign-in frequency**.
196-
1. Ensure **Every time** is selected.
197-
1. Select **Select**.
198-
10. Confirm your settings and set **Enable policy** to **Report-only**.
199-
11. Select **Create** to create to enable your policy.
200-
201-
#### Step 2 Enable the new Conditional Access sign-in risk policy
202-
13. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.
203-
14. Select this new policy to edit it.
204-
15. Set **Enable policy** to **On** to turn the policy on
205-
206-
#### Step 3 Turn off your old sign-in risk policy in Identity Protection
207-
16. Browse to **Azure Active Directory** > **Identity Protection** > **Sign-in risk policy**
208-
17. Set **Enforce policy** to **Off**
209127

128+
![Screenshots showing the migration of a user risk policy to Conditional Access](./media/howto-identity-protection-configure-risk-policies/user-risk-policy-migration-to-CA.png)
129+
130+
1. Create an equivalent risk policy in [Conditional Access in report-only mode](#enable-policies).
131+
1. Ensure that the new Conditional Access risk policy works as expected by testing it in [report-only mode](howto-conditional-access-insights-reporting.md).
132+
1. Enable the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.
133+
1. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.
134+
1. Select this new policy to edit it.
135+
1. Set **Enable policy** to **On** to enable the policy
136+
1. Disable the old risk policies in Identity Protection.
137+
1. Browse to **Azure Active Directory** > **Identity Protection** > Select the **User risk** or **Sign-in risk** policy.
138+
1. Set **Enforce policy** to **Off**
139+
1. Create other risk policies if needed in Conditional Access.
210140

211141
## Next steps
212142
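Review bot: the condensed procedure at 130+ to 139+ loses the part of the old steps that mattered for security: the removed sub-steps (old 142 to 153 and 182 to 193) spelled out that "equivalent" means the **Include** and **Exclude** users and groups, the risk levels, and the grant control must match the existing Identity Protection policy. Without that, a reader can build a Conditional Access policy that covers fewer users or different risk levels, and turning off the Identity Protection policy at 137+ and 138+ then silently opens a gap; one sentence after 130+ listing those three settings would restore it. Three smaller points: the anchor `#enable-policies` at 130+ must match an existing heading in this file (the only headings visible in this diff are "User risk policy in Conditional Access" and "Sign-in risk policy in Conditional Access", so verify that an "Enable policies" heading exists); the sign-in risk screenshot `sign-in-risk-policy-migration-to-CA.png` (old 176) is no longer referenced anywhere and should either be deleted from `media/` or kept in the text; and 135+ and 138+ lack the terminating period the other steps have.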
