articles/active-directory/authentication/tutorial-risk-based-sspr-mfa.md
10 additions & 10 deletions
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: authentication
8
8
ms.topic: tutorial
9
-
ms.date: 05/08/2020
9
+
ms.date: 05/11/2020
10
10
11
11
ms.author: iainfou
12
12
author: iainfoulds
@@ -41,7 +41,7 @@ To complete this tutorial, you need the following resources and privileges:
41
41
42
42
## Overview of Azure AD Identity Protection
43
43
44
-
Each day, Microsoft collects and analyses trillions of anonymized signals as part of user sign-in attempts. These signals help build patterns of good user sign-in behavior, and identify potential risky sign-in attempts. Azure AD Identity Protection can review user sign-in attempts and take additional action if there's suspicious behavior.
44
+
Each day, Microsoft collects and analyses trillions of anonymized signals as part of user sign-in attempts. These signals help build patterns of good user sign-in behavior, and identify potential risky sign-in attempts. Azure AD Identity Protection can review user sign-in attempts and take additional action if there's suspicious behavior:
45
45
46
46
Some of the following actions may trigger Azure AD Identity Protection risk detection:
47
47
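Review bot: The colon that now ends the paragraph at new line 44 ("...take additional action if there's suspicious behavior:") introduces nothing, because the next paragraph at line 46 is its own lead-in ("Some of the following actions may trigger Azure AD Identity Protection risk detection:") and carries the bullet list. Keep the period at line 44, or merge the two sentences so that only one lead-in precedes the bullets. Since the line is touched anyway, "analyses" could be aligned with the US spelling used in the same sentence ("behavior").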
@@ -52,7 +52,7 @@ Some of the following actions may trigger Azure AD Identity Protection risk dete
52
52
* Sign-ins from IP addresses with suspicious activity.
53
53
* Sign-ins from unfamiliar locations.
54
54
55
-
The following three policies are available in Azure AD Identity Protection to protect users and respond to suspicious activity. You can choose to turn the policy enforcement on or off, select users or groups for the policy to apply to, and if you want to block access at sign-in or prompt for additional action.
55
+
The following three policies are available in Azure AD Identity Protection to protect users and respond to suspicious activity. You can choose to turn the policy enforcement on or off, select users or groups for the policy to apply to, and decide if you want to block access at sign-in or prompt for additional action.
56
56
57
57
* User risk policy
58
58
* Identifies and responds to user accounts that may have compromised credentials. Can prompt the user to create a new password.
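Review bot: At new line 55, "and decide if you want to block access at sign-in or prompt for additional action" reads as a condition rather than a choice between two responses. Suggest "and decide whether to block access at sign-in or prompt for additional action", which also keeps the three verbs (turn, select, decide) parallel.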
@@ -61,9 +61,9 @@ The following three policies are available in Azure AD Identity Protection to pr
61
61
* MFA registration policy
62
62
* Makes sure users are registered for Azure Multi-Factor Authentication. If a sign-in risk policy prompts for MFA, the user must already be registered for Azure Multi-Factor Authentication.
63
63
64
-
When you enable a policy user or sign in risk policy, you can also choose the threshold for risk level - low and above, medium and above, or high. This flexibility lets you decide how aggressive you want to be in enforcing any controls for suspicious sign-in events.
64
+
When you enable a policy user or sign in risk policy, you can also choose the threshold for risk level - *low and above*, *medium and above*, or *high*. This flexibility lets you decide how aggressive you want to be in enforcing any controls for suspicious sign-in events.
65
65
66
-
For more information about Azure AD Identity Protection, see [What is Azure AD Identity Protection](../identity-protection/overview-identity-protection.md)
66
+
For more information about Azure AD Identity Protection, see [What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)
67
67
68
68
## Enable MFA registration policy
69
69
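Review bot: New line 64 still opens with "When you enable a policy user or sign in risk policy", which has a stray "policy" and an unhyphenated "sign in". Since the line is being edited for the italics, change it to "When you enable a user risk or sign-in risk policy" so it matches the policy names in the list above. The link sentence at new line 66 gains the question mark inside the link text but still has no closing period.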
@@ -82,13 +82,13 @@ It's recommended to enable the MFA registration policy for users that are to be
82
82
83
83
## Enable user risk policy for password change
84
84
85
-
Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find username and password pairs. When one of these pairs matches an account in your environment, a risk-based password change can be requested. This policy and action makes the user update their password before they can sign in to make sure any previously exposed credentials no longer work.
85
+
Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find username and password pairs. When one of these pairs matches an account in your environment, a risk-based password change can be requested. This policy and action requires the user update their password before they can sign in to make sure any previously exposed credentials no longer work.
86
86
87
87
To enable this policy, complete the following steps:
88
88
89
89
1. Select the **User risk policy** from the menu on the left-hand side.
90
90
1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
91
-
1. Under *Conditions*, choose **Select conditions > Select a risk level**, then choose **Medium and above**.
91
+
1. Under *Conditions*, choose **Select conditions > Select a risk level**, then choose *Medium and above*.
92
92
1. Choose **Select**, then **Done**.
93
93
1. Under *Access*, select **Access**. Make sure the option for **Allow access** and *Require password change* is checked, then choose **Select**.
94
94
1. Set **Enforce Policy** to *On*, then select **Save**.
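Review bot: At new line 85, "This policy and action requires the user update their password" drops the "to" that "requires" needs here. Suggest "requires the user to update their password before they can sign in, which makes sure any previously exposed credentials no longer work"; the current trailing "to make sure" attaches ambiguously to "sign in" rather than to the password change.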
@@ -103,7 +103,7 @@ To enable this policy, complete the following steps:
103
103
104
104
1. Select the **Sign-in risk policy** from the menu on the left-hand side.
105
105
1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
106
-
1. Under *Conditions*, choose **Select conditions > Select a risk level**, then choose **Medium and above**.
106
+
1. Under *Conditions*, choose **Select conditions > Select a risk level**, then choose *Medium and above*.
107
107
1. Choose **Select**, then **Done**.
108
108
1. Under *Access*, choose **Select a control**. Make sure the option for **Allow access** and *Require multi-factor authentication* is checked, then choose **Select**.
109
109
1. Set **Enforce Policy** to *On*, then select **Save**.
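Review bot: The Access step at line 108 says "choose **Select a control**", while the matching step in the user risk procedure at line 93 says "select **Access**". While the formatting of these two procedures is being normalised, confirm which label the portal shows and use the same wording in both, so the step that attaches the MFA or password-change control to the policy is unambiguous.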
@@ -118,7 +118,7 @@ To test the Azure AD Identity Protection policies created in the previous steps,
118
118
119
119
## Clean up resources
120
120
121
-
If you have completed tests and no longer want to have the risk-based policies enabled, return to each policy you want to disable and set *Enforce Policy* to **Off**.
121
+
If you have completed tests and no longer want to have the risk-based policies enabled, return to each policy you want to disable and set **Enforce Policy** to *Off*.
122
122
123
123
## Next steps
124
124
@@ -132,4 +132,4 @@ In this tutorial, you enabled risk-based user policies for Azure AD Identity Pro
132
132
> * Test risk-based policies for user sign-in attempts
133
133
134
134
> [!div class="nextstepaction"]
135
-
> [Learn more about Azure AD Identity Protection](../identity-protection/overview-identity-protection.md
135
+
> [Learn more about Azure AD Identity Protection](../identity-protection/overview-identity-protection.md)