Added policy migration guidance

tracyshi · web-flow · commit 7b1bc171272e · 2022-09-22T20:14:30.000-07:00
Added specific steps and images for migrating policies from Identity Protection to CA.
diff --git a/articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md b/articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md
@@ -22,7 +22,7 @@ As we learned in the previous article, [Identity Protection policies](concept-id
 - Sign-in risk policy
 - User risk policy
 
-![Risk conditions in Conditional Access](./media/howto-identity-protection-configure-risk-policies/CA-risk-policies.png)
+![Risk conditions in Conditional Access](./media/howto-identity-protection-configure-risk-policies/CA-risk-conditions.png)
 
 ## Choosing acceptable risk levels
 
@@ -110,7 +110,7 @@ Before organizations enable remediation policies, they may want to [investigate]
 1. Confirm your settings and set **Enable policy** to **On**.
 1. Select **Create** to create to enable your policy.
 
-### Migrate Identity Protection risk policies to Conditional Access
+## Migrate risk policies from Identity Protection to Conditional Access
 
 While Identity Protection also provides two risk policies with limited conditions, we highly recommend setting up risk-based policies in Conditional Access for the following benefits:
 
@@ -126,6 +126,88 @@ If you already have risk policies enabled in Identity Protection, we highly reco
 4.	Disable the old risk policies in Identity Protection.
 5.	Create additional risk policies if needed in Conditional Access.
 
+Specific steps for the migration are listed below.
+
+### Migrate User risk policy to Conditional Access
+
+Example
+
+![Migrate user risk policy to Conditional Access](./media/howto-identity-protection-configure-risk-policies/user-risk-policy-migration-to-CA.png)
+
+#### Step 1 Create an equivalent user risk policy in Report-only mode Conditional Access
+1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
+2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+3. Select **New policy**.
+4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+5. Under **Assignments**, select **Users or workload identities**.
+   1. Under **What does this policy apply to?**, select **Users and groups**
+   2. Under **Include**, select users and groups that are included in your current user risk policy in Identity Protection
+   3.  Under **Exclude**, select select users and groups that are excluded from your current user risk policy
+   4. Select **Done**.
+6. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
+7. Under **Conditions** > **User risk**, set **Configure** to **Yes**. 
+   1. Under **Configure user risk levels needed for policy to be enforced**, select the risk levels that match the configuration in your current user risk policy
+   1. Select **Done**.
+8. Under **Access controls** > **Grant**.
+   1. Select **Grant access**, select the access control that matches the configuration in your current user risk policy
+   1. Select **Select**.
+9. Under **Session**.
+   1. Select **Sign-in frequency**.
+   1. Ensure **Every time** is selected.
+   1. Select **Select**.
+10. Confirm your settings, and set **Enable policy** to **Report-only**.
+11. Select **Create** to create to enable your policy in Report-only mode.
+12. Test your new Conditional Access policy in Report-only mode to ensure that it is working as expected
+
+#### Step 2 Enable the new Conditional Access user risk policy
+13. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**. 
+14. Select this new policy to edit it.
+15. Set **Enable policy** to **On** to turn the policy on
+
+#### Step 3 Turn off your old user risk policy in Identity Protection
+16. Browse to **Azure Active Directory** > **Identity Protection** > **User risk policy**  
+17. Set **Enforce policy** to **Off**
+
+
+### Migrate Sign-in risk policy to Conditional Access
+
+Example
+
+![Migrate sign-in risk policy to Conditional Access](./media/howto-identity-protection-configure-risk-policies/sign-in-risk-policy-migration-to-CA.png)
+
+1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Conditional Access Administrator.
+2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+3. Select **New policy**.
+4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+5. Under **Assignments**, select **Users or workload identities**.
+   1. Under **What does this policy apply to?**, select **Users and groups**
+   2. Under **Include**, select users and groups that are included in your current sign-in risk policy in Identity Protection
+   3. Under **Exclude**, select users and groups that are excluded from your current sign-in risk policy
+   4. Select **Done**.
+6. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
+7. Under **Conditions** > **Sign-in risk**, set **Configure** to **Yes**. 
+   1. Under **Select the sign-in risk level this policy will apply to**. Select the risk levels that match the configuration in your current sign-in risk policy
+   1. Select **Done**.
+8. Under **Access controls** > **Grant**.
+   1. Select **Grant access**, select the access control that matches the configuration in your current sign-in risk policy
+   1. Select **Select**.
+9. Under **Session**.
+   1. Select **Sign-in frequency**.
+   1. Ensure **Every time** is selected.
+   1. Select **Select**.
+10. Confirm your settings and set **Enable policy** to **Report-only**.
+11. Select **Create** to create to enable your policy.
+
+#### Step 2 Enable the new Conditional Access sign-in risk policy
+13. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**. 
+14. Select this new policy to edit it.
+15. Set **Enable policy** to **On** to turn the policy on
+
+#### Step 3 Turn off your old sign-in risk policy in Identity Protection
+16. Browse to **Azure Active Directory** > **Identity Protection** > **Sign-in risk policy**  
+17. Set **Enforce policy** to **Off**
+
+
 ## Next steps
 
 - [Enable Azure AD Multi-Factor Authentication registration policy](howto-identity-protection-configure-mfa-policy.md)
