articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md
8 additions & 6 deletions
@@ -48,7 +48,7 @@ Microsoft recommends the below risk policy configurations to protect your organi
48
48
- User risk policy
49
49
- Require a secure password reset when user risk level is **High**. Azure AD MFA is required before the user can create a new password with SSPR to remediate their risk.
50
50
- Sign-in risk policy
51
-
- Require Azure AD MF when sign-in risk level is **Medium** or **High**, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.
51
+
- Require Azure AD MFA when sign-in risk level is **Medium** or **High**, allowing users to prove it's them by using one of their registered authentication methods, remediating the sign-in risk.
52
52
53
53
Requiring access control when risk level is low will introduce more user interrupts. Choosing to block access rather than allowing self-remediation options, like secure password reset and multi-factor authentication, will impact your users and administrators. Weigh these choices when configuring your policies.
54
54
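Review bot: In the corrected sign-in risk bullet (new line 51), "one of their registered authentication methods" assumes the user already has a method registered, and the text does not say what happens to a user who has none when the policy triggers at Medium or High. Consider adding a sentence or a link covering that prerequisite so the recommendation can be followed as written. The "MF" to "MFA" correction itself matches the "Azure AD MFA" wording already used in the user risk bullet.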
@@ -127,16 +127,18 @@ If you already have risk policies enabled in Identity Protection, we highly reco
127
127
128
128

129
129
130
-
1. Create an equivalent risk policy in [Conditional Access in report-only mode](#enable-policies).
131
-
1. Ensure that the new Conditional Access risk policy works as expected by testing it in [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md).
132
-
1. Enable the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.
130
+
### Migrating to Conditional Access
131
+
132
+
1. **Create**[a risk-based policy](#enable-policies) in Conditional Access in report-only mode. You can do this with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md#common-conditional-access-policies).
133
+
1. Ensure that the new Conditional Access risk policy works as expected by testing it in [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md).
134
+
1. **Enable** the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.
133
135
1. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**.
134
136
1. Select this new policy to edit it.
135
137
1. Set **Enable policy** to **On** to enable the policy
136
-
1. Disable the old risk policies in Identity Protection.
138
+
1. **Disable** the old risk policies in Identity Protection.
137
139
1. Browse to **Azure Active Directory** > **Identity Protection** > Select the **User risk** or **Sign-in risk** policy.
138
140
1. Set **Enforce policy** to **Off**
139
-
1. Create other risk policies if needed in Conditional Access.
141
+
1. Create other risk policies if needed in [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md).
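Review bot: In new step 1 (line 132), `**Create**[a risk-based policy](#enable-policies)` has no space between the bold verb and the link, so it renders as "Createa risk-based policy"; add a space after `**Create**`. The list now bolds Create, Enable and Disable but leaves "Ensure" in step 2 and "Create" in the last step plain, so either bold the leading verb of every top-level step or of none. Step 1 also says "the steps above" while linking to `#enable-policies`; confirm that section still sits above the new "Migrating to Conditional Access" heading. The last step links the words "Conditional Access" to the same file that step 1 calls "Conditional Access templates", so consider using the same link text in both places.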