[AzureAD] WIP refactor of risk-based sign-in tutorial

Author: iainfoulds

articles/active-directory/authentication/media/tutorial-risk-based-sspr-mfa/enable-mfa-registration.png

@@ -1,90 +1,117 @@
 ---
-title: Risk-based MFA and SSPR with Azure Identity Protection
-description: In this tutorial, you will enable Azure Identity Protection integrations, for Multi-Factor Authentication and self-service password reset, to reduce risky behavior.
+title: Risk-based user sign-in protection in Azure Active Directory
+description: In this tutorial, you learn how to enable Azure Identity Protection to protect users when risky sign-in behavior is detected on their account.
 
-services: multi-factor-authentication
+services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: tutorial
-ms.date: 01/31/2018
+ms.date: 05/08/2020
 
 ms.author: iainfou
 author: iainfoulds
 manager: daveba
-ms.reviewer: sahenry
 
-# Customer intent: How, as an Azure AD Administrator, do I utilize Azure AD Identity Protection to better protect the sign-in process.
+# Customer intent: As an Azure AD Administrator, I want to learn how to use Azure Identity Protection to protect users by automatically detecting risk sign-in behavior and prompting for additional forms of authentication or request a password change.
 ms.collection: M365-identity-device-management
 ---
-# Tutorial: Use risk detections to trigger Multi-Factor Authentication and password changes
+# Tutorial: Use risk detections for user sign-ins to trigger Azure Multi-Factor Authentication or password changes
 
-In this tutorial, you will enable features of Azure Active Directory (Azure AD) Identity Protection, an Azure AD Premium P2 feature that is more than just a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to risky behaviors. These policies, can either automatically block or initiate remediation, including requiring password changes and enforcing Multi-Factor Authentication.
+To protect your users, you can configure risk-based policies in Azure Active Directory (Azure AD) that automatically respond to risky behaviors. Azure AD Identity Protection policies can automatically block a sign-in attempt or require additional action, such as require a password change or prompt for Azure Multi-Factor Authentication. These policies work with existing Azure AD Conditional Access policies as an extra layer of protection for org organization. Users may never trigger a risky behavior in one of these policies, but your organization is protected if an attempt to compromise your security is made.
 
-Azure AD Identity Protection policies can be used in addition to existing Conditional Access policies as an extra layer of protection. Your users may never trigger a risky behavior requiring one of these policies, but as an administrator you know they are protected.
-
-Some items that may trigger a risk detection include:
-
-* Users with leaked credentials
-* Sign-ins from anonymous IP addresses
-* Impossible travel to atypical locations
-* Sign-ins from infected devices
-* Sign-ins from IP addresses with suspicious activity
-* Sign-ins from unfamiliar locations
-
-More information about Azure AD Identity Protection can be found in the article [What is Azure AD Identity Protection](../active-directory-identityprotection.md)
+In this tutorial, you learn how to:
 
 > [!div class="checklist"]
-> * Enable Azure MFA registration
+> * Understand the available policies for Azure AD Identity Protection
+> * Enable Azure Multi-Factor Authentication registration
 > * Enable risk-based password changes
 > * Enable risk-based Multi-Factor Authentication
+> * Test risk-based policies for user sign-in attempts
 
 ## Prerequisites
 
-* Access to a working Azure AD tenant with at least a trial Azure AD Premium P2 license assigned.
-* An account with Global Administrator privileges in your Azure AD tenant.
-* Have completed the previous self-service password reset (SSPR) and Multi-Factor Authentication (MFA) tutorials.
+To complete this tutorial, you need the following resources and privileges:
+
+* A working Azure AD tenant with at least an Azure AD Premium P2 trial license enabled.
+    * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An account with *Global Administrator* privileges.
+* Azure AD configured for self-service password reset and Azure Multi-Factor Authentication
+    * If needed, [complete the tutorial to enable Azure AD SSPR](tutorial-enable-sspr.md).
+    * If needed, [complete the tutorial to enable Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md).
+
+## Overview of Azure AD Identity Protection
+
+Each day, Microsoft collects and analyses trillions of anonymized signals as part of user sign-in attempts. These signals help build patterns of good user sign-in behavior, and identify potential risky sign-in attempts. Azure AD Identity Protection can review user sign-in attempts and take additional action if there's suspicious behavior.
+
+Some of the following actions may trigger Azure AD Identity Protection risk detection:
+
+* Users with leaked credentials.
+* Sign-ins from anonymous IP addresses.
+* Impossible travel to atypical locations.
+* Sign-ins from infected devices.
+* Sign-ins from IP addresses with suspicious activity.
+* Sign-ins from unfamiliar locations.
 
-## Enable risk-based policies for SSPR and MFA
+The following three policies are available in Azure AD Identity Protection to protect users and respond to suspicious activity. You can choose to turn the policy enforcement on or off, select users or groups for the policy to apply to, and if you want to block access at sign-in or prompt for additional action.
 
-Enabling the risk-based policies is a straightforward process. The steps below will guide you through a sample configuration.
+* User risk policy
+    * Identifies and responds to user accounts that may have compromised credentials. Can prompt the user to create a new password.
+* Sign in risk policy
+    * Identifies and responds to suspicious sign-in attempts. Can prompt the user to provide additional forms of verification using Azure Multi-Factor Authentication.
+* MFA registration policy
+    * Makes sure users are registered for Azure Multi-Factor Authentication. If a sign-in risk policy prompts for MFA, the user must already be registered for Azure Multi-Factor Authentication.
 
-### Enable users to register for Multi-Factor Authentication
+When you enable a policy, you can also choose the threshold for risk level - low and above, medium and above, or high. This flexibility lets you decide how aggressive you want to be in enforcing any controls for suspicious sign-in events.
 
-Azure AD Identity Protection includes a default policy that can help you to get your users registered for Multi-Factor Authentication and easily identify the current registration status. Enabling this policy does not start requiring users to perform Multi-Factor Authentication, but will ask them to pre-register.
+For more information about Azure AD Identity Protection, see [What is Azure AD Identity Protection](../identity-protection/overview-identity-protection.md)
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Click on **All services**, then browse to **Azure AD Identity Protection**.
-1. Click on **MFA registration**.
-1. Set Enforce Policy to **On**.
-   1. Setting this policy will require all of your users to register methods to prepare to use by Multi-Factor Authentication.
-1. Click **Save**.
+## Enable MFA registration policy
 
-   ![Require users to register for MFA at sign-in](./media/tutorial-risk-based-sspr-mfa/risk-based-require-mfa-registration.png)
+Azure AD Identity Protection includes a default policy that can help get users registered for Azure Multi-Factor Authentication. If you use additional policies to protect sign-in events, you would need users to have already registered for MFA. When you enable this policy, it doesn't require users to perform MFA at each sign-in event. The policy only checks the registration status for a user and asks them to pre-register if needed.
 
-### Enable risk-based password changes
+It's recommended to enable the MFA registration policy for users that are to be enabled for additional Azure AD Identity Protection policies. To enable this policy, complete the following steps:
 
-Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find username and password pairs. When one of these pairs matches an account in your environment, a risk-based password change can be triggered using the following policy.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a global administrator account.
+1. Search for and select **Azure Active Directory**, select **Security**, then under the *Protect* menu heading choose **Identity Protection**.
+1. Select the **MFA registration policy** from the menu on the left-hand side.
+1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
+1. Under *Controls*, select **Access**. Make sure the option for *Require Azure MFA registration* is checked, then choose **Select**.
+1. Set **Enforce Policy** to *On*, then select **Save**.
 
-1. Click on User risk policy.
-1. Under **Conditions**, select **User risk**, then choose **Medium and above**.
-1. Click "Select" then "Done"
-1. Under **Access**, choose **Allow access**, and then select **Require password change**.
-1. Click "Select"
-1. Set Enforce Policy to **On**.
-1. Click **Save**
+    ![Screenshot of how to require users to register for MFA in the Azure portal](./media/tutorial-risk-based-sspr-mfa/enable-mfa-registration.png)
 
-### Enable risk-based Multi-Factor Authentication
+## Enable user risk policy for password change
 
-Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform a Multi-Factor Authentication to prove that they are really who they say they are. To enable a policy requiring MFA when a risky sign-in is detected, enable the following policy.
+Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find username and password pairs. When one of these pairs matches an account in your environment, a risk-based password change can be requested. This policy and action makes the user update their password before they can sign in to make sure any previously exposed credentials no longer work.
 
-1. Click on Sign-in risk policy
-1. Under **Conditions**, select **User risk**, then choose **Medium and above**.
-1. Click "Select" then "Done"
-1. Under **Access**, choose **Allow access**, and then select **Require multi-factor authentication**.
-1. Click "Select"
-1. Set Enforce Policy to **On**.
-1. Click **Save**
+To enable this policy, complete the following steps:
+
+1. Select the **User risk policy** from the menu on the left-hand side.
+1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
+1. Under *Conditions*, choose  **Select conditions > Select a risk level**, then choose **Medium and above**.
+1. Choose **Select**, then **Done**.
+1. Under *Access*, select **Access**. Make sure the option for **Allow access** and *Require password change* is checked, then choose **Select**.
+1. Set **Enforce Policy** to *On*, then select **Save**.
+
+    ![Screenshot of how to enable the user risk policy in the Azure portal](./media/tutorial-risk-based-sspr-mfa/enable-user-risk-policy.png)
+
+## Enable sign-in risk policy for MFA
+
+Most users have a normal behavior that can be tracked. When they fall outside of this norm, it could be risky to allow them to successfully sign in. Instead, you may want to block that user, or ask them to perform a multi-factor authentication. If the user successfully completes the MFA challenge, you can consider it a valid sign-in attempt and grant access to the application or service.
+
+To enable this policy, complete the following steps:
+
+1. Select the **Sign-in risk policy** from the menu on the left-hand side.
+1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on.
+1. Under *Conditions*, choose  **Select conditions > Select a risk level**, then choose **Medium and above**.
+1. Choose **Select**, then **Done**.
+1. Under *Access*, choose **Select a control**. Make sure the option for **Allow access** and *Require multi-factor authentication* is checked, then choose **Select**.
+1. Set **Enforce Policy** to *On*, then select **Save**.
+
+    ![Screenshot of how to enable the sign-in risk policy in the Azure portal](./media/tutorial-risk-based-sspr-mfa/enable-sign-in-risk-policy.png)
 
 ## Clean up resources
 
-If you have completed testing and no longer want to have the risk-based policies enabled, return to each policy you want to disable, and set **Enforce Policy** to **Off**.
+If you have completed tests and no longer want to have the risk-based policies enabled, return to each policy you want to disable and set *Enforce Policy* to **Off**.
+
+## Next steps