High Risk Users Shall Be Blocked
Description
Azure AD Identity Protection (now Microsoft Entra ID Protection) correlates signals such as leaked credentials and anomalous sign-in behaviour into a user risk level that estimates how likely it is that an account has been compromised. Users whose risk level is high are blocked from signing in by a Conditional Access policy until an administrator investigates and remediates the account (for example by resetting the password and then dismissing or confirming the risk).
Policy
Users detected as high risk shall be blocked.
Notifications will be sent to admins when high-risk users are detected.
Licensing Considerations
Azure AD Premium P2 (now Microsoft Entra ID P2). Can be purchased standalone or as part of the following bundles:
Enterprise Mobility + Security (EMS) E5
Microsoft 365 E5
Microsoft 365 E5 Security add-on
Set Up Instructions
Create a Conditional Access policy for user risk (not sign-in risk: this policy targets the account-level risk score, which is what "high-risk user" refers to): Risk policies - Azure Active Directory Identity Protection - Microsoft Entra | Microsoft Learn
Under Conditions > User risk, select High. Under Access controls > Grant, select Block access. Exclude your break-glass (emergency access) accounts so a false-positive detection cannot lock every administrator out, and start the policy in report-only mode to review which accounts it would affect before enforcing it.
To Create notifications for admins: Azure Active Directory Identity Protection notifications - Microsoft Entra | Microsoft Learn
Identity Protection Overview: Azure Active Directory Identity Protection notifications - Microsoft Entra | Microsoft Learn
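The steps above, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original page or from Microsoft's documentation). It creates the user-risk block policy in report-only mode, excludes a break-glass account, and then lists the accounts currently flagged high risk so an administrator can start remediation. The group and account names are placeholders, not values from the page.

```powershell
# Added example (not from the original page): create a Conditional Access policy
# that blocks users whose Identity Protection user risk level is "high".
# Requires the Microsoft.Graph PowerShell SDK and a Microsoft Entra ID P2 licence.
# The break-glass UPN below is a placeholder; substitute your own emergency account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All",
                        "Application.Read.All",
                        "User.Read.All",
                        "IdentityRiskyUser.Read.All"

# Exclude the emergency access account so a false-positive risk detection
# cannot lock every administrator out of the tenant.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Break-glass account not found; refusing to create a policy with no exclusions." }

$params = @{
    displayName   = "Block high-risk users"
    # Report-only first. Switch to "enabled" once the sign-in log shows the
    # expected impact and no unintended accounts are caught.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        userRiskLevels = @("high")          # user risk, not signInRiskLevels
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")         # Access controls > Grant > Block access
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Accounts that are already high risk and still "atRisk" will be blocked as soon
# as the policy is enforced; an admin must remediate each one to restore access.
Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

Once an account has been investigated, remediation is a password reset followed by either Confirm-MgRiskyUserCompromised or Invoke-MgDismissRiskyUser (both take -UserIds with the object IDs); a dismissed user's risk state changes and the block no longer applies on the next sign-in.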
End-User Impact
Level: High
Once the Conditional Access policy is enforced, a high-risk user who attempts to sign in is blocked and shown an error message instructing them to contact their administrator. Because the grant control is Block access, the user cannot self-remediate: an administrator must reset the password and dismiss or confirm the user risk before access is restored.
Tips
Route the notifications into your ticketing system rather than to a single administrator's mailbox, so a blocked user is not left waiting on one person's availability.
Investigate the risk event following these steps: Investigate risk Azure Active Directory Identity Protection - Microsoft Entra | Microsoft Learn
PowerShell Scripts
Conditional Access Policies as Code: Azure-Samples/azure-ad-conditional-access-apis: Use Conditional Access Graph APIs to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies. (github.com)