Sign-in Risk Policy [CHK-1334]
This check verifies whether a Conditional Access policy is configured for sign-in risk (a Sign-In Risk policy).
Rationale
Multi-factor authentication (MFA) adds an extra layer of security on top of username and password. Microsoft's Sign-In Risk policies detect sign-in attempts that Identity Protection flags as risky, i.e. sign-ins that are likely not performed by the legitimate owner of the account. For those sign-ins, MFA can be enforced, so that stolen login credentials alone are not enough to sign in from anywhere in the world.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to Entra ID portal at https://entra.microsoft.com
- Go to Conditional Access > Policies
- Click "New policy"
- Name the policy "Attic - Sign-in risk policy"
- Under "Assignments > Users", select "All users"
- Under "Assignments > Cloud apps", select "All cloud apps"
- Under "Conditions > Sign-in risk", set "Configure" to "Yes" and select the risk levels to act on (Medium and high, or High only)
- Under "Access controls > Grant", select "Grant access" and check "Require multifactor authentication"
- Set "Enable policy" to "On"
- Click "Create"
Impact
This check has three possible outcomes:
- Okay: At least one Sign-In Risk policy with the correct settings is found.
- Warning: No Sign-In Risk policy is set yet.
- Notice: You do not have a license to set the Sign-In Risk policy.
If the output is Warning, we advise enabling a Sign-In Risk policy (SignInRiskPolicy) as described under Fix.
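The following PowerShell script is an added example, not Attic's own code, showing how the outcomes above can be reproduced from the command line with the Microsoft Graph PowerShell SDK and how a policy with the settings from the manual steps can be created. It assumes the signed-in account holds the Policy.Read.All scope (to evaluate) and Policy.ReadWrite.ConditionalAccess (to create), that risk-based Conditional Access is unlocked by the AAD_PREMIUM_P2 service plan (Entra ID P2), and the policy name "Attic - Sign-in risk policy" from the manual steps. The function names and the `$RiskLevels` parameter are assumptions of this example.

```powershell
# Added example (not Attic's code): evaluate and create a sign-in risk policy
# via Microsoft Graph. Requires the Microsoft.Graph PowerShell SDK.

function Test-IdentityProtectionLicense {
    # Assumption: risk-based Conditional Access needs the AAD_PREMIUM_P2 plan.
    $skus = Get-MgSubscribedSku -All
    foreach ($sku in $skus) {
        if ($sku.ServicePlans.ServicePlanName -contains 'AAD_PREMIUM_P2') { return $true }
    }
    return $false
}

function Test-SignInRiskPolicy {
    param([Parameter(Mandatory)] [object[]] $Policies)

    # A policy counts as correct when it is enabled, scoped to all users and
    # all cloud apps, triggers on the "high" sign-in risk level (optionally
    # "medium" as well), and requires MFA as a grant control.
    $compliant = foreach ($p in $Policies) {
        $isEnabled   = $p.State -eq 'enabled'
        $allUsers    = 'All' -in @($p.Conditions.Users.IncludeUsers)
        $allApps     = 'All' -in @($p.Conditions.Applications.IncludeApplications)
        $onHighRisk  = 'high' -in @($p.Conditions.SignInRiskLevels)
        $requiresMfa = 'mfa' -in @($p.GrantControls.BuiltInControls)
        if ($isEnabled -and $allUsers -and $allApps -and $onHighRisk -and $requiresMfa) { $p }
    }
    if ($compliant) {
        return [pscustomobject]@{ Outcome = 'Okay'; Policies = @($compliant.DisplayName) }
    }
    return [pscustomobject]@{ Outcome = 'Warning'; Policies = @() }
}

function New-AtticSignInRiskPolicy {
    # Mirrors the manual steps: all users, all cloud apps, sign-in risk
    # condition, grant access with MFA required. Risk levels are an assumed
    # parameter; "high" alone is the other option the page describes.
    param([string[]] $RiskLevels = @('medium', 'high'))
    $body = @{
        displayName   = 'Attic - Sign-in risk policy'
        state         = 'enabled'
        conditions    = @{
            signInRiskLevels = $RiskLevels
            users            = @{ includeUsers = @('All') }
            applications     = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

if (-not (Test-IdentityProtectionLicense)) {
    Write-Output 'Notice: no license found for Sign-In Risk policies (AAD_PREMIUM_P2).'
    return
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
$result   = Test-SignInRiskPolicy -Policies $policies
Write-Output "$($result.Outcome): $($result.Policies -join ', ')"

if ($result.Outcome -eq 'Warning') {
    # Remediate: create the policy described in the manual steps.
    New-AtticSignInRiskPolicy | Select-Object DisplayName, State
}
```

Two points worth keeping in mind when running this against a real tenant: setting `state` to `enabledForReportingButNotEnforced` first (report-only mode) lets you observe which sign-ins the policy would have challenged before enforcing it, and excluding a dedicated emergency-access account from `users` avoids locking administrators out if Identity Protection misclassifies their sign-ins.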
More Information
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 1.1.9 - (L2) Enable Azure AD Identity Protection sign-in risk policies