User Risk Policy Check [CHK-1336]

This check verifies whether a User Risk policy is set.

Rationale

The User Risk Policy function identifies potentially compromised accounts by monitoring deviations from normal user behavior. Automatic actions, such as forcing a password change, can be triggered based on the risk level. This measure aligns with the CIS M365 1.1.10 - Enable Azure AD Identity Protection user risk policies.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Navigate to Entra ID portal at https://entra.microsoft.com
  2. Go to Conditional Access > Policies
  3. Click "New policy"
  4. Name the policy "Attic - User risk policy"
  5. Under "Assignments > Users", select "All users"
  6. Under "Assignments > Cloud apps", select "All cloud apps"
  7. Under "Conditions > User risk", set to "Yes" and select risk levels (Medium and high, or High only)
  8. Under "Access controls > Grant", select "Grant access" and check "Require multifactor authentication" and "Require password change"
  9. Set "Enable policy" to "On"
  10. Click "Create"
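The settings these steps configure can also be verified programmatically. The function below is an added example, not Attic's own code: it evaluates a list of policies in the JSON shape Microsoft Graph returns for Conditional Access policies (`state`, `conditions.userRiskLevels`, `conditions.users.includeUsers`, `conditions.applications.includeApplications`, `grantControls.builtInControls`) and maps the result to the check's Okay/Warning outcome; the sample policies are constructed, and the license-dependent Notice outcome is out of scope here.

```python
# Added example (not Attic's code): decide whether a tenant's Conditional Access
# policies satisfy CHK-1336, using the field names of Microsoft Graph
# conditionalAccessPolicy objects. SAMPLE_POLICIES below is constructed data.

REQUIRED_CONTROLS = {"mfa", "passwordChange"}   # Graph builtInControls values

def is_user_risk_policy(policy: dict) -> bool:
    """True if this single policy matches the settings the manual steps produce."""
    if policy.get("state") != "enabled":           # report-only or disabled does not count
        return False
    cond = policy.get("conditions") or {}
    risk = set(cond.get("userRiskLevels") or [])
    # Accept "High only" or "Medium and high"; "low" must not be part of the set
    if not risk or "high" not in risk or not risk <= {"medium", "high"}:
        return False
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in users or "All" not in apps:    # must target all users and all cloud apps
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    # Grant access requiring both MFA and a password change
    return grant.get("operator") == "AND" and REQUIRED_CONTROLS <= controls

def evaluate(policies: list) -> str:
    """Map a tenant's policy list to the check outcome (Okay / Warning)."""
    return "Okay" if any(is_user_risk_policy(p) for p in policies) else "Warning"

# Constructed sample: one report-only policy (ignored) and one correctly configured policy.
SAMPLE_POLICIES = [
    {"displayName": "Attic - User risk policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"userRiskLevels": ["high"], "users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
    {"displayName": "Attic - User risk policy", "state": "enabled",
     "conditions": {"userRiskLevels": ["medium", "high"], "users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES))  # Okay
```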

Impact

The check has three possible outcomes:

  • Okay: At least one User Risk policy with the correct settings is found.
  • Warning: No User Risk policy is set yet.
  • Notice: You do not have a license to set the User Risk policy.

If the outcome is Warning, enabling a User Risk policy is advised.

More Information

For more details, visit the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark.