Both risk policies and sign-in risk policies are almost identical in what they do. They both have the ability to allow or block access to Azure AD based on risk.
User Risk Policy - You can block or allow access and require a password change.
Sign-In Risk Policy You can block or allow access and require Multi-Factor Authentication.
Below are steps on how to configure User Risk and Sign-in Risk policies. Since the steps are identical for both I will be showing how to User Risk policy can be configured and modified.
REQUIREMENTS:
- You need to be a member of the following groups:
- Security Reader, Security Operator, Global Reader, or Global Administrator.
- Azure AD Identity Protection requires one of the following subscriptions:
- Azure AD Premium P2, Enterprise Mobility + Security E5, or Microsoft 365 E5
IMPORTANT:
- It is highly recommended to have a break glass account that you specifically exclude from the policy to ensure you can continue to gain access. A break glass account will only ever be used to regain access to your Microsoft 365 environment should you ever become locked out.
STEPS:
- Log in to the Azure portal http://portal.azure.com
- Search for Azure AD Identity Protection and select it.
- Under Protect option, select User risk policy.
- You will now see options to configure the policy.
- Under Users, you have a choice to include All Users or select certain users or groups. You can also exclude specific users.
- Make your required selections and click Done.
- Next, under User risk, you have the option to select a risk level that will be applied to the policy.
- Microsoft recommends setting the user risk policy to High and the sign-in risk policy to Medium or higher.
- Select your configuration then click Done to accept your settings.
Now we need to choose whether we are going to allow or block access when this risk policy generates a match. We can also enforce users to complete a password reset.
- Under Control, Select Block access. To the right of your screen, you should see the Access page come up to make your changes. Once you are satisfied with your selection, select Done.
- Set the Enforce Policy option to On and click Save.