
Task 02: Create a high sign-in risk policy


Security Architecture Team

  1. Have the team enable a User risk policy to automatically require users with detected high-risk accounts to securely reset their passwords and re-authenticate.

  2. Enable Sign-in risk policy to block or challenge sign-ins identified as high-risk based on suspicious or anomalous login behavior.


Security Engineering and Administration


01: Set up user risk policy

  1. In a new browser tab, go to entra.microsoft.com.

  2. In the leftmost pane, go to ID Protection > Risk-based Conditional Access.

  3. On the top bar, select New policy.

  4. For Name, enter User risk policy.

  5. Under Users, select 0 users and groups selected.

    1. Under the Include tab, select Select users and groups > Users and groups.

    2. In Select users and groups, search for and select XDR-Pilot-Group.

    3. At the bottom of the pane, select Select.

  6. Under Target resources, select No target resources selected.

    • Under the Include tab, select All resources.

  7. Under Conditions, select 0 conditions selected.

    1. Under User risk, select Not configured.

    2. In the flyout pane, select Yes, select High, then select Done.

  8. Under Grant, select 0 controls selected.

    • In the flyout pane, select Block access, then select Select.

  9. Under Enable policy, select On.

    In production, you should always test policies in Report-only first.

  10. Select Create.

02: Set up sign-in risk policy

  1. On the top bar, select New policy again.

  2. For Name, enter Sign-in risk policy.

  3. Under Users, select 0 users and groups selected.

    1. Under the Include tab, select Select users and groups > Users and groups.

    2. In Select users and groups, search for and select XDR-Pilot-Group.

    3. At the bottom of the pane, select Select.

  4. Under Target resources, select No target resources selected.

    • Under the Include tab, select All resources.

  5. Under Conditions, select 0 conditions selected.

    1. Under Sign-in risk, select Not configured.

    2. In the flyout pane, select Yes, select High, then select Done.

  6. Under Grant, select 0 controls selected.

    • In the flyout pane, select Block access, then select Select.

  7. Under Enable policy, select On.

    In production, you should always test policies in Report-only first.

  8. Select Create.

    Policies may take 5-10 minutes to propagate.
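The two portal walkthroughs above map onto a single Microsoft Graph Conditional Access policy body, which is what you would store in source control or push with a pipeline instead of clicking. The following is an added example, not part of the lab; it builds the v1.0 policy body for either risk type, defaults to report-only as the note recommends, and audits a body for the settings the lab intends. The group object id is a constructed placeholder; you must look up the real id of XDR-Pilot-Group in Entra.

```python
import json

# Graph endpoint that the portal itself calls when you select Create.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_risk_policy(name, risk_kind, group_ids, levels=("high",), enforce=False):
    """Build the Conditional Access policy body matching the portal steps.

    risk_kind "user"   -> conditions.userRiskLevels   (section 01)
    risk_kind "signIn" -> conditions.signInRiskLevels (section 02)
    enforce=False emits report-only, the state to test with before switching to On.
    """
    if risk_kind not in ("user", "signIn"):
        raise ValueError("risk_kind must be 'user' or 'signIn'")
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},  # Target resources: All resources
            "users": {"includeGroups": list(group_ids)},       # Users: the pilot group only
            f"{risk_kind}RiskLevels": list(levels),            # Conditions: risk level High
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},  # Grant: Block access
    }


def audit_risk_policy(policy):
    """Return findings that would stop this policy doing what the lab intends."""
    findings = []
    cond = policy.get("conditions", {})
    levels = cond.get("userRiskLevels", []) + cond.get("signInRiskLevels", [])
    if "high" not in levels:
        findings.append("does not cover high risk")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not Block access")
    if policy.get("state") == "disabled":
        findings.append("policy is disabled")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("not scoped to all resources")
    return findings


if __name__ == "__main__":
    # Constructed placeholder object id; replace with the real XDR-Pilot-Group id.
    pilot = ["00000000-0000-0000-0000-000000000000"]
    for name, kind in (("User risk policy", "user"), ("Sign-in risk policy", "signIn")):
        body = build_risk_policy(name, kind, pilot)
        print(f"POST {GRAPH_CA_POLICIES}\n{json.dumps(body, indent=2)}")
        print("findings:", audit_risk_policy(body) or "none")
```

Sending the body requires a Graph token with the Policy.ReadWrite.ConditionalAccess permission; the script only prints the request so it can be reviewed first.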


SOC Analyst

  1. In a new browser tab, go to entra.microsoft.com.

  2. In the leftmost pane, go to ID Protection > Dashboard.

  3. On the Identity Protection page’s menu, under Report, select Risky users.

  4. On the Identity Protection page’s menu, under Report, select Risky sign-ins.

    If any risky users or sign-ins are listed, confirm that the Risk state column shows access was Blocked or Remediation required.