Enable the default protection policies in Microsoft Entra ID Protection


Microsoft Entra ID Protection is a cloud-based service that helps organizations protect their identities and access from various types of threats. It uses advanced machine learning and artificial intelligence to detect and respond to risky or anomalous user and sign-in behaviors. It also provides tools and guidance for administrators to investigate and remediate identity-related incidents.

By enabling Microsoft Entra ID Protection, organizations can:

  • Get a combined view of flagged users and risk events detected by its machine learning algorithms.
  • Implement risk-based Conditional Access policies to protect their users automatically.
  • Improve their security posture by acting on vulnerabilities proactively rather than only after an attack has occurred.

One of the key features of Microsoft Entra ID Protection is the ability to define and enforce policies that apply adaptive access controls based on the level of risk detected. These policies can help prevent or limit the impact of identity compromise, such as account takeover, credential theft, phishing, or malware attacks.

The following sections introduce the three default Microsoft Entra ID Protection policies that administrators can choose to enable:

User risk policy

User risk is the probability that an attacker has compromised a user's identity. Various factors can influence user risk, for example the user's password strength, activity patterns, device health, and sign-in locations. Microsoft Entra ID Protection learns what normal behavior looks like for each user and uses that baseline when it evaluates whether the identity itself, rather than a single sign-in, has been compromised.

The User Risk policy applies to users whose accounts have been assessed as having a high probability of being compromised. It helps prevent attackers from using compromised credentials to reach sensitive resources or data. Depending on the access control you select, the policy either blocks access or requires the user to complete a multifactor authentication (MFA) challenge and a password reset before they can access any application or service. Either way, the policy verifies the identity of the user and stops an attacker who holds only the password from continuing to use the account.

You can configure the User Risk policy to apply to all users or to specific groups of users. You can also customize it to include or exclude certain applications or services from the policy scope. For example, an administrator can exclude low-risk applications or services that don't contain sensitive data or resources.

Organizations should enable the User Risk policy when they want to enhance their security posture and protect their users from identity compromise. The policy helps reduce the risk of data breaches, identity theft, or account takeover by requiring users to verify their identity and change their password when they're detected as risky or when their credentials have been leaked. Note that users can only self-remediate if they have already registered for MFA, and users synchronized from on-premises Active Directory can only change their password through this policy if password writeback is enabled.

Sign-in risk policy

Sign-in risk is the probability that a given sign-in attempt is malicious or anomalous. Various factors can influence sign-in risk, for example the sign-in location, device, network, and time. Microsoft Entra ID Protection analyzes signals from each sign-in both in real time (during authentication) and offline (after the fact). It then calculates a risk score representing the probability that the sign-in was not performed by the legitimate user.

The Sign-in Risk policy is a policy that applies to sign-in attempts that have been detected as having a high probability of being malicious or anomalous. This policy can help prevent attackers from using stolen or leaked credentials, compromised devices, or spoofed locations to sign in to applications or services. The Sign-in Risk policy works by requiring users to perform a multifactor authentication challenge or blocking the sign-in attempt altogether, depending on the level of risk detected. By doing so, the policy can verify the identity of the user and prevent any unauthorized sign-in attempts.

You can configure the Sign-in Risk policy to apply to all users or to specific groups of users. You can also customize it to include or exclude certain applications or services from the policy scope. For example, an administrator can include high-risk applications or services that contain sensitive data or resources.

Organizations should enable the Sign-in Risk policy when they want to enhance their security posture and protect their applications and services from unauthorized access. The Sign-in Risk policy can help reduce the risk of data breaches, identity theft, or account takeover by requiring users to verify their identity and blocking malicious or anomalous sign-in attempts.
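The User Risk and Sign-in Risk policies described in the two sections above can also be expressed as risk-based Conditional Access policies, which is what Microsoft now recommends over the legacy Identity Protection policy pages. The following Microsoft Graph PowerShell script is an added example, not code from this module or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator can consent to the listed scopes, and that the tenant holds Microsoft Entra ID P2 licenses (required for risk conditions). The policy display names and the break-glass account ID are placeholders. Both policies are created in report-only mode so their effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example: create risk-based Conditional Access policies that mirror
# the User Risk and Sign-in Risk policies, via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller can consent to the scopes
# below; Entra ID P2 licensing. Display names and the break-glass ID are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Emergency-access (break-glass) accounts must be excluded from risk policies so a
# false positive cannot lock every administrator out. Placeholder object ID.
$breakGlassIds = @('00000000-0000-0000-0000-000000000000')

# 1. User risk: high user risk -> require MFA AND a secure password change.
#    Conditional Access requires sign-in frequency "every time" whenever
#    passwordChange is used as a grant control.
$userRiskPolicy = @{
    displayName = 'Require MFA and password change for high user risk'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        userRiskLevels = @('high')
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

# 2. Sign-in risk: medium or high sign-in risk -> require MFA for that sign-in.
$signInRiskPolicy = @{
    displayName = 'Require MFA for medium and high sign-in risk'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        signInRiskLevels = @('high', 'medium')
        users            = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications     = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

foreach ($body in @($userRiskPolicy, $signInRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0} -> id {1}, state {2}' -f $created.DisplayName, $created.Id, $created.State
}
```

Once the report-only results in the sign-in logs look right, switch each policy's state to `enabled` with Update-MgIdentityConditionalAccessPolicy. Keep the break-glass exclusion in place when you do.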

Multifactor Authentication (MFA) registration policy

MFA registration is the process of setting up a second factor of authentication for a user account. A second factor is something the user has (such as a phone or a security key) or something the user is (a biometric), used to verify the user's identity in addition to something the user knows, their password. Commonly used second factors include a phone, an email, a one-time code, or a biometric. MFA registration improves the security of user accounts by making it much harder for an attacker who holds only the password to get in.

Microsoft Entra ID Protection can help organizations roll out Microsoft Entra multifactor authentication. It does so by using a Conditional Access policy requiring registration at sign-in. The MFA Registration policy is a policy that applies to users who haven't registered for multifactor authentication. This policy can help increase the adoption of MFA and improve the security of user accounts. Enabling this policy is a great way to ensure new users in your organization register for MFA on their first day. MFA is one of the self-remediation methods for risk events within Identity Protection. Self-remediation allows your users to take action on their own to reduce helpdesk call volume.

The MFA Registration policy works by requiring users to register for MFA when they sign in to any application or service. This way, the policy can ensure that users have a second factor of authentication available in case they need to verify their identity or reset their password.

You can configure the MFA Registration policy to apply to all users or to specific groups of users. You can also customize it to include or exclude certain applications or services from the policy scope. For example, an administrator can exclude applications or services that don't support MFA or that have their own MFA mechanisms.

Organizations should enable the MFA Registration policy when they want to increase the adoption of MFA and improve the security of user accounts. The MFA Registration policy can help reduce the risk of data breaches, identity theft, or account takeover by requiring users to register for MFA and have a second factor of authentication available.

Turn on default Microsoft Entra ID Protection policies

Microsoft Entra ID Protection turns off all three policies by default. To turn on each policy required by your organization, complete the following steps:

  1. Sign in to the Microsoft 365 admin center with a Global Administrator account (a Security Administrator account is also sufficient to configure Identity Protection policies and is the lower-privileged choice).
  2. In the Microsoft 365 admin center, in the left-hand navigation pane, select Show all.
  3. In the left-hand navigation pane, under Admin centers, select Identity.
  4. In the Microsoft Entra admin center, in the left-hand navigation pane, select Identity, select Protection, and then select Identity Protection.
  5. On the Identity Protection | Dashboard page, the three default policies appear in the middle navigation pane under the Protect section (User risk policy, Sign-in risk policy, and Multifactor authentication registration policy). For each policy your organization wants to enforce, open its policy page, review the assignments (users and, for the risk policies, the risk level) and the access control, and then toggle the Policy enforcement switch to Enabled.
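After the policies are enabled, a practitioner will want to confirm what is actually in force and see the users and detections the policies act on (the combined view of flagged users and risk events mentioned at the top of this page). The following script is an added example, not part of this module; it assumes the Microsoft.Graph PowerShell SDK, Entra ID P2 licensing, and a caller who can consent to the listed read-only scopes. The legacy policy pages themselves have no Graph API, so the first query lists only risk-based Conditional Access policies.

```powershell
# Added example: verify risk-based Conditional Access policies and review the
# risky users and risk detections that Identity Protection has flagged.
# Assumptions: Microsoft.Graph module installed; Entra ID P2; caller can consent
# to the read-only scopes below.

Connect-MgGraph -Scopes 'Policy.Read.All', 'IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All'

# Conditional Access policies that use user risk or sign-in risk as a condition,
# with their state (enabled, disabled, or report-only).
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.UserRiskLevels -or $_.Conditions.SignInRiskLevels } |
    Select-Object DisplayName, State,
        @{ n = 'UserRisk';   e = { $_.Conditions.UserRiskLevels -join ',' } },
        @{ n = 'SignInRisk'; e = { $_.Conditions.SignInRiskLevels -join ',' } }

# Users currently at high risk that have not been remediated or dismissed.
# These are the accounts a user risk policy set to "high" will challenge.
Get-MgRiskyUser -All -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

# Risk detections from the last 7 days, newest first. Filtering on the date is
# done client-side here to avoid relying on server-side $filter support for it.
$since = (Get-Date).ToUniversalTime().AddDays(-7)
Get-MgRiskDetection -All |
    Where-Object { $_.DetectedDateTime -ge $since } |
    Sort-Object DetectedDateTime -Descending |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel,
                  RiskState, DetectionTimingType, IpAddress
```

DetectionTimingType distinguishes real-time detections, which a sign-in risk policy can act on during authentication, from offline detections, which raise user risk after the fact; seeing both columns side by side shows why the two policies are complementary rather than interchangeable.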