Description:

Requiring multi-factor authentication (MFA) for risky sign-ins in Azure Active Directory (Azure AD, now Microsoft Entra ID) means that when Identity Protection scores a sign-in attempt as risky (for example, one arriving through an anonymous proxy or Tor exit node, or with unfamiliar sign-in properties), the user must complete MFA before access is granted. This protects against credential stuffing, password spraying, credential phishing and account takeover by making a stolen password alone insufficient whenever the sign-in looks suspicious. A second factor does not by itself stop adversary-in-the-middle phishing kits that relay the MFA prompt; phishing-resistant methods such as FIDO2 security keys or certificate-based authentication are needed for that.

Rationale:

Risky sign-ins are authentications that Identity Protection has flagged through its detections: anonymous IP addresses, atypical travel between two sign-ins, unfamiliar sign-in properties, sign-ins from malware-linked or threat-intelligence-flagged IP addresses, and similar signals. Enforcing MFA for these sign-ins reduces the chance of unauthorized access even when the attacker holds a valid password, because the password alone no longer completes the sign-in. Access is decided on the observed risk of each individual sign-in rather than on the password check alone.

Impact:

Enabling MFA for risky sign-ins improves security by requiring an additional factor exactly when suspicious activity is detected, rather than on every sign-in. Users will be prompted more often if their sign-ins are classified as risky (for example, when travelling or connecting through a VPN); completing MFA successfully also remediates the sign-in risk, so the same user is not challenged repeatedly for the same event. Users who have not registered an MFA method cannot satisfy the control and will be asked to register during the risky sign-in itself, which is undesirable. Monitor the policy, ideally starting in report-only mode, to ensure it does not disrupt legitimate users while still stopping attackers.

Default Value:

No enforced policy exists by default. A risk-based Conditional Access policy must be configured manually in Azure AD under Security > Conditional Access (Microsoft may place a managed "risky sign-ins" policy in report-only mode in eligible tenants, which still has to be reviewed and switched on).

Pre-requisites:

  • An Azure AD tenant licensed for Azure AD Premium P2 (Microsoft Entra ID P2); the Sign-in risk condition depends on Identity Protection, which is a P2 feature.

  • Global Administrator or Conditional Access Administrator role. Conditional Access Administrator is the least-privileged built-in role for this task; Global Administrator also works but should not be used routinely.

  • Users in scope have already registered an MFA method (enforce this with an MFA registration policy first). Otherwise a risky sign-in is interrupted by a registration prompt, which an attacker holding the password could complete with their own device.

  • At least one emergency-access (break-glass) account to exclude from the policy, so that a risk-scoring or MFA outage cannot lock every administrator out.

Audit:

  1. Sign in to the Azure portal as a Global Administrator or Conditional Access Administrator (a read-only role such as Global Reader is sufficient to audit).

  2. Navigate to Azure Active Directory > Security > Conditional Access > Policies.

  3. Confirm that a policy exists whose State is On (not Report-only or Off), whose Conditions > Sign-in risk includes at least High and Medium, whose Grant control is Require multi-factor authentication (or an authentication strength), and whose Assignments cover all users and all cloud apps with no exclusions beyond the emergency-access accounts.

  4. Optionally confirm enforcement from the Sign-in logs: filter on sign-ins with Medium or High aggregate risk and check on each entry's Conditional Access tab that the policy applied and MFA was satisfied.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Conditional Access Administrator privileges.

  2. Navigate to Conditional Access Policies:

    • In the Azure portal, go to Azure Active Directory > Security > Conditional Access.

  3. Create a New Conditional Access Policy:

    • Click + New Policy to create a new Conditional Access policy.

    • Name the policy (e.g., "MFA for Risky Sign-ins").

  4. Define Policy Scope:

    • Under Assignments > Users and groups, select the users or groups the policy applies to. All users is the recommended scope; a policy limited to privileged users leaves everyone else unprotected. Under Exclude, add the emergency-access (break-glass) accounts so this policy can never lock them out.

    • Under Cloud apps or actions (labelled Target resources in newer portal versions), choose All cloud apps unless there is a specific reason to narrow the scope.

  5. Configure the Policy to Require MFA for Risky Sign-ins:

    • Under Conditions > Sign-in risk, set Configure to Yes to enable the Sign-in risk condition.

    • Select the risk levels High and Medium (Microsoft's recommended setting). Adding Low greatly increases the number of prompts for little security gain; leaving Medium out lets many suspicious sign-ins through with only a password.

    • Under Access controls > Grant, select Grant access and check Require multi-factor authentication (or Require authentication strength and pick a phishing-resistant strength if your users have FIDO2 or certificate-based credentials registered).

    • With this configuration, a sign-in that Identity Protection scores as Medium or High risk must complete MFA; a successful MFA challenge also remediates that sign-in's risk.

  6. Enable the Policy:

    • Set Enable policy to Report-only first: the policy is evaluated and its outcome written to the sign-in logs without being enforced, which shows who would have been challenged or blocked.

    • After reviewing the report-only results, set Enable policy to On and save the policy to start enforcing the rule.

  7. Test and Monitor:

    • Test the policy by generating a detection Identity Protection recognises. The simplest documented method is signing in through the Tor Browser, which triggers the anonymous IP address detection; signing in from an unfamiliar device or location (for example, through a VPN exit in another country) can trigger unfamiliar sign-in properties or atypical travel, but those detections are not always raised immediately.

    • Verify that MFA is required when the sign-in is classified as Medium or High risk, and that a normal sign-in from a known device and location proceeds without a prompt.

    • Use the Azure AD Sign-in logs (the Conditional Access tab of each entry) and the Identity Protection Risky sign-ins report to monitor risky sign-ins and confirm that the policy applied and MFA was satisfied.

  8. Review and Adjust:

    • Monitor Sign-in logs regularly to review how users are being impacted by the policy and ensure that legitimate users aren’t being unnecessarily challenged by MFA.

    • Adjust the risk levels and conditions as needed based on the results and your organization’s security posture.
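The check described in the Audit section and steps 3 to 6 of the procedure above can both be driven through Microsoft Graph instead of the portal. The following Python is an added example written for this page (it is not Microsoft's code and not part of the original control text): it builds the policy as a Graph conditionalAccessPolicy request body, can POST it to the Graph endpoint, and evaluates an exported list of policies for one that satisfies the control. The break-glass object ID, the sample export and the access-token handling are assumptions; a real export would come from GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

```python
"""Build the "MFA for Risky Sign-ins" Conditional Access policy as a Microsoft
Graph request body, and audit an exported policy list for a compliant one.

Constructed example for this page; not Microsoft's or the page author's code.
Graph resource used: conditionalAccessPolicy at
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Placeholder object ID for an emergency-access (break-glass) account: an assumption.
BREAK_GLASS = "00000000-0000-0000-0000-000000000001"
REQUIRED_RISK_LEVELS = {"high", "medium"}   # the recommended sign-in risk levels


def build_risky_signin_mfa_policy(report_only=True, excluded_users=(BREAK_GLASS,)):
    """Steps 3-6 of the procedure as a Graph request body.
    Starts in report-only mode so the impact can be reviewed first;
    pass report_only=False to create it enforced (state 'enabled')."""
    return {
        "displayName": "MFA for Risky Sign-ins",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "signInRiskLevels": sorted(REQUIRED_RISK_LEVELS),   # High and Medium
            "clientAppTypes": ["all"],
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(excluded_users),   # break-glass stays reachable
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def post_policy(token, policy):
    """Create the policy via Graph. Needs Policy.ReadWrite.ConditionalAccess;
    obtaining the bearer token is assumed to happen outside this example."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def policy_findings(policy):
    """Return the reasons a policy does NOT satisfy the control (empty list = compliant)."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    findings = []
    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("report-only: nothing is enforced yet")
    elif state != "enabled":
        findings.append(f"state is {state!r}, not enabled")
    missing = REQUIRED_RISK_LEVELS - set(cond.get("signInRiskLevels") or [])
    if missing:
        findings.append(f"sign-in risk levels not covered: {sorted(missing)}")
    # Either the built-in MFA control or an authentication strength satisfies the grant.
    if "mfa" not in (grant.get("builtInControls") or []) and not grant.get("authenticationStrength"):
        findings.append("grant control does not require MFA")
    if "All" not in (users.get("includeUsers") or []):
        findings.append("not scoped to all users")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("not scoped to all cloud apps")
    return findings


def audit(policies):
    """Findings for every policy that has a sign-in risk condition, keyed by name."""
    return {p.get("displayName", p.get("id", "?")): policy_findings(p)
            for p in policies if (p.get("conditions") or {}).get("signInRiskLevels")}


def control_passes(policies):
    """The control is satisfied if at least one risk-targeting policy has no findings."""
    return any(not f for f in audit(policies).values())


# Constructed sample of a policy export: one weak risk policy (High only, still
# report-only) and one unrelated MFA policy that does not use sign-in risk.
SAMPLE_EXPORT = [
    {"id": "a1", "displayName": "Old risky sign-in policy",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"signInRiskLevels": ["high"],
                    "users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "a2", "displayName": "Require MFA for a pilot group", "state": "enabled",
     "conditions": {"signInRiskLevels": [],
                    "users": {"includeGroups": ["pilot-group-object-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EXPORT), indent=2))
    print("control passes:", control_passes(SAMPLE_EXPORT))
    fixed = SAMPLE_EXPORT + [build_risky_signin_mfa_policy(report_only=False)]
    print("control passes after adding the policy:", control_passes(fixed))
```

Run as a script, the audit of the constructed export fails because the only policy that targets sign-in risk is still report-only and omits Medium; adding the policy built here in enforced mode makes it pass. To create the policy for real, obtain a token with the Policy.ReadWrite.ConditionalAccess permission and pass the body to post_policy, keeping report_only=True until the sign-in logs have been reviewed.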

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Conditional Access Administrator privileges.

  2. Navigate to Conditional Access Policies:

    • Go to Azure Active Directory > Security > Conditional Access.

  3. Disable or Remove the Policy:

    • Locate the Conditional Access policy you created to enforce MFA for risky sign-ins.

    • Either set Enable policy to Off (the policy and its configuration are kept and can be re-enabled later) or delete the policy entirely. Prefer Off for a backout, and use Report-only if you only want to stop enforcement while continuing to collect data in the sign-in logs.

  4. Test Reverted Access:

    • After disabling or removing the policy, test the sign-in process to confirm that sign-ins classified as risky are no longer challenged by this policy.

    • Other Conditional Access policies, security defaults or the Identity Protection sign-in risk policy may still require MFA; check on the Conditional Access tab of the sign-in log entry which policy produced any remaining prompt rather than assuming it came from the one that was removed.

  5. Review Access Logs:

    • Review the sign-in logs to ensure that MFA enforcement for risky sign-ins has been successfully disabled or reverted.

References: