In my previous blog post, I explained how to set up a sign-in risk-based Azure conditional access policy. That article can be accessed using this link. As I explained there, sign-in risk is calculated from user access behavior. If a user's access behavior is flagged as risky, the user account has most probably also been compromised. Most of the time, such compromised accounts are sold or shared on the dark web. Now, with the help of Microsoft, we can check whether corporate accounts are appearing in such risky places. Microsoft uses various sources to identify risky user accounts, such as:
- Public paste sites
- Dark web research groups
- Law enforcement agencies
We can use Azure conditional access policies to verify whether a sign-in request is coming from a known compromised account. User account risk is calculated offline, which means it can take 2 to 24 hours to appear in reports.
Let’s go ahead and see how we can create a user risk-based Azure conditional access policy.
Configure Azure conditional access policy
1. Log in to the Azure Portal (https://portal.azure.com/) as a Global Administrator, Security Administrator, or Conditional Access Administrator
2. Then go to Azure Active Directory
3. On the Azure Active Directory page click on Security
4. On the Security Home page, click on Conditional Access
5. Then click on + New Policy
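The portal steps above build the policy by hand. As an added example (not from the original post), the block below creates the same kind of user risk-based policy with Microsoft Graph PowerShell, which is useful when the policy must be reproducible across tenants or kept in version control. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Conditional Access Administrator role, and that the tenant has user risk detection available; the policy name, the break-glass account placeholder, and the choice of "high" user risk with MFA plus password change are my assumptions, not values from the post.

```powershell
# Added example (not from the original post): create a user risk-based
# Conditional Access policy with Microsoft Graph PowerShell instead of the portal.
# Assumes: Microsoft.Graph module installed, signed-in account holds the
# Conditional Access Administrator role, user risk detection available in the tenant.

# Least privilege: request only the permission this task needs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "User risk - high: require MFA and password change"   # assumed name
    # Start in report-only mode so the sign-in logs show what the policy *would*
    # have done before it can lock anyone out; switch to "enabled" after review.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: put your break-glass account object ID(s) here so a
            # false-positive risk detection cannot lock out every administrator.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # Match only sign-ins by accounts whose offline user risk score is "high",
        # i.e. accounts Microsoft believes are likely compromised.
        userRiskLevels = @("high")
    }
    grantControls = @{
        # passwordChange must be paired with mfa using the AND operator.
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Show what was created so the state and ID can be recorded.
$created | Select-Object Id, DisplayName, State
```

Leaving the policy in report-only mode first lets you review the sign-in logs for users who would have been forced to change their password; once the excluded break-glass accounts are confirmed and the matches look right, change `state` to `enabled` and run the script (or update the policy in the portal) to enforce it.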