A first look at a customer can be like the picture below: a lot of risky users to take care of. Before you activate Microsoft Azure AD Identity Protection there are some necessary steps that need to be configured.

What settings can you configure in Identity Protection?

  • User risk policy
  • Sign-in risk policy
  • MFA registration policy
  • Notify: Users at risk detected alerts
  • Notify: Weekly digest

User risk policy

Assignments: First select a group of users. This can be a static group containing the pilot users. When the pilot is done it is better to change it to a dynamic group that includes all users with an Azure AD Premium P2 license. Read more about how you can achieve that in this blog post:

https://cloudtech.nu/2020/02/13/use-azure-ad-dynamic-groups-based-on-serviceplanid/

Conditions: User risk = High. High is a good starting point; you can lower the threshold to Medium later on.

Controls: Require password change

Review: Before enabling this policy you can estimate how many users are affected.

Sign-in risk policy

Assignments: First select a group of users. This can be a static group containing the pilot users. When the pilot is done it is better to change it to a dynamic group that includes all users with an Azure AD Premium P2 license. Read more about how you can achieve that in this blog post:

https://cloudtech.nu/2020/02/13/use-azure-ad-dynamic-groups-based-on-serviceplanid/

Conditions: Sign-in risk = High. High is a good starting point; you can lower the threshold to Medium later on.

Controls: Access can be set to Blocked or Require multi-factor authentication.

Review: Before enabling this policy you can estimate how many users are affected.

Multi-factor authentication registration policy

Why is this setting important?
If a user is not registered for MFA or SSPR through the new security information experience and that user is scored as high risk, they are not able to sign in until the password has been changed from the Azure AD portal. So configure this policy so that all users are registered and can change their own password. Before pushing this setting it can be a good idea to share this link with all users so they can register before they are required to:
https://aka.ms/SetupSecurityInfo
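As an added example (not part of the original post), a local dry run of the Review step for the user risk policy together with the lock-out concern behind the MFA registration policy. The records are constructed sample data shaped like the Graph riskyUsers and userRegistrationDetails resources; the field names and values are assumptions, not output from a tenant.

```python
# Added example: estimate which users a user risk policy would act on at a
# given threshold, and which of those cannot remediate themselves because
# they have no MFA/SSPR registration (they would need an admin password reset).
# SAMPLE_USERS is constructed; the field names mirror the Graph riskyUsers
# (riskLevel, riskState) and userRegistrationDetails (isMfaRegistered) shapes
# and are assumptions for this illustration.

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}

SAMPLE_USERS = [
    {"upn": "anna@contoso.example", "riskLevel": "high",   "riskState": "atRisk",     "isMfaRegistered": True},
    {"upn": "bo@contoso.example",   "riskLevel": "high",   "riskState": "atRisk",     "isMfaRegistered": False},
    {"upn": "cem@contoso.example",  "riskLevel": "medium", "riskState": "atRisk",     "isMfaRegistered": False},
    {"upn": "dina@contoso.example", "riskLevel": "low",    "riskState": "atRisk",     "isMfaRegistered": True},
    {"upn": "erik@contoso.example", "riskLevel": "none",   "riskState": "remediated", "isMfaRegistered": True},
    {"upn": "fay@contoso.example",  "riskLevel": "none",   "riskState": "dismissed",  "isMfaRegistered": False},
]


def affected_users(users, threshold):
    """Users the policy would act on: still at risk and at/above the threshold."""
    return [u for u in users
            if u["riskState"] in ACTIVE_STATES
            and RISK_ORDER[u["riskLevel"]] >= RISK_ORDER[threshold]]


def lockout_candidates(users, threshold):
    """Affected users with no MFA/SSPR registration: they cannot complete the
    required password change on their own and will be locked out."""
    return [u["upn"] for u in affected_users(users, threshold)
            if not u["isMfaRegistered"]]


def review_summary(users):
    """Affected-user counts per threshold, like the portal's Review pane."""
    return {t: len(affected_users(users, t)) for t in ("high", "medium", "low")}


if __name__ == "__main__":
    print(review_summary(SAMPLE_USERS))                 # {'high': 2, 'medium': 3, 'low': 4}
    print(lockout_candidates(SAMPLE_USERS, "high"))     # ['bo@contoso.example']
    print(lockout_candidates(SAMPLE_USERS, "medium"))   # ['bo@contoso.example', 'cem@contoso.example']
```

Running the registration check before lowering the threshold from High to Medium shows how many more users the MFA registration policy must reach first.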

How to enable the new security information experience?

Open Azure Active Directory and navigate to Users > User settings. Under User feature previews you will find the setting “Manage user feature preview settings”.