Protect all users with a user risk policy - not detected

ADM-Griffin2, Jay 151 Reputation points
2022-08-22T21:50:35.537+00:00

I have the CA policy that this "suggestion" refers to: Protect all users with a user risk policy

https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user

The policy is ON and has not been changed for 2 months, but my score dropped 7 points on 8/20 saying I need this policy. It says 715 out of 715 users are not protected.

Anyone else see this?


7 answers

  1. Olga Os - MSFT 5,951 Reputation points Microsoft Employee
    2022-08-22T22:26:24.683+00:00

    Hello @ADM-Griffin2, Jay ,

    Welcome to the MS Q&A forum.

    Could you kindly share the exact message referring to this event from the overview page and history page? To find more detailed information, navigate over to the Microsoft 365 Defender portal. You can easily see all the changes to your secure score by reviewing the in-depth changes on the history tab.

    Example below:
    [screenshots: 233758-screenshot-2022-08-22-151252.jpg, 233780-screenshot-2022-08-22-150841.jpg]

    In addition, check if you have any related change events in the Audit logs from the Overview Page by using filter "Service => Identity Protection" and in the "Conditional Access | Audit logs".

    Hope the above steps help you resolve your concern.

    --------------------------------------------------------

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.


  2. ADM-Griffin2, Jay 151 Reputation points
    2022-08-23T12:23:27.18+00:00

    That is the exact vulnerability it is warning me about. My implementation status says:

    Implementation status
    You have 715 users out of 715 that do not have user risk policy enabled.

    If I go to Implementation:
    Next steps

    1. To implement this recommendation, you need Azure Active Directory Premium P2 licenses. Check what Azure Active Directory license you have under “Prerequisites” in Microsoft Secure Score or see your license type under "Basic information" in the Azure Active Directory Overview
    2. If you’ve invested in Azure Active Directory Premium P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Note: Classic Conditional Access policies aren’t scored. Use the recommended steps to receive credit. Follow these steps to create a Conditional Access policy from scratch or by using a template
    3. If you’re not using Azure Active Directory Premium P2 licenses, we recommend you set the status for this action to “Risk accepted”.

    I have the exact CA policy that #2 recommends. I double checked it. It matches exactly. It is "On" (not report-only).

    My theory is this score dropped when I turned off my Identity Protection Policy -- since it duplicated my CA policy. It appears this vulnerability is not correctly evaluating CA policies.

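One way to verify on the tenant side that a Conditional Access policy actually matches the user-risk template the recommendation points at (enabled rather than report-only, all users included, user risk "high" in scope, password change required). This is an added example, not code from the thread or from Microsoft; it assumes the input is the `value` array returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, and the acceptance rule is my reading of the template, not a statement of how Secure Score scores the control. The policies below are constructed sample data.

```python
"""Check exported Conditional Access policies for a tenant-wide user-risk policy.

Added example (not part of the thread). Input: the `value` list from
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
The rule mirrors the "user risk" CA template; that Secure Score applies
exactly this rule is an assumption.
"""
from __future__ import annotations
import json


def policy_gaps(policy: dict) -> list[str]:
    """Return the reasons a policy does NOT qualify as a tenant-wide
    user-risk policy. An empty list means it qualifies."""
    gaps = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}

    # Report-only ("enabledForReportingButNotEnforced") and disabled do not count.
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, not 'enabled'")
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("includeUsers does not contain 'All'")
    if "high" not in (cond.get("userRiskLevels") or []):
        gaps.append("userRiskLevels does not include 'high'")
    if "passwordChange" not in (grant.get("builtInControls") or []):
        gaps.append("grantControls.builtInControls lacks 'passwordChange'")
    return gaps


def exclusions(policy: dict) -> int:
    """Count excluded users/groups/roles; exclusions (e.g. break-glass accounts)
    are reported as information, not treated as a disqualifier."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return sum(len(users.get(k) or [])
               for k in ("excludeUsers", "excludeGroups", "excludeRoles"))


def summarize(policies: list[dict]) -> dict[str, list[str]]:
    """Map each policy displayName to its list of gaps."""
    return {p.get("displayName", "<unnamed>"): policy_gaps(p) for p in policies}


def tenant_has_user_risk_policy(policies: list[dict]) -> bool:
    """True if at least one policy has no gaps."""
    return any(not gaps for gaps in summarize(policies).values())


# Constructed sample: one template-matching policy, one report-only copy,
# and one sign-in-risk policy that is often mistaken for a user-risk policy.
SAMPLE_POLICIES = [
    {"displayName": "User risk - require password change", "state": "enabled",
     "conditions": {"userRiskLevels": ["high"],
                    "users": {"includeUsers": ["All"],
                              "excludeUsers": ["00000000-0000-0000-0000-000000000001"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
    {"displayName": "User risk - report only", "state": "enabledForReportingButNotEnforced",
     "conditions": {"userRiskLevels": ["high"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
    {"displayName": "Sign-in risk - require MFA", "state": "enabled",
     "conditions": {"signInRiskLevels": ["medium", "high"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for name, gaps in summarize(SAMPLE_POLICIES).items():
        status = "OK" if not gaps else "; ".join(gaps)
        print(f"{name}: {status}")
    print(json.dumps({"tenant_covered": tenant_has_user_risk_policy(SAMPLE_POLICIES)}))
```

To run it against a real tenant, save the Graph response's `value` array to a file and pass it to `summarize(json.load(f))`; a non-empty gap list for the policy you expect to be credited is the first thing to compare against the template before assuming the score itself is wrong.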

  3. ADM-Griffin2, Jay 151 Reputation points
    2022-08-23T20:33:18.117+00:00

    Aug 20, 2022 8:00 PM
    7.00 points regressed for Protect all users with a user risk policy because 715 more users are affected
    0/7

    This is when I turned my Identity Protection Policy off.

    My CA policy has been in place for 2 months. So it picked up that I turned off my Identity Protection policy, but it is not picking up my CA policy. The kicker is, if you click on the recommendation, the recommended action is to create a CA policy (which is what I have, but now my score has regressed).


  4. ADM-Griffin2, Jay 151 Reputation points
    2022-08-24T12:15:48.38+00:00

    @Olga Os - MSFT -- Turned on the Identity Protection Policy and my score went back up (further evidence this rule is not evaluating the CA policies -- which are the recommendation to resolve)

    Aug 23, 2022 8:00 PM
    7.00 points gained by completing Protect all users with a user risk policy. Great work!


  5. MainStageNews 0 Reputation points
    2023-05-08T16:14:00.22+00:00

    It is May 2023 and this is still a problem. I've had a CA policy in place for more than a month (same as template recommendation) and I've received no credit.

    I just turned on the setting within Identity Protection as well. I'll report back by the end of the week once credit is received.

