Microsoft Entra Conditional Access has a user risk-based policy that targets All users and All applications, evaluates High user risk, and actively enforces controls requiring both multifactor authentication and a secure password change with an AND condition.
Risk
Without an active High user-risk policy that forces MFA and secure password reset, compromised identities can persist, enabling data exfiltration, tampering, and privilege escalation. Report-only mode or narrow scope leaves gaps, undermining confidentiality and integrity across resources.
prowler m365 --checks entra_identity_protection_user_risk_enabled
Recommendation
Adopt least privilege by enabling an active user-risk policy that:
- covers All users and apps (exclude only break-glass accounts)
- triggers on High user risk
- requires MFA and a secure password change together
- reauthenticates risky sessions
Pair with sign-in risk policies, ensure MFA registration, and review risky-user reports to validate effectiveness.
Remediation
- Sign in to the Microsoft Entra admin center and go to Protection > Conditional Access > Policies
- Click New policy
- Users or workload identities: select All users
- Target resources (Cloud apps): select All cloud apps
- Conditions > User risk: set Configure to Yes and select High
- Access controls > Grant: select Grant access, then check Require multifactor authentication and Require password change; set Require all selected controls
- Enable policy: On, then click Create
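The remediation above produces a policy object that can be audited programmatically. The following is an added example, not Prowler's own check code: it evaluates Conditional Access policies in the JSON shape returned by Microsoft Graph (`/identity/conditionalAccess/policies`) against the conditions this check expects (enabled, All users, All cloud apps, High user risk, `mfa` and `passwordChange` combined with `AND`). The sample policies are constructed; the break-glass object id is a placeholder.

```python
"""Audit Conditional Access policies for an enforced High user-risk policy
that requires MFA and a password change together (added example)."""
from typing import Iterable

# Constructed sample policies in the Microsoft Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES = [
    {   # Report-only and OR-combined controls: should fail the check.
        "displayName": "Risky users - report only",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "passwordChange"]},
    },
    {   # Matches the remediation steps: should pass the check.
        "displayName": "High user risk - MFA + password change",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-object-id>"]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    },
]


def policy_findings(policy: dict) -> list[str]:
    """Return the reasons a policy does not satisfy the check (empty list = compliant)."""
    reasons = []
    if policy.get("state") != "enabled":  # report-only or disabled policies enforce nothing
        reasons.append("not enforced (state=%s)" % policy.get("state"))
    cond = policy.get("conditions", {})
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        reasons.append("does not include all users")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        reasons.append("does not include all cloud apps")
    if "high" not in [lvl.lower() for lvl in cond.get("userRiskLevels", [])]:
        reasons.append("does not target High user risk")
    grant = policy.get("grantControls") or {}
    if not {"mfa", "passwordChange"} <= set(grant.get("builtInControls", [])):
        reasons.append("missing mfa and/or passwordChange control")
    if grant.get("operator") != "AND":  # OR would let either control alone satisfy the grant
        reasons.append("controls not combined with AND")
    return reasons


def user_risk_policy_enabled(policies: Iterable[dict]) -> bool:
    """True if at least one policy in the tenant satisfies every condition."""
    return any(not policy_findings(p) for p in policies)
```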
Source Code
Resource Type
NotDefined
References