Commit

Merge pull request #5936 from MicrosoftDocs/MicrosoftGuyJFlo-patch-84
Update policy from include
prmerger-automator[bot] authored Nov 12, 2024
2 parents 8609781 + 1c37385 commit 33129e9
Showing 1 changed file with 15 additions and 7 deletions.
@@ -64,18 +64,26 @@ To make sure that your policy works as expected, the recommended best practice i

### Policy 3: Sign-in frequency control every time risky user

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Protection** > **Conditional Access** > **Policies**.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Protection** > **Conditional Access**.
1. Select **New policy**.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
1. Under **Assignments**, select **Users or workload identities**.
1. Under **Include**, select **All users**.
1. Under **Exclude**, select **Users and groups** and choose your organization's [emergency access or break-glass accounts](~/identity/role-based-access-control/security-emergency-access.md).
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Select **Done**.
1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**.
1. Under **Conditions** > **User risk**, set **Configure** to **Yes**. Under **Configure user risk levels needed for policy to be enforced** select **High**, then select **Done**.
1. Under **Access controls** > **Grant**, select **Grant access**, **Require password change**, and select **Select**.
1. Under **Session controls** > **Sign-in frequency**, select **Every time**.
1. Under **Cloud apps or actions** > **Include**, select **All resources (formerly 'All cloud apps')**.
1. Under **Conditions** > **User risk**, set **Configure** to **Yes**.
1. Under **Configure user risk levels needed for policy to be enforced**, select **High**. [This guidance is based on Microsoft recommendations and might be different for each organization](../../id-protection/howto-identity-protection-configure-risk-policies.md#choosing-acceptable-risk-levels)
1. Select **Done**.
1. Under **Access controls** > **Grant**, select **Grant access**.
1. Select **Require authentication strength**, then select the built-in **Multifactor authentication** authentication strength from the list.
1. Select **Require password change**.
1. Select **Select**.
1. Under **Session**.
1. Select **Sign-in frequency**.
1. Ensure **Every time** is selected.
1. Select **Select**.
1. Confirm your settings and set **Enable policy** to **Report-only**.
1. Select **Create** to create to enable your policy.
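
Review bot: the resource step in the new text reads "Under **Cloud apps or actions** > **Include**", while the line it replaces used "**Target resources** > **Resources (formerly cloud apps)**" and the value selected in that same step is still "**All resources (formerly 'All cloud apps')**", so the step now mixes two naming generations; keep the **Target resources** wording, or confirm which label the portal shows and align both halves of the step. The new grant steps select both **Require authentication strength** and **Require password change** but never say how the two controls combine, so add a step telling the reader to confirm that all selected controls are required before choosing **Select**. The replacement **Exclude** step drops the link to `security-emergency-access.md` that the removed line carried; that link is the only pointer to what a break-glass account is, so it should stay. Smaller points: "1. Under **Session**." is a fragment and should be merged with the following step ("Under **Session**, select **Sign-in frequency**."), the linked sentence about risk levels has no closing period, and its `../../id-protection/` relative path is inconsistent with the `~/identity/` form this same change introduces in step 1.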
