Is there a playbook to deploy for users to complete MFA if their sign-in is detected as being risky


Hi, 

Is there a playbook to deploy for users to complete MFA if their sign-in is detected as being risky or suspicious? If it is, how to test it?

@printscreen 

Hey,
Not really sure if this is the answer to your question, but with Azure AD Identity Protection you can create policies based on the sign-in risk or the user risk levels.

This is also integrated with Conditional Access, so you can create more specific policies about what should happen when a user signs in with a specific risk level.


You can read more about Identity Protection here: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

You can read more about risk-based conditional access here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk

@Pontus Själander, Thanks for your response. I was searching for whether we have any automated playbooks to implement in Sentinel.

@printscreen Mark user accounts as compromised using Logic Apps. How do you use conditional access to enforce MFA on high-risk accounts?

@printscreen There is a playbook in the Azure Sentinel GitHub playbook repository (https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks) called "Confirm-AADRiskyUser" that may work for you or at least give you a good starting point.
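The thread combines two mechanisms: a risk-based Conditional Access policy that forces MFA at sign-in time (Pontus's reply), and a Sentinel playbook that marks the account compromised so Identity Protection raises its user risk to high (the Confirm-AADRiskyUser pointer). The following is an added example, not code from the thread or from the Azure-Sentinel repository, showing the Microsoft Graph requests behind both, with the policy created in report-only mode first so it can be tested before it blocks anyone. Assumptions are labelled: the `transport` callable stands in for an authenticated HTTP client (the verifier runs it against an offline fake), the incident entity list is constructed sample data shaped like Sentinel Account entities with an `aadUserId` property, and the break-glass object ID is a placeholder.

```python
"""Risk-based MFA in Conditional Access plus confirm-compromised from a Sentinel incident.

Added example: Graph endpoints and JSON shapes are the documented v1.0 ones; the HTTP
client is abstracted behind `transport` so this runs offline. Entity shape is assumed.
"""
import json
from typing import Callable, Dict, Iterable, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
VALID_RISK_LEVELS = {"low", "medium", "high"}
# Assumption: object ID of an emergency-access account that must never be risk-blocked.
BREAK_GLASS_IDS = ["00000000-0000-4000-8000-00000000be9a"]

# transport(method, url, json_body) -> (status_code, response_text); real deployments
# wrap requests/httpx with a bearer token for Policy.ReadWrite.ConditionalAccess and
# IdentityRiskyUser.ReadWrite.All (assumed scopes, not from the thread).
Transport = Callable[[str, str, Dict], Tuple[int, str]]


def build_sign_in_risk_mfa_policy(
    risk_levels: Iterable[str] = ("medium", "high"),
    display_name: str = "Sign-in risk: require MFA",
    state: str = "enabledForReportingButNotEnforced",  # test in report-only mode first
) -> Tuple[str, str, Dict]:
    """Return (method, url, body) creating a CA policy that requires MFA at given sign-in risk."""
    levels = list(risk_levels)
    bad = set(levels) - VALID_RISK_LEVELS
    if bad:
        raise ValueError(f"unknown signInRiskLevels: {sorted(bad)}")
    if state not in {"enabled", "disabled", "enabledForReportingButNotEnforced"}:
        raise ValueError(f"unknown policy state: {state}")
    body = {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "signInRiskLevels": levels,
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_IDS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    return "POST", f"{GRAPH}/identity/conditionalAccess/policies", body


def extract_aad_user_ids(entities: List[Dict]) -> List[str]:
    """Collect distinct Entra object IDs from the Account entities of a Sentinel incident."""
    ids: List[str] = []
    for ent in entities:
        if ent.get("kind") != "Account":
            continue
        uid = ent.get("properties", {}).get("aadUserId")
        if uid and uid not in ids:
            ids.append(uid)
    return ids


def build_confirm_compromised_request(user_ids: List[str]) -> Tuple[str, str, Dict]:
    """Return the Identity Protection call that sets user risk to high for the given IDs."""
    if not user_ids:
        raise ValueError("no user IDs to confirm as compromised")
    url = f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised"
    return "POST", url, {"userIds": list(user_ids)}


def send(transport: Transport, method: str, url: str, body: Dict) -> int:
    """Send one request and fail loudly on anything but a success status."""
    status, text = transport(method, url, body)
    if status not in (200, 201, 204):
        raise RuntimeError(f"{method} {url} -> {status}: {text[:200]}")
    return status


def run_playbook(entities: List[Dict], transport: Transport) -> List[str]:
    """Playbook body: confirm every account entity in the incident as compromised."""
    ids = extract_aad_user_ids(entities)
    if not ids:
        return []  # nothing to act on; do not call Graph with an empty list
    send(transport, *build_confirm_compromised_request(ids))
    return ids


class FakeGraph:
    """Offline stand-in: records calls and answers with Graph's real success codes."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict]] = []

    def __call__(self, method: str, url: str, body: Dict) -> Tuple[int, str]:
        self.calls.append((method, url, body))
        if url.endswith("/conditionalAccess/policies"):
            return 201, json.dumps({"id": "policy-id-from-graph"})
        if url.endswith("/confirmCompromised"):
            return 204, ""
        return 404, "not found"


# Constructed sample incident entities (not real data): two Account entities for the
# same user plus an Ip entity that must be ignored.
SAMPLE_ENTITIES = [
    {"kind": "Account", "properties": {"accountName": "jdoe",
     "upnSuffix": "contoso.example", "aadUserId": "11111111-1111-4111-8111-111111111111"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
    {"kind": "Account", "properties": {"accountName": "jdoe",
     "aadUserId": "11111111-1111-4111-8111-111111111111"}},
]

if __name__ == "__main__":
    graph = FakeGraph()
    send(graph, *build_sign_in_risk_mfa_policy())
    print("confirmed compromised:", run_playbook(SAMPLE_ENTITIES, graph))
    print(json.dumps(graph.calls, indent=2))
```

The policy is created as `enabledForReportingButNotEnforced` on purpose: in report-only mode the sign-in logs show which sessions would have been challenged, so the policy can be validated against real risky sign-ins before switching `state` to `enabled`. The playbook half returns early rather than calling `confirmCompromised` with an empty `userIds` list, and de-duplicates the object ID when the same account appears in several entities.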