Is there a playbook to deploy for users to complete MFA if their sign-in is detected as being risky?


Hi, 

Is there a playbook to deploy for users to complete MFA if their sign-in is detected as being risky or suspicious? If there is, how do I test it?
4 Replies

@printscreen 

Hey,
Not really sure if this is the answer to your question, but with Azure AD Identity Protection you can create policies based on the sign-in risk or the user risk levels.

This is also integrated with Conditional Access, so you can create more specific policies for what should happen when a user signs in with a specific risk level.

 

You can read more about Identity Protection here

You can read more about risk-based conditional access here
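
The risk-based Conditional Access policy described in the reply above, as an added example that is not part of the original thread. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module), a tenant licensed for Identity Protection, and a placeholder object ID for an excluded emergency-access account. The policy is created in report-only mode so it can be tested before it is enforced.

```powershell
# Added example: sign-in-risk Conditional Access policy that requires MFA.
# Created in report-only mode so the effect can be reviewed before enforcement.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that
# must never be locked out by this policy. Replace with a real object ID.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA for medium/high sign-in risk (report-only)'
    # Report-only: the policy is evaluated and logged, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users            = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        # Sign-in risk levels, as calculated by Identity Protection, that trigger the policy.
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm what was stored before relying on it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

While the policy is in report-only mode, each sign-in's log entry shows whether the policy would have applied, which gives a way to test it without prompting or blocking users.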

@Pontus Själander, thanks for your response. I was searching for whether we have any automated playbooks to implement in Sentinel.

@printscreen Mark user accounts as compromised using Logic Apps. How do you use conditional access to enforce MFA on high-risk accounts?

@printscreen There is a playbook in the Azure Sentinel GitHub playbook repository, Azure-Sentinel/Playbooks at master · Azure/Azure-Sentinel · GitHub, called "Confirm-AADRiskyUser" that may work for you or at least give you a good starting point.