Microsoft Entra tenant with unsecure configuration of user risk policy
Cayosoft Threat Definition CTD-000101
Risk Summary
If the user risk policy is missing or too permissive, compromised accounts can continue authenticating. Microsoft recommends requiring a secure password change when user risk is High, with MFA before password writeback.
- Severity: Medium
- Platform: Entra ID
- Category: Account protection, Tenant-wide
- MITRE ATT&CK Tactics: Credential Access
- MITRE D3FEND Tactics: Application Configuration Hardening
Description
Identity Protection analyzes signals (e.g., risky sign-ins, leaked credentials) to calculate a user risk level. Administrators can enforce access controls via Conditional Access based on user risk, including blocking access or allowing access only after a secure password change. Requiring a secure password change remediates user risk and closes the risky user event, reducing alert noise for administrators.
Real-World Scenario
An attacker obtains a user’s credentials from a public dump. Identity Protection flags the account as High user risk, but the tenant lacks a Conditional Access user risk policy requiring a secure password change. The attacker keeps accessing Exchange Online and SharePoint while the risk remains open, exfiltrating sensitive files. Helpdesk resets the password without MFA-backed proof of possession, and the attacker quickly re-enters via a remembered session token. Cayosoft Guardian detects CTD-000101 and alerts the team so they can enforce a High-risk password change policy and contain the breach.
2.) Open All Alerts and search for CTD-000101 or “Microsoft Entra tenant with unsecure configuration of user risk policy.”
3.) Open any alert and Click for details (from Raise Threat Alert action).
Remediation Steps
To create a user risk policy in Conditional Access:
1.) Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2.) Browse to Protection > Conditional Access.
3.) Select New policy.
4.) Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5.) Under Assignments, select Users.
6.) Under Include, select All users.
7.) Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
8.) Select Done.
9.) Under Target resources > Include, select All cloud apps.
10.) Under Conditions > User risk, set Configure to Yes.
11.) Under Configure user risk levels needed for policy to be enforced, select High. (This guidance is based on Microsoft recommendations and may differ for each organization.)
12.) Select Done.
13.) Under Access controls, select Grant.
14.) Select Grant access, then Require multifactor authentication and Require password change.
15.) Select Select.
16.) Under Session, select Sign-in frequency.
17.) Ensure Every time is selected.
18.) Select Select.
19.) Confirm your settings and set Enable policy to On.
20.) Select Create to enable your policy.
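The settings those steps produce can also be audited programmatically. The following is an added example, not Cayosoft's or Microsoft's code: it assumes the tenant's policies have been exported in the Microsoft Graph conditionalAccessPolicy JSON shape (GET /identity/conditionalAccess/policies), and the two sample policies are constructed for the example rather than taken from a real tenant.

```python
"""Audit exported Conditional Access policies for the recommended High user-risk policy.

Added example. Input follows the Microsoft Graph conditionalAccessPolicy shape
(GET /identity/conditionalAccess/policies); the sample policies at the bottom are
constructed for this example, not exported from a real tenant.
"""
REQUIRED_CONTROLS = {"mfa", "passwordChange"}


def user_risk_policy_findings(policy: dict) -> list[str]:
    """Return how one policy falls short of the remediation steps (empty list = compliant)."""
    cond = policy.get("conditions") or {}
    if "high" not in [r.lower() for r in cond.get("userRiskLevels") or []]:
        return ["does not target High user risk"]  # not a user risk policy at all
    findings = []
    if policy.get("state") != "enabled":  # report-only or disabled policies enforce nothing
        findings.append(f"state is {policy.get('state')!r}, not enabled")
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        findings.append("does not cover all cloud apps")
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        findings.append("does not include all users")
    grant = policy.get("grantControls") or {}
    missing = REQUIRED_CONTROLS - set(grant.get("builtInControls") or [])
    if missing or grant.get("operator") != "AND":
        findings.append(f"grant must require mfa AND passwordChange (missing: {sorted(missing)})")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("sign-in frequency is not set to Every time")
    return findings


def tenant_is_secure(policies: list[dict]) -> bool:
    """True when at least one policy in the tenant passes every check."""
    return any(not user_risk_policy_findings(p) for p in policies)


# Constructed samples: a report-only block policy (insecure) and the recommended policy.
INSECURE_POLICY = {
    "displayName": "CA-UserRisk-High-Block", "state": "enabledForReportingButNotEnforced",
    "conditions": {"userRiskLevels": ["high"],
                   "applications": {"includeApplications": ["All"]},
                   "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-object-id>"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
SECURE_POLICY = {
    **INSECURE_POLICY, "displayName": "CA-UserRisk-High-PasswordChange", "state": "enabled",
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}},
}

if __name__ == "__main__":
    for p in (INSECURE_POLICY, SECURE_POLICY):
        print(p["displayName"], user_risk_policy_findings(p) or "compliant")
```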
How to Prevent It
Cayosoft Guardian can proactively detect and alert on “Microsoft Entra tenant with unsecure configuration of user risk policy.” It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for 200+ misconfigurations, providing early warning before attackers can exploit them.
FAQ
Microsoft recommends enforcing a secure password change when user risk = High, ensuring the account owner verifies identity through MFA before password writeback.
Conditional Access Administrator (or higher, such as Global Administrator) can create or edit user risk–based Conditional Access policies.
Yes. Always exclude emergency access accounts to prevent accidental lockout during incidents or outages.
Yes, Cayosoft Guardian Protector.
References
- Microsoft Entra admin center: https://entra.microsoft.com/
- Conditional Access Administrator role permissions: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#conditional-access-administrator
- Choosing acceptable risk levels for risk policies: https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies#choosing-acceptable-risk-levels
Final Thought
Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like “Microsoft Entra tenant with unsecure configuration of user risk policy,” you reduce your attack surface and strengthen your organization’s overall security posture.