CISA.MS.AAD.2.1 - Users detected as high risk SHALL be blocked.
Overview
Users detected as high risk SHALL be blocked.
Rationale: Blocking users that Identity Protection has flagged as high risk prevents accounts that are likely already compromised from accessing the tenant.
Remediation action:
Create a conditional access policy blocking users categorized as high risk by the Identity Protection service. Configure the following policy settings in the new conditional access policy as per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Conditions > User risk > High
- Access controls > Grant > Block Access
Note: While CISA recommends blocking, the Microsoft recommendation is to require multi-factor authentication for high-risk users.
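The policy settings listed above, expressed as a Microsoft Graph PowerShell script. This is an added example, not code from Maester or from the CISA baseline: it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in administrator can consent to the two scopes requested, and that the policy display name is a constructed value. The read-back filter at the end is my own approximation of the policy shape the check looks for, not the logic of Test-MtCisaBlockHighRiskUser itself.

```powershell
# Added example (not Maester's or CISA's own code): create the conditional
# access policy from the remediation steps above, then read it back.
# Assumes Microsoft.Graph.Identity.SignIns is installed and that the caller
# can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$policyName = 'CISA.MS.AAD.2.1 - Block high-risk users'   # constructed display name

$params = @{
    displayName   = $policyName
    # Start in report-only mode and review sign-in logs before switching to
    # 'enabled'; a report-only policy does not block anyone and therefore does
    # not yet satisfy the requirement.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }           # Users > Include > All users
        applications   = @{ includeApplications = @('All') }    # Target resources > Cloud apps > All cloud apps
        userRiskLevels = @('high')                              # Conditions > User risk > High
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')                            # Access controls > Grant > Block Access
        # Microsoft's alternative from the note above would use @('mfa') here instead.
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
"Created policy $($policy.DisplayName) with id $($policy.Id) in state $($policy.State)"

# Read back every policy and keep those that match the required shape.
# This filter is an assumption about what the check expects, written for
# this example; it is not the test's own logic.
$matching = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.Applications.IncludeApplications -contains 'All' -and
        $_.Conditions.UserRiskLevels -contains 'high' -and
        $_.GrantControls.BuiltInControls -contains 'block'
    }

$matching | Select-Object DisplayName, State, Id

# Flag the gap if no matching policy is actually enforced.
if (-not ($matching | Where-Object State -eq 'enabled')) {
    Write-Warning 'No enabled policy blocks high-risk users; the tenant does not yet meet CISA.MS.AAD.2.1.'
}
```

After the policy is switched to `enabled`, run `Test-MtCisaBlockHighRiskUser` (or `Invoke-Maester -Tag 'CISA.MS.AAD.2.1'`) to confirm the check passes. If the tenant keeps emergency-access accounts, the usual practice is to add their object ids under `conditions.users.excludeUsers` so a false-positive risk signal cannot lock administrators out entirely; that exclusion is not part of the settings listed above, so treat it as a tenant-specific decision.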
Related links
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.2.1 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P2 |
| PowerShell test | Test-MtCisaBlockHighRiskUser |
| Tags | CISA, CISA.MS.AAD.2.1, Entra ID P2, MS.AAD, MS.AAD.2.1 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaBlockHighRiskUsers.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaBlockHighRiskUser.ps1