Version: 2.1.0

CISA.MS.AAD.2.2 - A notification SHOULD be sent to the administrator when high-risk users are detected.

Overview

A notification SHOULD be sent to the administrator when high-risk users are detected.

Rationale: Notification enables the admin to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur.

Remediation action:

Follow the guide below to configure Entra ID Protection to send a regularly monitored security mailbox email notification when user accounts are determined to be high risk.

Configure Entra Identity Protection Notifications - Microsoft Learn

CISA Risk Based Policies - MS.AAD.2.2v1
CISA ScubaGear Rego Reference

Test Metadata

Field	Value
Test ID	CISA.MS.AAD.2.2
Severity	High
Suite	CISA
Category	Entra ID P2
PowerShell test	Test-MtCisaNotifyHighRisk
Tags	CISA, CISA.MS.AAD.2.2, Entra ID P2, MS.AAD, MS.AAD.2.2

Source

Pester test: tests/cisa/entra/Test-MtCisaNotifyHighRiskUsers.Tests.ps1
PowerShell source: powershell/public/cisa/entra/Test-MtCisaNotifyHighRisk.ps1

Overview​

Remediation action:​

Related links​

Test Metadata​

Source​

Overview

Remediation action:

Related links

Test Metadata

Source