Task / Project on Identity Protection.

TASK 1

Create an admin unit called Regional Office. Add members of the tenant to the admin unit and assign a member of the admin unit the User Administrator role, scoped to the admin unit. The assigned user admin should not hold any existing role at the tenant level. The User Admin for the admin unit should sign in with their own account and test editing the user properties of members of the admin unit.

TASK 2

For this task, ensure members of the tenant have SSPR enabled. Create a password policy that restricts the use of the following words: admin, test, password. Members of the tenant should then try to reset their passwords using the restricted words in combination with other characters.

TASK 3

Implement Identity Protection user risk and sign-in risk policies for users in a tenant using Conditional Access. Set the risk level to High for this policy. Simulate an anonymous IP sign-in for 2 users.

These tasks are executed as follows, and the steps are shown in the screenshots.

TASK 1

Create an admin unit called Regional Office. Add members of the tenant to the admin unit and assign a member of the admin unit the User Administrator role, scoped to the admin unit. The assigned user admin should not hold any existing role at the tenant level. The User Admin for the admin unit should sign in with their own account and test editing the user properties of members of the admin unit.

To create the admin unit,

Log in to the Microsoft Entra admin center. Expand Identity, expand Roles & admins, select Admin units, then select Add.

In the Add administrative unit pane, under Properties, fill in the Name and Description, select Review + create, then select Create.

The Administrative Unit named Regional Office is created.

To add members to the admin unit,

Open the admin unit you just created and select Add members. Select the members you want to add and click Select. Only users who are members of the unit are in scope for the roles assigned inside it, so add the future User Admin's targets here before testing.

To assign a member the User Administrator role, scoped to the admin unit,

Open the Regional Office admin unit, select Roles and administrators in its menu, and select User Administrator. Doing this from inside the admin unit is what scopes the role to the unit; the tenant-level Roles and administrators page would instead grant User Administrator across the whole directory, which the task explicitly forbids.

In the User Administrator pane select Add assignments, select the member, and click Select. Go to Next, set the assignment type to Active, and select Assign. Before assigning, check the member's Assigned roles page to confirm they hold no directory-scoped role; after assigning, the entry there should show its scope as the Regional Office admin unit rather than Directory.
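The same Task 1 provisioning done with Microsoft Graph PowerShell instead of the portal. This is an added example and not part of the original post: the UPNs are placeholders for users in your own tenant, it assumes the Microsoft.Graph module and a caller holding Privileged Role Administrator, and it checks the "no tenant-level role" requirement before granting the scoped role.

```powershell
# Added example (not from the original post). Placeholder UPNs; replace with users in your tenant.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

$memberUpns     = @("aishat@contoso.onmicrosoft.com", "edosa@contoso.onmicrosoft.com")  # placeholder UPNs
$scopedAdminUpn = "abe.bush@contoso.onmicrosoft.com"                                      # placeholder UPN

# 1. Create the administrative unit
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Regional Office" -Description "Regional Office admin unit"

# 2. Add the members (including the future scoped admin) by reference
foreach ($upn in ($memberUpns + $scopedAdminUpn)) {
    $u = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)" }
}

# 3. Guard: the task requires that the scoped admin holds no role at the tenant level.
#    Directory-wide assignments have DirectoryScopeId "/" ; AU-scoped ones use "/administrativeUnits/<id>".
$admin = Get-MgUser -UserId $scopedAdminUpn
$tenantRoles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Where-Object { $_.DirectoryScopeId -eq "/" }
if ($tenantRoles) {
    throw "$scopedAdminUpn already holds tenant-scoped role(s): $($tenantRoles.RoleDefinitionId -join ', ')"
}

# 4. Assign User Administrator scoped to the AU only.
#    fe930be7-... is the well-known built-in template id of the User Administrator role.
$userAdminRoleId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $userAdminRoleId `
    -PrincipalId $admin.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 5. Show exactly what was granted and at which scope
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The DirectoryScopeId is the check a reviewer would ask for: the final listing must show `/administrativeUnits/<id>` and no `/` entry for this principal. Creating the assignment through the role-management endpoint produces a permanent active assignment, which matches the Active assignment type chosen in the portal steps above.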

The second part of Task 1 is for the User Admin to sign in with their own account and test editing the user properties of members of the admin unit.

The User Admin was able to sign in and edit the properties of the members of the admin unit.

Aishat's user type was changed from Member to Guest, and

Edosa had an initial, A., added to his first name.

TASK 2

For this task, ensure members of the tenant have SSPR enabled. Create a password policy that restricts the use of the following words: admin, test, password. Members of the tenant should then try to reset their passwords using the restricted words in combination with other characters.

This task is executed in the following steps. First, enable SSPR for members of the tenant.

Log in to the M365 admin center, navigate to Settings, expand the dropdown, and select Org settings. Select the Security & privacy tab, select Self-service password reset, then select Go to the Azure portal to turn on self-service password reset. Under Password reset > Properties, set Self service password reset enabled to All and select Save.

To create a password policy that restricts the use of the words admin, test and password,

Log in to the Entra admin center, navigate to Protection, expand the dropdown, select Authentication methods, then select Password protection. Set the Lockout threshold and the Lockout duration in seconds (these are the smart lockout settings; they are not required by the task but sit on the same page). Under Custom banned password list, set Enforce custom list to Yes, enter the restricted words one per line, set Mode to Enforced (Audit only logs violations without rejecting the password), and select Save.

Two things to know before testing. The custom banned password list needs a Microsoft Entra ID P1 or P2 licence; the global banned list, which already contains "password", applies to every tenant. And the check is not a plain substring match: the candidate password is lowercased and common substitutions (0 to o, 1 to l, $ to s, @ to a) are undone, so P@ssw0rd is still treated as password; the result is then scored with one point per banned term found plus one point per remaining character, and fewer than five points means rejection. That is why a banned word padded with only a few extra characters still fails.

Members Abe Bush and Aishat L. tried to reset their passwords using the restricted words above but got this error message.
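To see why a banned word plus a few extra characters still gets rejected, here is a simplified re-implementation of the normalization and scoring that Microsoft documents for Entra password protection. It is an added illustration, not Microsoft's code and not from the original post: the sample passwords are constructed, the "global list" is a made-up stand-in, and the real service additionally fuzzy-matches banned terms (edit distance of one), checks the user's first name, last name and tenant name, and uses the full global list, so it can reject strings this scorer accepts.

```powershell
# Added example (not from the original post): simplified model of Entra password protection scoring.
$customBanned = @("admin", "test", "password")        # the Task 2 custom list
$globalSample = @("qwerty", "letmein", "welcome")     # constructed stand-in for Microsoft's global list

# Longest terms first so "password" is matched before any shorter term could split it
$banned = @(($customBanned + $globalSample) | Sort-Object { $_.Length } -Descending | Select-Object -Unique)

function ConvertTo-NormalizedPassword([string]$Password) {
    # Documented normalization: lowercase, then undo 0->o, 1->l, $->s, @->a
    return $Password.ToLowerInvariant().Replace('0', 'o').Replace('1', 'l').Replace('$', 's').Replace('@', 'a')
}

function Get-PasswordScore([string]$Password) {
    $n = ConvertTo-NormalizedPassword $Password
    $found = @()
    $i = 0
    # Leftmost, longest, non-overlapping banned-term matches over the normalized string
    while ($i -lt $n.Length) {
        $hit = $banned | Where-Object { $n.Substring($i).StartsWith($_) } | Select-Object -First 1
        if ($hit) { $found += $hit; $i += $hit.Length } else { $i++ }
    }
    $coveredChars = [int](($found | Measure-Object -Property Length -Sum).Sum)
    # Documented scoring: 1 point per banned term found + 1 point per character not inside a banned term;
    # the password is rejected if it scores fewer than 5 points.
    $score = $found.Count + ($n.Length - $coveredChars)
    [pscustomobject]@{
        Password    = $Password
        Normalized  = $n
        BannedTerms = ($found -join ',')
        Score       = $score
        Accepted    = ($score -ge 5)
    }
}

# Constructed candidates of the kind the members tried: banned word plus a few other characters
"P@ssw0rd123", "Admin123", "TestAdmin1", "Test@2024", "Regional#Office9" |
    ForEach-Object { Get-PasswordScore $_ } | Format-Table -AutoSize
```

Under this model P@ssw0rd123, Admin123 and TestAdmin1 score four, four and three points and are rejected, while Test@2024 scores six and passes: the banned term counts as a single point no matter how long it is, so only the characters outside it buy acceptance. Run a real reset against the tenant for the final word; the portal error in the screenshot is the authoritative check.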

TASK 3

Implement Identity Protection user risk and sign-in risk policies for users in a tenant using Conditional Access. Set the risk level to High for this policy.

Simulate an anonymous IP sign-in for 2 users.

To implement this task using Conditional Access,

Log in to the Entra admin center, navigate to Protection, expand the dropdown, select Conditional Access, then select Create new policy.

Next, set up the policy as required: Name, Users, Target resources, Conditions, Access controls and so on. Under Conditions, set the user risk and sign-in risk levels to High respectively and select Done, select Block access under Grant, set Enable policy to On, and select Create. Risk conditions in Conditional Access require Microsoft Entra ID P2. Be aware that every condition configured in a single policy must match for it to apply, so a policy with both user risk High and sign-in risk High only fires on a sign-in where both are high. Microsoft's recommended design is one policy per risk type: user risk leading to a secured password change (multifactor authentication followed by a password change) and sign-in risk leading to multifactor authentication. Exclude a break-glass account from any blocking policy so you cannot lock yourself out.

To view the policy you created, go to Policies and select it.
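The Task 3 policy created with Microsoft Graph PowerShell, first in report-only mode, next to the split design Microsoft recommends. This is an added example and not from the original post; it assumes Entra ID P2, the Microsoft.Graph module, and a placeholder break-glass account UPN to exclude.

```powershell
# Added example (not from the original post). Requires Entra ID P2; break-glass UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$breakGlass = (Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com").Id   # placeholder UPN
$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
$allApps = @{ includeApplications = @("All") }

# Policy as described in the post: BOTH risk conditions must be High for it to apply.
# Created in report-only mode so the would-be result shows up in the sign-in log without enforcing.
$combined = @{
    displayName   = "Block High user risk AND High sign-in risk (as in post)"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" to enforce
    conditions    = @{
        users            = $allUsersExceptBreakGlass
        applications     = $allApps
        userRiskLevels   = @("high")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $combined | Select-Object DisplayName, State

# Microsoft's recommended split: one policy per risk type, each with its own control.
# Graph requires passwordChange to be combined with mfa using the AND operator.
$userRisk = @{
    displayName   = "User risk High - secured password change"
    state         = "enabled"
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = $allApps
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}
$signInRisk = @{
    displayName   = "Sign-in risk Medium and above - require MFA"
    state         = "enabled"
    conditions    = @{
        users            = $allUsersExceptBreakGlass
        applications     = $allApps
        signInRiskLevels = @("high", "medium")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRisk   | Select-Object DisplayName, State
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRisk | Select-Object DisplayName, State

# Review every risk-based policy in the tenant and the levels each one keys on
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.UserRiskLevels -or $_.Conditions.SignInRiskLevels } |
    Select-Object DisplayName, State,
        @{ n = 'UserRisk';   e = { $_.Conditions.UserRiskLevels -join ',' } },
        @{ n = 'SignInRisk'; e = { $_.Conditions.SignInRiskLevels -join ',' } }
```

The sign-in risk policy is set to Medium and above on purpose: that is the level Microsoft's own simulation guidance pairs with the Tor test, whereas a High-only policy is not guaranteed to react to an anonymous IP sign-in.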

Simulate an anonymous IP sign-in for 2 users.

Simulation is simply testing what you have configured, and there are two ways to do it. Report-only mode evaluates the policy against real sign-ins without enforcing it and records the would-be result in the Conditional Access tab of each sign-in log entry (the aggregated Conditional Access insights workbook additionally needs a Log Analytics workspace in an Azure subscription). The other way, following Microsoft's documentation on simulating risk detections, is to sign in through the Tor Browser so that Identity Protection raises an anonymous IP address detection and the policy is exercised for real.

To execute this task, we use the Tor Browser to simulate the sign-ins for the 2 users. You might have to use a virtual machine if your organization restricts the use of the Tor Browser.

First, install the Tor Browser and create two new users who are not covered by an MFA requirement, so that only the risk policy can interfere with the sign-in, before using them to simulate. The two new users successfully logged in to the app dashboard using the Tor Browser. Note that Microsoft's simulation guidance pairs the Tor test with a sign-in risk policy at Medium and above; a policy that fires only on High risk, and only when user risk is also High, will not necessarily block a Tor sign-in even though the detection is recorded.

To see the result of the simulation,

Go to Protection > Identity Protection. Under Report, select Risky sign-ins or Risk detections to see the risk level and the detection type (an anonymous IP address detection for the Tor sign-ins). Detections can take a few minutes to appear; Microsoft's simulation guidance says to allow 10 to 15 minutes. The same sign-ins also appear in the sign-in logs with the risk level applied in real time and the result of each Conditional Access policy, which is the place to confirm whether the block actually fired.
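Checking the outcome of the simulation from the Graph side rather than the dashboard, as an added example that is not from the original post. The two UPNs are placeholders for the test users; it assumes Entra ID P2 and consent for the risk-event and audit-log scopes.

```powershell
# Added example (not from the original post). Placeholder UPNs for the two Tor test users.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "AuditLog.Read.All"

$testUsers = @("tortest1@contoso.onmicrosoft.com", "tortest2@contoso.onmicrosoft.com")  # placeholder UPNs

# 1. Anonymous IP detections (Tor / anonymizer VPN) raised by Identity Protection, narrowed to the test users.
#    riskEventType 'anonymizedIPAddress' is the detection the Tor sign-in should produce.
Get-MgRiskDetection -Filter "riskEventType eq 'anonymizedIPAddress'" -All |
    Where-Object { $testUsers -contains $_.UserPrincipalName } |
    Select-Object UserPrincipalName, RiskEventType, RiskLevel, RiskState, IpAddress, DetectedDateTime |
    Format-Table -AutoSize

# 2. The sign-ins themselves: the risk level assigned in real time and what each Conditional Access
#    policy decided (Result is 'failure' for an enforced block, 'reportOnlyFailure' for a report-only one).
foreach ($upn in $testUsers) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 5 |
        Select-Object CreatedDateTime, IpAddress, RiskLevelDuringSignIn, RiskState, ConditionalAccessStatus,
            @{ n = 'Policies'; e = { ($_.AppliedConditionalAccessPolicies |
                ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; ' } } |
        Format-Table -Wrap
}
```

If the detection is present but RiskLevelDuringSignIn is below high, or the combined policy shows notApplied, that explains a Tor sign-in that still succeeded against a High-only policy.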

Thanks for viewing. Kindly like and comment.

My Name is Theodora Egburedi

M365 Technical Support Engineer.

Written by Theodora Egburedi

M365 Technical Support Expert with hands-on experience in IT support. Proficient in managing and troubleshooting various M365 services, including Exchange Online, SharePoint, Teams, and OneDrive. Committed to providing excellent technical assistance and ensuring seamless user experiences.