MS-102 Phase 6
Module 40
Secure Score & Identity Protection
Microsoft Secure Score: measure and improve the tenant's security posture; Entra ID Identity Protection: detect risky users and sign-ins and remediate them automatically.
Scenario – VinaCorp
VinaCorp's Secure Score is 42/100. The CISO wants it at 65 within 3 months. IT needs to: identify the top 5 actions with the highest return on effort, implement them, and configure Identity Protection to block high-risk sign-ins automatically.
Microsoft Secure Score
A points total against a tenant-specific maximum, reported as a percentage that measures the tenant's security posture: (points achieved / max possible points) × 100. Points come from improvement actions; a partially completed action earns a proportional share of its points, so the percentage rarely reaches 100.
Improvement Action categories
| Category | Example actions | Typical points |
|---|---|---|
| Identity | Require MFA for admins, Enable SSPR, Block legacy auth | 5–15 pts/action |
| Devices | Require device compliance, Enable MDE sensors | 3–10 pts |
| Apps | Disable app consent for unverified publishers | 4–8 pts |
| Data | Apply sensitivity labels, Enable DLP | 3–6 pts |
| Infrastructure | Enable the unified audit log, Restrict SharePoint external sharing | 2–5 pts |
Top 5 Quick Wins for VinaCorp (Graph PowerShell)
Connect-MgGraph -Scopes "SecurityEvents.Read.All"
# Controls with the lowest completion percentage (0 = not started); -Top 1 returns the newest daily snapshot.
# scoreInPercentage and total are open-type fields on controlScore, so the SDK exposes them via AdditionalProperties.
$actions = Get-MgSecuritySecureScore -Top 1 |
Select-Object -ExpandProperty ControlScores |
Select-Object ControlName,
@{N='ScoreInPercentage';E={$_.AdditionalProperties['scoreInPercentage']}},
@{N='Total';E={$_.AdditionalProperties['total']}} |
Sort-Object ScoreInPercentage |
Select-Object -First 10
$actions | Format-Table -AutoSize
ControlName ScoreInPercentage Total
----------- ----------------- -----
RequireMFAForAdmins 0 10
BlockLegacyAuthentication 0 8
EnableSelfServicePasswordReset 0 7
RequireCompliantDevice 12 15
EnablePasswordHashSync 100 5
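Completion percentage alone does not say which action is worth doing first: what matters is how many points are still available and how expensive the action is. The following is an added example, not course material, that joins the latest secure score with the control profiles (which carry maxScore, implementationCost and userImpact), ranks the open actions by available points per unit of cost, and shows the cumulative percentage reached toward the 65% target. The cost weights are an assumption for the ranking; the sample data is constructed in the shape of the Graph JSON. The live path assumes Connect-MgGraph with SecurityEvents.Read.All.

```powershell
# Added example, not part of the course material: rank Secure Score improvement
# actions by points still available per unit of implementation cost, then show
# the cumulative percentage the cheapest actions reach against a target.
# Assumes the Microsoft Graph PowerShell SDK and Connect-MgGraph with
# SecurityEvents.Read.All for the live path; the sample data below is constructed.

function Get-SecureScoreSnapshot {
    # Raw REST calls return hashtables with the JSON field names, which sidesteps
    # SDK property typing; control profiles are paged, so follow @odata.nextLink.
    $score = (Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/security/secureScores?$top=1').value[0]
    $profiles = @()
    $uri = 'https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $profiles += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return @{ Score = $score; Profiles = $profiles }
}

function Get-QuickWins {
    param(
        [Parameter(Mandatory)] $Score,     # secureScore: currentScore, maxScore, controlScores[]
        [Parameter(Mandatory)] $Profiles,  # secureScoreControlProfile[]: id, maxScore, implementationCost, userImpact, deprecated
        [double] $TargetPercent = 65,
        [int] $Top = 5
    )
    # Weighting of implementationCost is an assumption for the ranking, not a Graph value
    $costWeight = @{ Low = 1; Moderate = 2; High = 3; Unknown = 2 }
    $byId = @{}
    foreach ($p in $Profiles) { $byId[$p.id] = $p }   # profile id == controlScore.controlName

    $candidates = foreach ($c in $Score.controlScores) {
        $p = $byId[$c.controlName]
        if (-not $p -or $p.deprecated) { continue }
        $available = [double]$p.maxScore - [double]$c.score
        if ($available -le 0) { continue }               # already fully scored
        $cost = if ($p.implementationCost) { $p.implementationCost } else { 'Unknown' }
        [pscustomobject]@{
            Control    = $c.controlName
            Category   = $c.controlCategory
            Available  = [math]::Round($available, 1)
            Cost       = $cost
            UserImpact = $p.userImpact
            Roi        = [math]::Round($available / $costWeight[$cost], 2)
        }
    }

    $ranked  = @($candidates | Sort-Object Roi -Descending | Select-Object -First $Top)
    $running = [double]$Score.currentScore
    $max     = [double]$Score.maxScore
    foreach ($r in $ranked) {
        $running += $r.Available
        $pct = [math]::Round($running / $max * 100, 1)
        $r | Add-Member -NotePropertyName CumulativePercent -NotePropertyValue $pct
        $r | Add-Member -NotePropertyName ReachesTarget     -NotePropertyValue ($pct -ge $TargetPercent)
    }
    return $ranked
}

# Constructed sample data in the shape of the Graph JSON; values are illustrative
$sampleScore = @{
    currentScore  = 42.1; maxScore = 92
    controlScores = @(
        @{ controlName = 'AdminMFAV2';                controlCategory = 'Identity'; score = 0 },
        @{ controlName = 'BlockLegacyAuthentication'; controlCategory = 'Identity'; score = 0 },
        @{ controlName = 'SelfServicePasswordReset';  controlCategory = 'Identity'; score = 0 },
        @{ controlName = 'RequireCompliantDevice';    controlCategory = 'Device';   score = 1.8 },
        @{ controlName = 'PasswordHashSync';          controlCategory = 'Identity'; score = 5 }
    )
}
$sampleProfiles = @(
    @{ id = 'AdminMFAV2';                maxScore = 10; implementationCost = 'Low';      userImpact = 'Low';      deprecated = $false },
    @{ id = 'BlockLegacyAuthentication'; maxScore = 8;  implementationCost = 'Low';      userImpact = 'Moderate'; deprecated = $false },
    @{ id = 'SelfServicePasswordReset';  maxScore = 7;  implementationCost = 'Moderate'; userImpact = 'Low';      deprecated = $false },
    @{ id = 'RequireCompliantDevice';    maxScore = 15; implementationCost = 'High';     userImpact = 'High';     deprecated = $false },
    @{ id = 'PasswordHashSync';          maxScore = 5;  implementationCost = 'Low';      userImpact = 'Low';      deprecated = $false }
)

Get-QuickWins -Score $sampleScore -Profiles $sampleProfiles | Format-Table -AutoSize
# Live tenant: $snap = Get-SecureScoreSnapshot; Get-QuickWins -Score $snap.Score -Profiles $snap.Profiles
```

With the constructed data, the two cheapest identity actions (admin MFA and blocking legacy auth) alone lift 42.1/92 to 60.1/92, i.e. past the 65% target, while the 15-point device compliance control ranks lower because of its high cost and user impact. Run the live path against the tenant and re-check `ReachesTarget` after each rollout rather than trusting the projection.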
# Score history over time (last 30 daily snapshots; the API returns newest first)
Get-MgSecuritySecureScore -Top 30 |
Select-Object CreatedDateTime, CurrentScore, MaxScore,
@{N='Percentage';E={[math]::Round($_.CurrentScore/$_.MaxScore*100,1)}} |
Sort-Object CreatedDateTime |
Format-Table -AutoSize
CreatedDateTime CurrentScore MaxScore Percentage
--------------- ------------ -------- ----------
2026-03-21 38.5 92 41.8
2026-04-01 40.2 92 43.7
2026-04-15 42.1 92 45.8
2026-04-20 42.1 92 45.8
Entra ID Identity Protection
Risk Detection Types
| Detection | Risk type | Description |
|---|---|---|
| Leaked credentials | User risk | The user's password was found in a dark-web dump or on a paste site |
| Atypical (impossible) travel | Sign-in risk | Two sign-ins from locations too far apart to travel between in the elapsed time |
| Anonymous IP address | Sign-in risk | Sign-in through Tor or an anonymizing VPN/proxy |
| Unfamiliar sign-in properties | Sign-in risk | Browser, OS, IP/ASN or location differs from the user's recent sign-in history |
| Malicious IP address | Sign-in risk | IP with a bad reputation or high sign-in failure rate (replaces the deprecated "malware linked IP" detection) |
| Password spray | Sign-in risk | Many failed logins from one IP across many usernames |
| Suspicious inbox manipulation rules | Sign-in risk (offline, from Defender for Cloud Apps) | Inbox rules that forward, delete or hide mail, created shortly after a sign-in |
User Risk vs Sign-in Risk
| | User risk | Sign-in risk |
|---|---|---|
| Scope | The account as a whole (probability it is compromised) | One specific authentication request |
| Remediation | Secure password change (SSPR or admin reset) | MFA challenge or block |
| Reset after remediation | Automatic after a secure password change | Automatic once MFA is satisfied |
| Policy action (High) | Require password change | Block access |
Lab A – Configure Risk Policies (Portal + Graph)
Portal: entra.microsoft.com → Protection → Identity Protection
Sign-in Risk Policy (block High risk)
1. Identity Protection → Sign-in risk policy → Users: All users (exclude the break-glass accounts)
2. Sign-in risk: High → Access: Block
3. Enforce policy: On → Save
A legacy Identity Protection policy has a single risk threshold and a single control, so "High → Block" and "Medium → Require MFA" need two separate policies. Microsoft recommends building risk-based policies in Conditional Access instead, as the Graph step below does; that also gives you report-only mode to observe the policy before enforcing it.
# Graph API: create the User Risk policy as a Conditional Access policy (High -> secure password change)
# New-MgIdentityConditionalAccessPolicy needs Policy.Read.All + Policy.ReadWrite.ConditionalAccess; risk conditions need Entra ID P2
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"
$userRiskPolicy = @{
DisplayName = "IP001 - User Risk High Require Password Change"
State = "enabled"   # use "enabledForReportingButNotEnforced" to trial in report-only mode first
Conditions = @{
Users = @{IncludeUsers=@("All"); ExcludeGroups=@("BREAK_GLASS_ID")}   # BREAK_GLASS_ID = object ID of the break-glass group
UserRiskLevels = @("high")
Applications = @{IncludeApplications=@("All")}
ClientAppTypes = @("all")
}
GrantControls = @{
Operator = "AND"   # passwordChange must be combined with mfa
BuiltInControls = @("mfa","passwordChange")
}
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy
Write-Host "User Risk policy created: $($created.DisplayName)"
User Risk policy created: IP001 - User Risk High Require Password Change
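The portal steps above only cover the High → Block half of the sign-in risk policy. The following is an added example, not course material, that expresses both sign-in risk policies (High → block, Medium → MFA) as Conditional Access request bodies, validates the break-glass group ID before it is used as an exclusion, and defaults to report-only so the policy can be watched in the sign-in log before enforcement. It assumes Connect-MgGraph with Policy.Read.All and Policy.ReadWrite.ConditionalAccess, an Entra ID P2 tenant, and a real group object ID in place of the all-zero placeholder; the function and policy names are the example's own.

```powershell
# Added example, not part of the course material: the two sign-in-risk policies
# from Lab A (High -> block, Medium -> MFA) expressed as Conditional Access
# request bodies, created in report-only mode first. Assumes Connect-MgGraph with
# Policy.Read.All and Policy.ReadWrite.ConditionalAccess, an Entra ID P2 tenant,
# and a break-glass group whose object ID replaces the all-zero placeholder below.

function New-SignInRiskPolicyBody {
    param(
        [Parameter(Mandatory)][ValidateSet('high', 'medium', 'low')][string[]] $RiskLevels,
        [Parameter(Mandatory)][ValidateSet('block', 'mfa')][string] $Control,
        [Parameter(Mandatory)][string] $BreakGlassGroupId,
        [string] $Name,
        [switch] $Enforce   # default is report-only so the policy can be watched in sign-in logs first
    )
    # A typo here would exclude nobody and lock the break-glass accounts out with everyone else
    if ($BreakGlassGroupId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
        throw "BreakGlassGroupId must be a group object ID (GUID), got '$BreakGlassGroupId'"
    }
    if (-not $Name) { $Name = "IP002 - Sign-in risk $($RiskLevels -join '/') -> $Control" }
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
    return @{
        displayName   = $Name
        state         = $state
        conditions    = @{
            users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications     = @{ includeApplications = @('All') }
            clientAppTypes   = @('all')
            signInRiskLevels = @($RiskLevels)
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @($Control)
        }
    }
}

$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with the real group object ID
$policies = @(
    (New-SignInRiskPolicyBody -RiskLevels 'high'   -Control 'block' -BreakGlassGroupId $breakGlass),
    (New-SignInRiskPolicyBody -RiskLevels 'medium' -Control 'mfa'   -BreakGlassGroupId $breakGlass)
)

$create = $false   # flip to $true after reviewing the JSON printed below
foreach ($body in $policies) {
    $body | ConvertTo-Json -Depth 5
    if ($create) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $body |
            Select-Object DisplayName, State, Id
    }
}
```

Once the report-only policies have run for a few days, check the Conditional Access insights for the number of break-glass and service-account sign-ins they would have blocked, then re-create or update them with `-Enforce`.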
Lab B – Audit Risky Users & Remediate
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All","IdentityRiskEvent.Read.All"
# High-risk users that are still at risk (riskState atRisk = not yet remediated or dismissed)
$riskyUsers = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All
$riskyUsers | Select-Object UserDisplayName, UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
# Which detections raised the risk: riskDetail on a risky user only records how the risk was remediated;
# the detection type lives on the riskDetection resource
Get-MgRiskDetection -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All |
Select-Object UserDisplayName, UserPrincipalName, RiskEventType
# Dismiss risk for a user confirmed as a false positive (placeholder object ID; take it from the report above)
$userId = "aaa-bbb-ccc-ddd"
Invoke-MgDismissRiskyUser -UserIds @($userId)
Write-Host "Risk dismissed for user (false positive confirmed)"
# Confirm compromise (true positive): sets user risk to High so the user risk policy forces a password change.
# Use the object ID of a different user than the one just dismissed.
$compromisedId = "<object ID of the compromised user>"
Confirm-MgRiskyUserCompromised -UserIds @($compromisedId)   # v1.0 cmdlet for riskyUsers/confirmCompromised
UserDisplayName UserPrincipalName RiskLevel RiskState
--------------- ----------------- --------- ---------
Nguyen Thi Lan [email protected] high atRisk
Tran Van Minh [email protected] high atRisk
UserDisplayName UserPrincipalName RiskEventType
--------------- ----------------- -------------
Nguyen Thi Lan [email protected] leakedCredentials
Tran Van Minh [email protected] unlikelyTravel
Risk dismissed for user (false positive confirmed)
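Dismiss and confirm-compromised are one-way decisions, so the triage behind them should be explicit. The following is an added example, not course material, that groups risk detections per user, derives a recommendation from the most severe event type (leaked credentials or password spray are never dismissed on the user's word; new-device or travel anomalies can be dismissed after an analyst review), and only calls the Graph write cmdlets when `-Apply` is set. The severity buckets are an assumed analyst policy; the detections, UPNs and object IDs are constructed sample data in the shape of the Graph riskDetection resource. The live path assumes Connect-MgGraph with IdentityRiskEvent.Read.All and IdentityRiskyUser.ReadWrite.All.

```powershell
# Added example, not part of the course material: triage risk detections per user
# before choosing dismiss vs confirm-compromised. Detections are grouped by user,
# the most severe event type decides a recommendation, and Graph write actions run
# only with -Apply. Assumes Connect-MgGraph with IdentityRiskEvent.Read.All and
# IdentityRiskyUser.ReadWrite.All; the detections and object IDs below are
# constructed sample data in the shape of the Graph riskDetection resource.
# The severity buckets are an analyst policy assumed here, not a Graph value.

$confirmTypes = @('leakedCredentials', 'passwordSpray', 'maliciousIPAddress')                  # never dismiss on a user's say-so
$reviewTypes  = @('unfamiliarFeatures', 'unlikelyTravel', 'anonymizedIPAddress', 'newCountry')  # often a new device or VPN

function Get-RiskTriage {
    param([Parameter(Mandatory)] $Detections)   # riskDetection objects (SDK output or the sample below)
    $Detections |
        Where-Object { $_.riskState -eq 'atRisk' } |          # skip remediated/dismissed history
        Group-Object userId | ForEach-Object {
            $types  = @($_.Group.riskEventType | Sort-Object -Unique)
            $ips    = @($_.Group.ipAddress | Where-Object { $_ } | Sort-Object -Unique)
            $action = if ($types | Where-Object { $_ -in $confirmTypes }) { 'ConfirmCompromised' }
                      elseif (-not ($types | Where-Object { $_ -notin $reviewTypes })) { 'ReviewThenDismiss' }
                      else { 'Investigate' }
            [pscustomobject]@{
                UserId = $_.Name
                User   = $_.Group[0].userPrincipalName
                Level  = ($_.Group.riskLevel | Sort-Object -Unique) -join ','
                Events = $types -join ','
                IPs    = $ips -join ','
                First  = ($_.Group.detectedDateTime | Sort-Object | Select-Object -First 1)
                Last   = ($_.Group.detectedDateTime | Sort-Object | Select-Object -Last 1)
                Action = $action
            }
        }
}

function Invoke-RiskTriage {
    param(
        [Parameter(Mandatory)] $Triage,
        [string[]] $ReviewedUserIds = @(),   # users an analyst has cleared as false positives
        [switch] $Apply
    )
    foreach ($row in $Triage) {
        $cmd = switch ($row.Action) {
            'ConfirmCompromised' { 'Confirm-MgRiskyUserCompromised' }   # raises user risk to High -> user risk policy forces password change
            'ReviewThenDismiss'  { if ($row.UserId -in $ReviewedUserIds) { 'Invoke-MgDismissRiskyUser' } }
        }
        if (-not $cmd) { Write-Host "$($row.User): $($row.Action), no automatic action"; continue }
        if ($Apply) { & $cmd -UserIds @($row.UserId) }
        else        { Write-Host "WhatIf: $cmd -UserIds $($row.UserId)" }
    }
}

# Constructed sample detections (UPNs and IDs are placeholders, not real accounts)
$sampleDetections = @(
    [pscustomobject]@{ userId = '11111111-1111-1111-1111-111111111111'; userPrincipalName = 'user1@vinacorp.example'
                       riskEventType = 'leakedCredentials'; riskLevel = 'high'; riskState = 'atRisk'
                       ipAddress = $null; detectedDateTime = '2026-04-20T02:10:00Z' },
    [pscustomobject]@{ userId = '22222222-2222-2222-2222-222222222222'; userPrincipalName = 'user2@vinacorp.example'
                       riskEventType = 'unlikelyTravel'; riskLevel = 'high'; riskState = 'atRisk'
                       ipAddress = '203.0.113.7'; detectedDateTime = '2026-04-19T22:40:00Z' },
    [pscustomobject]@{ userId = '22222222-2222-2222-2222-222222222222'; userPrincipalName = 'user2@vinacorp.example'
                       riskEventType = 'unfamiliarFeatures'; riskLevel = 'medium'; riskState = 'atRisk'
                       ipAddress = '203.0.113.7'; detectedDateTime = '2026-04-19T22:41:00Z' },
    [pscustomobject]@{ userId = '33333333-3333-3333-3333-333333333333'; userPrincipalName = 'user3@vinacorp.example'
                       riskEventType = 'passwordSpray'; riskLevel = 'high'; riskState = 'remediated'
                       ipAddress = '198.51.100.9'; detectedDateTime = '2026-04-18T09:00:00Z' }
)

$triage = Get-RiskTriage -Detections $sampleDetections
$triage | Format-Table -AutoSize
Invoke-RiskTriage -Triage $triage -ReviewedUserIds '22222222-2222-2222-2222-222222222222'   # dry run; add -Apply to execute
# Live tenant: Get-RiskTriage -Detections (Get-MgRiskDetection -Filter "riskState eq 'atRisk'" -All)
```

With the sample data, user1 (leaked credentials) is recommended for confirm-compromised, user2 (travel plus unfamiliar properties from one IP) is dismissable only because the analyst passed that ID in `-ReviewedUserIds`, and user3 is skipped because the detection is already remediated. Keep the dry run as the default in a runbook and require the reviewed-ID list to come from a ticket, not from the script.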
Risky Sign-ins (last 24 hours)
# The sign-in log needs AuditLog.Read.All and Directory.Read.All; riskLevelDuringSignIn is the real-time risk at authentication
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and riskLevelDuringSignIn eq 'high'" -All |
Select-Object CreatedDateTime, UserPrincipalName, IPAddress, RiskLevelDuringSignIn, RiskState,
@{N='Detections';E={$_.RiskEventTypesV2 -join ','}} |
Format-Table -AutoSize
# Risk history for one user: who changed the risk state (policy, admin, user) and which event types were involved
Get-MgRiskyUserHistory -RiskyUserId $userId |
Select-Object RiskLastUpdatedDateTime, RiskState, RiskDetail, InitiatedBy,
@{N='EventTypes';E={$_.Activity.RiskEventTypes -join ','}} |
Format-Table -AutoSize
# Workload identities have a separate risk report: Get-MgRiskyServicePrincipal (requires Workload Identities Premium)
Module 40 Summary
Core concepts
- ✅ Secure Score measures posture; prioritise actions with many points still available and low implementation cost
- ✅ User risk = account-level; Sign-in risk = session-level
- ✅ Leaked credentials → user risk HIGH → force a secure password change
- ✅ Impossible travel / anonymous IP → sign-in risk → block (High) or MFA (Medium)
- ✅ Dismiss = false positive; Confirm compromised = true positive (raises user risk to High)
Labs completed
- 🔬 Graph: view Secure Score + 30-day history
- 🔬 Lab A: Sign-in risk policy (portal) + User risk policy as Conditional Access via Graph
- 🔬 Lab B: Risky users and detections report, dismiss risk, confirm compromised