Still in section 2, there is a lot to write about. Now we are covering Identity protection.
Table of Contents
What is Identity Protection?
Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.
The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization’s enforced policies.
|Role||Can do||Can’t do|
|Global administrator||Full access to Identity Protection|
|Security administrator||Full access to Identity Protection||Reset password for a user|
|Security operator||View all Identity Protection reports and Overview blade|
Dismiss user risk, confirm safe sign-in, confirm compromise
|Configure or change policies|
Reset password for a user
|Security reader||View all Identity Protection reports and Overview blade||Configure or change policies|
Reset password for a user
Give feedback on detections
|Capability||Details||Azure AD Free / Microsoft 365 Apps||Azure AD Premium P1||Azure AD Premium P2|
|Risk policies||User risk policy (via Identity Protection)||No||No||Yes|
|Risk policies||Sign-in risk policy (via Identity Protection or Conditional Access)||No||No||Yes|
|Security reports||Risky users||Limited Information. Only users with medium and high risk are shown. No details drawer or risk history.||Limited Information. Only users with medium and high risk are shown. No details drawer or risk history.||Full access|
|Security reports||Risky sign-ins||Limited Information. No risk detail or risk level is shown.||Limited Information. No risk detail or risk level is shown.||Full access|
|Security reports||Risk detections||No||Limited Information. No details drawer.||Full access|
|Notifications||Users at risk detected alerts||No||No||Yes|
|MFA registration policy||No||No||Yes|
How to Enable?
Open https://portal.azure.com and search for Azure AD Identity
Under the page You will find the following which will be covered in the examples.
User risk policy
Inside User risk policy You can define User risk from Low to High and different approaches to these levels.
Microsoft has an good article with different risks and how they discover ex. Leaked credentials.
After Your specified User risk level is reached, You can specify to block login, allow login and allow login and force password change.
Then You have an option to Enforce the policy.
Sign-in risk policy
In the Sign-in risk page You can block access or allow access but require MFA again.
MFA registration policy
You can enforce MFA registration with MFA registration policy. There is a 14 days grace period where the user can skip the registration.
In the Risky user report You can confirm users confirmed or dismiss the risks
In the Notify page You can define new recipients for emails, download the users that have notify enabled and enable alert on only at specified level and above.
If we go back to main page, You will see the risk by default inside 30 days.
And You can extend the time to 90 days.
Summary of risk types
The risk of an individual user is calculated offline based on Microsoft’s internal and external threat intelligence sources. Researchers, law enforcement professionals, and Microsoft security teams are among these sources. An individual’s risk of being compromised is determined by their behavior. A user’s risk is determined offline.
The Microsoft leaked credentials service acquires credentials on the dark web, paste sites, password dumps and more. All these passwords are checked against the users’ current credentials to find a match.
Azure AD threat intelligence
The activity of the user is compared with the normal activity for the given user. Unusual activity or activity that is consistent with known attach patterns will be flagged.
A Sign-in risk is calculated offline or in real-time and represents the probability that an authentication request isn’t legit. Unlike User risk, there are more detection types in place.
Admin confirmed user compromised
An admin can confirm a user is compromised when he or she chooses to confirm a user compromised in the risky users portal (or by using Microsoft Graph).
Offline detection type ‘atypical travel’ identifies sign-ins from geographically distant locations. By analyzing the user’s past behavior, a machine learning algorithm can identify risk. In the case of impossible travel time, the user credentials are being used by a different person.
Atypical travel has a learning period of 14 days or 10 logins (whatever comes first) in which it learns the sign-in behavior of a new user. This results in false positives (regular locations within the organization, VPNs) being ignored.
Anonymous IP Address
Anonymous is a realtime detection type that identifies sign-ins from IP addresses that are used by VPN services or anonymous browsers like Tor. These services are typically used by people with malicious intent.
Unfamiliar sign-in properties
An unfamiliar sign-in property is a type of real-time detection that compares sign-ins with previous sign-ins. It is calculated in real-time while logged on by looking at IP address, location, known/past IP address, IP carriers, and browsing sessions.
Unfamiliar sign-in properties have a dynamic learning period. A user will be in learning mode for a minimum duration of five days until the algorithm has enough information about the user’s behavior.
Malware linked IP address
Malware linked IP address is an offline detection type that will trigger when a sign-in from an IP address that is known to actively communicate with a bot server.
Malicious IP address
There is an offline detection type called malicious IP address, which indicates signing in from an IP address that has a high logon failure rate due to invalid credentials.
Things to remember
Azure AD Free / Microsoft 365 Apps on has reporting capabilities.
Azure AD Premium P1 also has reporting capabilities for Risky detections.
Azure AD Premium P2 has all features.
Types of risks:
User Risk has Leaked credentials or is discovered by Azure Threat intelligence.
Sign-in risk, atypical travel, unfamiliar location etc.
Reports and notifies go to Global Admins by default
MFA registration policy has 14 days of grace period.