Section 9 – Implement an Authentication and Access Management Solution – Manage Azure AD Identity Protection

The refreshed Azure AD Identity Protection is now generally available -  Microsoft Tech Community

Second half of section 9 and going down with:

  • implement and manage a user risk policy
  • implement and manage sign-in risk policy
  • implement and manage MFA registration policy
  • monitor, investigate and remediate elevated risky users

What is Identity Protection?

Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.

The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization’s enforced policies.

Permissions needed

RoleCan doCan’t do
Global administratorFull access to Identity Protection
Security administratorFull access to Identity ProtectionReset password for a user
Security operatorView all Identity Protection reports and Overview blade

Dismiss user risk, confirm safe sign-in, confirm compromise
Configure or change policies

Reset password for a user

Configure alerts
Security readerView all Identity Protection reports and Overview bladeConfigure or change policies

Reset password for a user

Configure alerts

Give feedback on detections

Licensing requirements

CapabilityDetailsAzure AD Free / Microsoft 365 AppsAzure AD Premium P1Azure AD Premium P2
Risk policiesUser risk policy (via Identity Protection)NoNoYes
Risk policiesSign-in risk policy (via Identity Protection or Conditional Access)NoNoYes
Security reportsOverviewNoNoYes
Security reportsRisky usersLimited Information. Only users with medium and high risk are shown. No details drawer or risk history.Limited Information. Only users with medium and high risk are shown. No details drawer or risk history.Full access
Security reportsRisky sign-insLimited Information. No risk detail or risk level is shown.Limited Information. No risk detail or risk level is shown.Full access
Security reportsRisk detectionsNoLimited Information. No details drawer.Full access
NotificationsUsers at risk detected alertsNoNoYes
NotificationsWeekly digestNoNoYes
MFA registration policyNoNoYes

How to Enable?

Open https://portal.azure.com and search for Azure AD Identity

Under the page You will find the following which will be covered in the examples.

Implement and manage a user risk policy

Inside User risk policy You can define User risk from Low to High and different approaches to these levels.

What is a risk?

Risk types and detection

Risk can be detected at the User and Sign-in level and two types of detection or calculation Real-time and Offline.

Real-time detections may not show up in reporting for five to 10 minutes. Offline detections may not show up in reporting for 48 hours.

User-linked detections

Sign-in risk

Other risk detections

After Your specified User risk level is reached, You can specify to block login, allow login and allow login and force password change.

Then You have an option to Enforce the policy.

Implement and manage sign-in risk policy

In the Sign-in risk page You can block access or allow access but require MFA again.

Implement and manage MFA registration policy

You can enforce MFA registration with MFA registration policy. There is a 14 days grace period where the user can skip the registration.

Monitor, investigate and remediate elevated risky users

Reporting

In the Risky user report You can confirm users confirmed or dismiss the risks

Notifying

In the Notify page You can define new recipients for emails, download the users that have notify enabled and enable alert on only at specified level and above.

Main screen

If we go back to main page, You will see the risk by default inside 30 days.

And You can extend the time to 90 days.

Summary of risk types

User risk

The risk of an individual user is calculated offline based on Microsoft’s internal and external threat intelligence sources. Researchers, law enforcement professionals, and Microsoft security teams are among these sources. An individual’s risk of being compromised is determined by their behavior. A user’s risk is determined offline.

Leaked credentials

The Microsoft leaked credentials service acquires credentials on the dark web, paste sites, password dumps and more. All these passwords are checked against the users’ current credentials to find a match.

Azure AD threat intelligence

The activity of the user is compared with the normal activity for the given user. Unusual activity or activity that is consistent with known attach patterns will be flagged.

Sign-in risk

A Sign-in risk is calculated offline or in real-time and represents the probability that an authentication request isn’t legit. Unlike User risk, there are more detection types in place.

Admin confirmed user compromised

An admin can confirm a user is compromised when he or she chooses to confirm a user compromised in the risky users portal (or by using Microsoft Graph).

Atypical travel

Offline detection type ‘atypical travel’ identifies sign-ins from geographically distant locations. By analyzing the user’s past behavior, a machine learning algorithm can identify risk. In the case of impossible travel time, the user credentials are being used by a different person.

Atypical travel has a learning period of 14 days or 10 logins (whatever comes first) in which it learns the sign-in behavior of a new user. This results in false positives (regular locations within the organization, VPNs) being ignored.

Anonymous IP Address

Anonymous is a realtime detection type that identifies sign-ins from IP addresses that are used by VPN services or anonymous browsers like Tor. These services are typically used by people with malicious intent.

Unfamiliar sign-in properties

An unfamiliar sign-in property is a type of real-time detection that compares sign-ins with previous sign-ins. It is calculated in real-time while logged on by looking at IP address, location, known/past IP address, IP carriers, and browsing sessions.

Unfamiliar sign-in properties have a dynamic learning period. A user will be in learning mode for a minimum duration of five days until the algorithm has enough information about the user’s behavior.

Malware linked IP address

Malware linked IP address is an offline detection type that will trigger when a sign-in from an IP address that is known to actively communicate with a bot server.

Malicious IP address

There is an offline detection type called malicious IP address, which indicates signing in from an IP address that has a high logon failure rate due to invalid credentials.

Things to remember

Licensing:

Azure AD Free / Microsoft 365 Apps on has reporting capabilities.

Azure AD Premium P1 also has reporting capabilities for Risky detections.

Azure AD Premium P2 has all features.

Types of risks:

User Risk has Leaked credentials or is discovered by Azure Threat intelligence.

Sign-in risk, atypical travel, unfamiliar location etc.

Reports and notifies go to Global Admins by default

MFA registration policy has 14 days of grace period.

Link to the main post

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *