
Azure AD Identity Protection: Detect & Respond to Identity Threats

Would you like to learn about Azure AD Identity Protection and how to detect and respond to identity threats?

We start by explaining “Identity Threat” and “Identity Protection” in Azure Active Directory. After that, the guide explains the user role and licensing prerequisites for the Azure AD Identity Protection service.

Furthermore, we examine different types of identity threats. Subsequently, there is a walkthrough on enabling Identity Protection logs and utilizing them to identify and address user identity threats.

What is Azure AD Identity Threat and Protection?

In Azure AD, an “Identity” refers to an object with permission to access resources within a Microsoft 365 tenant.

Examples of identities include users, groups, and applications. However, for Azure AD Identity Protection, the term “identity” specifically denotes a user object.

Azure Active Directory requires users to authenticate before they can access resources. During this authentication process, Identity Protection looks for abnormal behaviour.

When it detects such behaviour, Azure AD Identity Protection records it as a risk: suspicious activity associated with a user account.

“Identity Protection” provides resources to assist organizations in detecting and responding to these risks. Specifically, admins use the “Risky users” and “Risky sign-ins” reports to identify and address potential user identity threats.

The last section explains the steps for enabling the policies that produce these logs. Furthermore, it shows how to leverage these logs to detect and respond to identity threats.

Licensing and Role Requirements

To access Identity Protection, users must be assigned either the Global Administrator or the Security Administrator role. Moreover, the feature is also accessible to users with the Security Operator or Security Reader role.

For further insights, please refer to Microsoft’s guide on role requirements for this feature.

Furthermore, Identity Protection has specific licensing prerequisites. Users with an Azure AD Free, Azure AD Premium P1, or Azure AD Premium P2 license can use this feature. However, the extent of the risk detection and monitoring capabilities varies with the specific license.

For more info, please see license requirements.

Types of Azure AD Identity Threat Detection

Azure Active Directory Identity Protection offers two types of user threat detections: “risky users” and “risky sign-ins.” However, the risk detections you can access depend on your Azure AD Premium license.

To clarify, Free and Azure AD Premium P1 license subscribers access the standard (basic) risk detections. Conversely, Azure AD Premium P2 subscribers also have access to the premium risk detections.

1. Azure AD Premium P1 (Nonpremium) "Sign-in risk" Detections

If you hold a Free or Azure AD Premium P1 license, you can detect the occurrence of “Additional risk detected.” This type of risk is observed either in real time or offline.

Moreover, you can view “Anonymous IP address” logs. This offline detection indicates that a user has signed in from an IP address whose location is unknown.

Other nonpremium offline detections include “Admin confirmed user compromised” and “Azure AD threat intelligence.”

To see the complete list of nonpremium “sign-in risk” detections, see the nonpremium sign-in risk detections page.

2. Azure AD Premium P2 (Premium) "Sign-in Risk" Detections

Premium license holders can view both real-time and offline user sign-in risks, in addition to the nonpremium “sign-in risk” detections.

An excellent example of a premium sign-in risk is “New country,” which is logged when a user signs in from a new location.

Furthermore, a premium license gives you access to “Malicious IP address” and “Suspicious inbox manipulation rules.”

In total, an Azure AD Premium P2 license provides 15 additional premium sign-in risk detections.

To view the complete list, please visit the premium sign-in risk link.

3. Azure AD Premium P1 (Nonpremium) "User Risk" Detections

The following “user risk” detections are available to nonpremium licensees: “Leaked credentials,” “Azure AD threat intelligence,” and “Additional risk detected.”

While the first two are available offline, the last risk is detected in real time. 

Find out more on the nonpremium user risk detections page. 

4. Azure AD Premium P2 (Premium) "User Risk" Detections

Finally, holders of premium licenses receive premium “user risk” detections in addition to the nonpremium detections discussed earlier. Specifically, Premium P2 provides three additional offline “user risk” detections.

Visit the premium user risk detections page to learn more.


Enable Azure AD Identity Protection Policies

Follow the steps below to enable the “User risk” and “Sign-in risk” policies:

1. Sign in to portal.azure.com, then search for and open “Azure AD Identity Protection.”
2. Next, click “User risk policy” on the Protect menu.
3. Once the policy opens, configure the settings (explained below). Then click Save.

The “User risk policy” has three configuration sections: Assignments (Users), User risk, and Access. To set the users the policy applies to, click Users in the “Assignments” section.

When the user configuration screen opens, leave the policy set to apply to all users (the default). Alternatively, click the “Select individuals and groups” option to apply the policy to selected users only.

After configuring the users the policy applies to, set the “User risk” level by clicking that section. Then select the risk level that meets your needs and click Save.

Finally, set the Access control that the policy enforces when a user reaches the configured risk level.

After enabling the “User risk policy,” click “Sign-in risk policy.” Once the policy opens, configure it and click Save. 

You can achieve the same result as these policies with an Azure AD Conditional Access policy. Microsoft recommends using Azure AD Conditional Access policies instead of these legacy risk policies.

Detect and Respond to Azure AD Identity Threats

Next, we learn the specifics of using the “Risky users” and “Risky sign-ins” reports to identify and address identity threats. Additionally, this section discusses using alerts and weekly digest emails to detect and respond to threats.

Option 1: Using Identity Detection Reports to Detect and Respond to Threats

1. Sign in to portal.azure.com. Search for and open “Azure AD Identity Protection.”
2. Click the “Risky users” report. Review the report and respond accordingly.

Specifically, the report displays users detected as “at risk.” Additionally, administrators can see whether each risk has been remediated or dismissed.

Furthermore, an admin can take further actions within the “Risky users” report, such as resetting the user’s password or confirming that the user has been compromised.

For a complete list of the actions available in this report, visit the Risky users page.

Azure AD Identity Protection provides not only the “Risky users” report but also the “Risky sign-ins” and “Risk detections” reports.

The “Risky sign-ins” report records sign-ins that Azure AD Identity Protection classifies as “at risk.”

This 30-day filterable report provides the status of each record, indicating whether the sign-in has been confirmed as “compromised” or “safe.” Moreover, it includes crucial information that aids admins in detecting and addressing threats, such as MFA details, device, application, and location information for the sign-in.

Furthermore, the “Risk detections” report contains information on sign-in location and associated risks triggered at the same time as the “risky sign-in.”

By using these three reports, security admins can proactively identify and respond to potential threats before they escalate into major incidents.
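The triage logic below is an added example, not code from the original article or from InfraSOS. It works over constructed records shaped like the fields the “Risk detections” and “Risky users” reports expose (user, detection type, risk level, risk state, real-time/offline timing, IP and location); the riskEventType names are assumed to be the Microsoft Graph identifiers for the detections the article lists, and the sample data is invented.

```python
from collections import defaultdict

# Detection types grouped by license tier as the article describes them.
# Assumption: these are the Graph riskEventType identifiers for those detections.
NONPREMIUM = {"generic", "anonymizedIPAddress", "adminConfirmedUserCompromised",
              "investigationsThreatIntelligence", "leakedCredentials"}
PREMIUM = {"newCountry", "maliciousIPAddress", "mcasSuspiciousInboxManipulationRules"}
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
OPEN_STATES = {"atRisk", "confirmedCompromised"}   # remediated/dismissed/confirmedSafe need no action

# Constructed sample records (not real tenant data): three users, mixed states and types.
DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk", "detectionTimingType": "offline",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "newCountry",
     "riskLevel": "medium", "riskState": "atRisk", "detectionTimingType": "offline",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "BR"}},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "remediated", "detectionTimingType": "realtime",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "generic",
     "riskLevel": "low", "riskState": "dismissed", "detectionTimingType": "realtime",
     "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "GB"}},
]

def triage(detections):
    """Summarise detections per user: open detections, highest open risk level,
    countries seen, and a suggested response matching the report's own actions."""
    summary = defaultdict(lambda: {"open": [], "highest": "none", "countries": set()})
    for d in detections:
        s = summary[d["userPrincipalName"]]
        s["countries"].add(d["location"]["countryOrRegion"])
        if d["riskState"] not in OPEN_STATES:
            continue
        tier = "premium" if d["riskEventType"] in PREMIUM else "nonpremium"
        s["open"].append((d["riskEventType"], d["riskLevel"], d["detectionTimingType"], tier))
        if LEVEL_RANK[d["riskLevel"]] > LEVEL_RANK[s["highest"]]:
            s["highest"] = d["riskLevel"]
    for s in summary.values():
        s["action"] = {"high": "reset password / confirm compromised",
                       "medium": "require MFA and investigate"}.get(s["highest"], "monitor")
    return dict(summary)

if __name__ == "__main__":
    for upn, s in triage(DETECTIONS).items():
        print(f"{upn}: highest={s['highest']} open={len(s['open'])} action={s['action']}")
```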

Option 2: Using Alerts and Weekly Digest Emails to Detect and Respond to Threats

To reduce the chance of missing potential risks, Azure AD provides two additional automated reports.

The first one is “Users at risk detected alerts.” This report sends “Alert on user risk level” emails to the admins in its recipient list. Microsoft automatically adds recipients to this list based on their role.

Moreover, custom emails can be added to the list.

Furthermore, there is an option to configure the alert level to be sent.

The final automated threat detection tool is the “weekly digest” email. Microsoft automatically adds users in the Global or Security Administrator, or Security Reader roles as recipients. 

There is also a setting to enable or disable sending the weekly email.

Option 3: Configure Automatic Risk Remediation with Conditional Access Policy

Azure AD Conditional Access also offers a risk remediation policy.

With this policy, we configure conditional “User risk” and “Sign-in risk” policies, define acceptable risk levels, and specify automated remediation actions.

Let’s see how this works in action. 

First, open the Azure AD Conditional Access tool and click “Create new policy.”

Next, on the New Conditional Access policy page, give the policy a name and click the “Conditions” section. Finally, click the “User risk” and “Sign-in risk” options, one at a time, and configure the acceptable risk levels.

Read Microsoft’s recommendation on configuring risk levels. 

After configuring the above options in the new policy, click “Grant” to configure automated risk remediation conditions.
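The following is an added example, not the article's or InfraSOS's own code, and it serves both the legacy risk policies described earlier and the Conditional Access policy built in this section. It expresses two risk-based policies in the shape of Microsoft Graph's conditionalAccessPolicy resource and evaluates which grant controls a given sign-in would trigger. Assumptions: the chosen risk levels, grant controls, and the placeholder excluded account are illustrative, and the evaluator models only the user-scope and risk-level conditions.

```python
# Two constructed risk-based policies. One is left report-only so admins can review its
# impact before enforcing; the excluded account id is a labelled placeholder.
POLICIES = [
    {"displayName": "Risk-based: user risk high",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": ["high"], "signInRiskLevels": []},
     # Graph requires passwordChange to be combined with mfa using AND.
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
    {"displayName": "Risk-based: sign-in risk medium or high",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    # "Medium and above" in the portal corresponds to listing both levels.
                    "userRiskLevels": [], "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def policy_matches(policy, user_id, user_risk, signin_risk):
    """A policy applies when the user is in scope and every configured risk condition
    is satisfied; an empty level list means that condition is not configured."""
    cond = policy["conditions"]
    users = cond["users"]
    in_scope = ("All" in users["includeUsers"] or user_id in users["includeUsers"]) \
        and user_id not in users.get("excludeUsers", [])
    if not in_scope:
        return False
    if cond["userRiskLevels"] and user_risk not in cond["userRiskLevels"]:
        return False
    if cond["signInRiskLevels"] and signin_risk not in cond["signInRiskLevels"]:
        return False
    return True

def evaluate(policies, user_id, user_risk, signin_risk):
    """Return (enforced_controls, report_only_policy_names) for one sign-in attempt."""
    enforced, report_only = set(), []
    for p in policies:
        if not policy_matches(p, user_id, user_risk, signin_risk):
            continue
        if p["state"] == "enabled":
            enforced.update(p["grantControls"]["builtInControls"])
        elif p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
    return enforced, report_only

if __name__ == "__main__":
    print(evaluate(POLICIES, "user-1", "high", "medium"))
```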

Azure AD Identity Protection: Detect & Respond to Identity Threats Conclusion

Azure AD Identity Protection offers robust measures to detect and respond to identity threats. The first step to using the full potential of this service effectively is to understand the licensing and role requirements.

With various types of threat detection available, including “sign-in risk” and “user risk” detections in both Azure AD Premium P1 and P2, organizations have the flexibility to choose the level of protection that suits their needs.

However, organizations must enable Azure AD Identity Protection policies or Conditional Access policies to proactively monitor and mitigate threats. Once configured, identity detection reports, alerts, and weekly digest emails provide visibility into suspicious activities.

Additionally, configuring automatic risk remediation through conditional access policies further strengthens the security posture of an Azure AD infrastructure. With Azure AD Identity Protection, organizations actively defend against identity threats and safeguard their infrastructure.



Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and PowerShell, and 7 years of expertise in Azure AD and Office 365, he is a seasoned expert in his field. When he is not working, he loves spending time with his family, a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
