Azure AD Identity Protection: Detect & Respond to Identity Threats. Would you like to learn about Azure AD Identity Protection and how to detect and respond to identity threats?
We start by explaining “Identity Threat” and “Identity Protection” in Azure Active Directory. After that, the guide explains the user role and licensing prerequisites for the Azure AD service.
Furthermore, we examine different types of identity threats. Subsequently, there is a walkthrough on enabling Identity Protection logs and utilizing them to identify and address user identity threats.
What is Azure AD Identity Threat and Protection?
In Azure AD, an “Identity” refers to an object with permission to access resources within a Microsoft 365 tenant.
Examples of identities include users, groups, and applications. However, for AD Identity Protection, the term “identity” specifically denotes a user object.
Azure Active Directory requires users to authenticate to access resources. During this authentication process, identity protection detects any abnormal behaviour.
When such detection occurs, Azure AD Identity Protection recognizes it as a threat or risk containing any suspicious activity associated with a user.
“Identity Protection” provides resources to assist organizations in detecting and responding to these risks. Specifically, users utilize “risky users” and “risky sign-in reports” to identify and address potential user identity threats.
The last section explains the steps for enabling the policies related to these logs. Furthermore, we will leverage these logs to detect and respond to identity threats.
Licensing and Role Requirements
To use Identity Protection, users need the Global Administrator or Security Administrator role. The feature is also accessible to users with the Security Operator or Security Reader roles.
For further insights, please refer to Microsoft’s guide on role requirements for this feature.
Furthermore, Identity Protection has specific licensing prerequisites. Users with an Azure AD Free, Azure AD Premium P1, or Azure AD Premium P2 license can use this feature. However, the extent of the detection and monitoring capabilities varies with the specific license.
For more info, please see license requirements.
Types of Azure AD Identity Threat Detection
Azure Active Directory Identity Protection offers “risky users” and “risky sign-ins” as 2 types of user threat detections. However, which risk detections you can see depends on your Azure AD Premium license.
To clarify, Free and Azure AD Premium P1 license subscribers access standard or basic risk detections. Conversely, Azure AD Premium P2 users have the capability to detect premium risks.
1. Azure AD Premium P1 (Nonpremium) "Sign-in risk" Detections
If you hold a Free or Azure AD Premium P1 license, you can detect the occurrence of “Additional risk.” This type of risk is observed in real time or offline.
Moreover, you can view “Anonymous IP address” logs. This offline detection indicates that a user has logged in from an unknown IP location.
Other nonpremium offline detections include “Admin confirmed user compromised” and “Azure AD threat intelligence.”
To see the complete list of nonpremium “sign-in risk” detections, click nonpremium sign-in.
2. Azure AD Premium P2 (Premium) "Sign-in Risk" Detections
Premium license holders view both real-time and offline user sign-in risks, in addition to the nonpremium “sign-in risks.”
An excellent example of a premium sign-in risk is “New country,” logged when a user signs in from a new location.
Furthermore, a premium license gives you access to “Malicious IP address” and “Suspicious inbox manipulation rules.”
The Azure AD Premium P2 license provides 15 additional premium sign-in risk detections.
To view the complete list, please visit the premium sign-in risk link.
3. Azure AD Premium P1 (Nonpremium) "User Risk" Detections
The following “user risk” detections are available to nonpremium licensees: “Leaked credentials,” “Azure AD threat intelligence,” and “Additional risk detected.”
While the first two are available offline, the last risk is detected in real time.
Find out more on the nonpremium user risk detections page.
4. Azure AD Premium P2 (Premium) "User Risk" Detections
Finally, holders of premium licenses receive premium “user risk” detections in addition to the nonpremium logs discussed earlier. Specifically, it provides 3 additional offline “user risk” logs.
Visit the premium user risk detections page to learn more.
Enable Azure AD Identity Protection Policies
Follow the steps below to enable the “User risk” and “Sign-in risk” policies:
1. Sign in to portal.azure.com, search for and open “Azure AD Identity Protection.”
2. Next, click “User risk policy” on the Protect menu.
3. Once the policy opens, configure the settings (see my explanations below this screenshot). After, click Save.
The screenshot shows 3 configurations of the “User risk policy.” To set the users the policy applies to, click Users in the “Assignments” section.
When the user configuration screen opens, set the policy to apply to all users (default). Alternatively, click the “Select individuals and groups” option to apply the policy to select users.
After enabling the “User risk policy,” click “Sign-in risk policy.” Once the policy opens, configure it and click Save.
The same results can be achieved with an Azure AD Conditional Access policy (see Option 3 below). Microsoft recommends using Azure AD Conditional Access policies instead of these legacy policies.
Detect and Respond to Azure AD Identity Threats
Next, we learn the specifics of utilizing the “Risky users” and “Risky sign-ins” reports for identifying and addressing identity threats. Additionally, this section discusses using alerts and weekly digest emails to detect and respond to threats.
Option 1: Using Identity Detection Reports to Detect and Respond to Threats
1. Sign in to portal.azure.com. Search for and open “Azure AD Identity Protection.”
2. Click the “Risky users” report. Review the report and respond accordingly.
Specifically, the report displays users detected as “at risk.” Additionally, administrators can see whether the risk has been remediated or dismissed.
Furthermore, an admin can take further actions within the “Risky users” report, such as resetting the user’s password or confirming that the user has been compromised.
For a complete list of the actions available in this report, visit the Risky users page.
The “Risky sign-ins” report is a 30-day filterable report that provides the status of each record, indicating whether the sign-in has been confirmed as “compromised” or “safe.” Moreover, it includes crucial information that aids admins in detecting and addressing threats, such as MFA details, device, application, and location information for the sign-in.
Furthermore, the “Risk detections” report contains information on sign-in location and associated risks triggered at the same time as the “risky sign-in.”
By utilizing these 3 reports, security admins proactively identify and respond to potential threats before they escalate into major issues.
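The same triage can be scripted against the reports' underlying Microsoft Graph data, which is useful when a tenant has more risky users than a portal page shows comfortably. The following is an added example, not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account holds one of the roles listed above, and that the tenant has the P2 license needed to see risk levels rather than “hidden.” The user object ids at the end are placeholders.

```powershell
# Added example (not from the original post): triage Identity Protection risk data with the
# Microsoft Graph PowerShell SDK instead of clicking through the three portal reports.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the account has a role listed above.
Import-Module Microsoft.Graph.Identity.SignIns

# Read scopes are enough to review; ReadWrite on risky users is needed to confirm or dismiss.
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All"

# 1. "Risky users" report: users still "at risk" (neither remediated nor dismissed), worst first.
$riskyUsers = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Sort-Object @{ Expression = { @{ high = 0; medium = 1; low = 2 }[$_.RiskLevel] } }
$riskyUsers |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskDetail, RiskLastUpdatedDateTime |
    Format-Table -AutoSize

# 2. "Risk detections" report: everything detected in the last 30 days, the portal's default window.
$since      = (Get-Date).ToUniversalTime().AddDays(-30).ToString("o")
$detections = Get-MgRiskDetection -Filter "detectedDateTime ge $since" -All
$detections | Group-Object RiskEventType | Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Drill-down: every detection behind each high-risk user, with the IP and location it came from,
#    which is the context the "Risky sign-ins" report shows per sign-in.
foreach ($u in ($riskyUsers | Where-Object RiskLevel -eq 'high')) {
    "`n== $($u.UserPrincipalName) =="
    $detections | Where-Object UserId -eq $u.Id |
        Select-Object DetectedDateTime, RiskEventType, RiskLevel, IPAddress,
            @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
        Format-Table -AutoSize
}

# 4. Respond, equivalent to the "Confirm user compromised" / "Dismiss user risk" portal buttons.
#    Placeholders: replace with the object ids of users you have actually investigated.
# Confirm-MgRiskyUserCompromised -UserIds @("<compromised-user-object-id>")
# Invoke-MgDismissRiskyUser      -UserIds @("<false-positive-user-object-id>")
```

Confirming a user as compromised raises the user risk to high, which is what a risk-based Conditional Access policy (Option 3) keys on; dismissing clears it, so keep the two response calls commented until the investigation in steps 1 to 3 justifies one or the other.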
Option 2: Using Alerts and Weekly Digest Emails to Detect and Respond to Threats
To mitigate the possibility of missing potential risks, Azure AD provides 2 additional automated reports.
The first one is the “Users at risk detected alerts” setting. It sends “Alert on user risk level” emails to the admins in its recipient list. Microsoft automatically adds recipients to this list based on their role.
Moreover, custom emails can be added to the list.
Furthermore, there is an option to configure the alert level to be sent.
The final automated threat detection tool is the “weekly digest” email. Microsoft automatically adds users in the Global Administrator, Security Administrator, or Security Reader roles as recipients.
Option 3: Configure Automatic Risk Remediation with Conditional Access Policy
Azure AD Conditional Access also provides a risk remediation policy.
With this policy, we configure conditional “User risk” and “Sign-in risk” policies, define acceptable risk levels, and specify automated remediation actions.
Let’s see how this works in action.
First, open Azure AD Conditional Access tool and click “Create new policy.”
Next, on the New Conditional Access policy page, give it a name and click the “Conditions” section. Finally, click the “User risk” and “Sign-in risk” options – one at a time – and configure acceptable risk levels.
Read Microsoft’s recommendation on configuring risk levels.
After configuring the above options in the new policy, click “Grant” to configure automated risk remediation conditions.
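The policy built above through the portal can also be created from the Graph PowerShell SDK, which makes the risk levels and grant controls reviewable as code. The following is an added example, not part of the original post; it assumes Microsoft.Graph.Identity.SignIns is installed, that the account can write Conditional Access policies, and that the break-glass group id placeholder is replaced with a real group. It goes slightly beyond the single policy in the walkthrough by creating one policy per risk type, which is how the two conditions are usually split in practice.

```powershell
# Added example (not from the original post): create the risk-based Conditional Access policies
# described above with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the account can write CA policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of the emergency-access (break-glass) group that must never be locked out.
$breakGlassGroupId = "<break-glass-group-object-id>"

# Sign-in risk: the individual sign-in looks suspicious, so require MFA at medium or high.
$signInRiskPolicy = @{
    displayName = "Risk: require MFA on medium/high sign-in risk"
    # Report-only first, so the sign-in log's report-only tab shows impact before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high", "medium")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# User risk: the account itself is probably compromised, so require MFA and a password change.
# Graph only accepts "passwordChange" together with "mfa" under the AND operator.
$userRiskPolicy = @{
    displayName = "Risk: require password change on high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("high")
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
    # Re-evaluate on every sign-in so a user whose risk just rose is not carried by an old session.
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

foreach ($p in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Verify what was written, the way the "Conditions" and "Grant" blades show it in the portal.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.SignInRiskLevels -or $_.Conditions.UserRiskLevels } |
    Select-Object DisplayName, State,
        @{ n = 'SignInRisk'; e = { $_.Conditions.SignInRiskLevels -join ',' } },
        @{ n = 'UserRisk';   e = { $_.Conditions.UserRiskLevels -join ',' } },
        @{ n = 'Grant';      e = { $_.GrantControls.BuiltInControls -join " $($_.GrantControls.Operator) " } }
```

Switching `state` to `"enabled"` turns enforcement on; the break-glass exclusion stays in both policies so that a false-positive high user risk on every admin cannot lock the tenant out of its own remediation tools.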
Azure AD Identity Protection: Detect & Respond to Identity Threats Conclusion
Azure AD Identity Protection offers robust measures to detect and respond to identity threats. The first step to effectively utilize the full potential of this service is to understand the licensing and role requirements.
With various types of threat detection available, including “sign-in risk” and “user risk” detections in both Azure AD Premium P1 and P2, organizations have the flexibility to choose the level of protection that suits their needs.
However, organizations must enable Azure AD Identity Protection policies or Conditional Access policies to proactively monitor and mitigate threats. Once configured, identity detection reports, alerts, and weekly digest emails provide visibility into suspicious activities.
Additionally, configuring automatic risk remediation through conditional access policies further strengthens the security posture of an Azure AD infrastructure. With Azure AD Identity Protection, organizations actively defend against identity threats and safeguard their infrastructure.