Using Azure AD Identity Protection to Monitor User Activity
In today's digital age, organizations face numerous challenges in securing their online systems and data against cyber threats. One such challenge is the risk of unauthorized access to user accounts, which can lead to data breaches, financial losses, and reputational damage.
Organizations should use identity and access management (IAM) tools such as Microsoft Azure Active Directory (Azure AD) Identity Protection to reduce these threats. Azure AD Identity Protection helps organizations monitor user activity and detect potential security risks in real time.
By leveraging Azure AD Identity Protection, organizations gain insight into user behaviour patterns, detect anomalies, and take corrective action to block unauthorized access before an attacker does any damage. Because it also keeps resource access seamless for legitimate users, this proactive approach to IAM strengthens security posture and improves the user experience.
Prerequisites to View Azure Sign-in Logs
Before an organization can use Azure AD Identity Protection effectively to monitor user activity and mitigate potential security risks, several requirements must be met. These include setting up an Azure AD tenant, configuring Azure AD Identity Protection, and ensuring that the appropriate licenses are in place. Additionally, organizations must clearly understand their existing identity and access management processes and policies to ensure a smooth transition to Azure AD Identity Protection.
We find the prerequisites below:
Importance of Keeping Track of Azure AD Sign-ins
- The user's sign-in pattern.
- The user's sign-in location.
- Details of the signed-in device.
- Users' sign-ins that use legacy protocols.
- Sign-ins that pass MFA challenges.
- Client apps that use an access token to sign in.
- Any sign-in from a disabled account or with an expired password.
- The number of users, apps, or services that signed in recently.
- Whether any Conditional Access policy is defined and, if so, its status.
- The authentication methods used for sign-ins, and more.
Types of Azure AD Sign-ins in Microsoft 365
- Interactive sign-ins – performed by users with authentication factors such as passwords, MFA challenges, biometric characteristics, or QR codes.
- Non-interactive sign-ins – performed by client apps on behalf of users, without any authentication factor or interaction from the user.
- Service principal sign-ins – performed by applications or service principals using their own certificate or client secret to access resources.
- Managed identity sign-ins – performed by Azure resources whose secrets are managed by Azure in the Key Vault service.
Sign-in types other than interactive sign-ins are currently in preview and are expected to become generally available later.
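The following Python script is an added example, not code from the original article or from Microsoft. It shows how the review items listed above (legacy protocols, MFA outcome, disabled accounts and expired passwords, Conditional Access status, recent users and apps) and the interactive versus non-interactive distinction map onto fields of an exported sign-in record. The records are constructed here in the shape of the Microsoft Graph `signIn` resource (the `clientAppUsed`, `isInteractive`, `authenticationRequirement`, `conditionalAccessStatus`, `status.errorCode` and `location` properties); the sample users, apps and the set of legacy client names are assumptions chosen for the illustration.

```python
"""Triage of Azure AD sign-in records for the monitoring questions above.

Added example. The records are constructed in the shape of the Microsoft
Graph `signIn` resource; they are not real logs from any tenant.
"""
from collections import Counter

# clientAppUsed values that indicate legacy (basic) authentication protocols.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                      "Authenticated SMTP", "Other clients"}

# AADSTS error codes reported in status.errorCode for the two cases the
# article calls out: disabled account and expired password.
ERROR_USER_DISABLED = 50057
ERROR_PASSWORD_EXPIRED = 50055


def rec(id_, user, app, client_app, interactive, auth_req, ca_status, error_code, country):
    """Build a constructed record with the subset of signIn fields used below."""
    return {"id": id_, "userPrincipalName": user, "appDisplayName": app,
            "clientAppUsed": client_app, "isInteractive": interactive,
            "authenticationRequirement": auth_req,
            "conditionalAccessStatus": ca_status,
            "status": {"errorCode": error_code},
            "location": {"countryOrRegion": country}}


# Constructed sample data (no real users, tenants or applications).
SAMPLE_SIGNINS = [
    rec("s1", "alice@contoso.example", "Office 365 Exchange Online", "Browser",
        True, "multiFactorAuthentication", "success", 0, "IE"),
    rec("s2", "bob@contoso.example", "Office 365 Exchange Online", "IMAP4",
        True, "singleFactorAuthentication", "notApplied", 0, "NG"),
    rec("s3", "carol@contoso.example", "Office 365 SharePoint Online", "Browser",
        True, "singleFactorAuthentication", "notApplied", ERROR_USER_DISABLED, "IE"),
    rec("s4", "dave@contoso.example", "Microsoft Teams", "Mobile Apps and Desktop clients",
        False, "singleFactorAuthentication", "success", 0, "IE"),
    rec("s5", "alice@contoso.example", "Office 365 Exchange Online", "Exchange ActiveSync",
        True, "singleFactorAuthentication", "notApplied", ERROR_PASSWORD_EXPIRED, "IE"),
]


def triage(signins):
    """Summarise a list of signIn records into the review items from the article."""
    out = {"legacy_protocol": [], "mfa_passed": [], "disabled_or_expired": [],
           "non_interactive": [], "conditional_access": Counter(),
           "users": set(), "apps": set(), "countries": Counter()}
    for s in signins:
        code = s["status"]["errorCode"]
        succeeded = code == 0
        if s["clientAppUsed"] in LEGACY_CLIENT_APPS:        # legacy protocol, even if it failed
            out["legacy_protocol"].append(s["id"])
        if succeeded and s["authenticationRequirement"] == "multiFactorAuthentication":
            out["mfa_passed"].append(s["id"])                 # sign-in that satisfied MFA
        if code in (ERROR_USER_DISABLED, ERROR_PASSWORD_EXPIRED):
            out["disabled_or_expired"].append(s["id"])
        if not s["isInteractive"]:                            # token use by a client app
            out["non_interactive"].append(s["id"])
        out["conditional_access"][s["conditionalAccessStatus"]] += 1
        out["countries"][s["location"]["countryOrRegion"]] += 1
        if succeeded:                                         # who and what actually signed in
            out["users"].add(s["userPrincipalName"])
            out["apps"].add(s["appDisplayName"])
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

Note that a legacy-protocol sign-in is reported whether or not it succeeded: the failed Exchange ActiveSync attempt with an expired password still tells you that a client somewhere is configured for basic authentication, which is exactly the blind spot the article goes on to discuss.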
Monitor Non-Interactive Logins to Mitigate a High Number of Risks
Attackers also run phishing campaigns and steal passwords that are hard-coded in shared scripts or files, compromising security within minutes. Checking the non-interactive sign-ins in Azure Active Directory is therefore advisable to minimize this blind spot in Office 365. To make review easier for admins, Microsoft groups and displays together all non-interactive sign-ins attempted from the same client application.
Besides reviewing non-interactive sign-ins, it is vital to keep track of potentially risky sign-ins and take the necessary actions.
Risky Users Overview
An Office 365 user who failed an MFA challenge, uses basic authentication, logged in with an expired password, or shows similar signals is considered a risky sign-in user. An attacker who steals such a user's login credentials then attempts to log in with them. This makes the sign-in process more complex and more dangerous for the organization.
Investigate Risky Sign-ins Using Azure Active Directory Identity Protection
To help admins, Azure Active Directory provides three key reports to analyze the severity of attacks and decide how to respond to current risks and future threats. Admins open Azure Active Directory > Security > Identity Protection to access the following reports.
Risky Users Report
Risky Sign-ins Report
This report includes MFA details, device details, location information, application information, and more, and contains filterable data for up to 30 days. Using it, admins can confirm a sign-in as compromised or confirm it as safe.
Risk Detections Report
This report groups risk detections by risk event type, sign-in location, and more, and holds risk detections for up to 90 days. From here, admins take the actions suggested by the reports above in more detail. Each of the reports above lets admins add and remove columns according to their reporting requirements.
Detect the Risky Sign-ins Based on Risk Event Types
- Impossible travel – occurs when a user logs in to Office 365 from geographically distant locations within a short time.
- Password spray – happens when an attacker attempts to guess users' passwords many times in a short period.
- Malware-linked IP address – indicates a user signing in from an IP address associated with malware.
- Leaked credentials – occurs when user credentials have been stolen and exposed.
- Unfamiliar sign-in properties – detected when a sign-in has properties that differ from the user's previously recorded sign-in history in Azure AD.
Admins view all risk detections by risk event type in the Azure AD Identity Protection portal. However, some risk event types are classed as premium detections and are available only to Azure AD Premium P2 customers. Tenants without an Azure AD Premium P2 license still receive the premium detections, but they appear only as "additional risk detected" and their details cannot be viewed.
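To make two of the risk event types above concrete, the following Python script is an added example (not code from the original article or from Microsoft) that implements simplified versions of the impossible travel and password spray detections over exported sign-in records. As in the earlier example, the records are constructed in the shape of the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `location.geoCoordinates`). The speed threshold, the spray window, the distinct-account threshold and all users, coordinates and IP addresses are assumptions chosen for the illustration; Microsoft's own detections use additional signals and tuning that the article does not describe.

```python
"""Two of the risk-event types above expressed as detection logic.

Added example. Records are constructed in the shape of the Microsoft Graph
`signIn` resource; they are not real logs. All thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # assumption: faster than an airliner is impossible
SPRAY_WINDOW_SECONDS = 600           # assumption: ten-minute window
SPRAY_MIN_DISTINCT_USERS = 5         # assumption: distinct accounts per source IP
ERROR_INVALID_CREDENTIALS = 50126    # AADSTS code for a wrong username or password


def rec(id_, user, ts, ip, error_code, lat=None, lon=None):
    """Build a constructed record; geoCoordinates is omitted when unknown."""
    location = {"geoCoordinates": {"latitude": lat, "longitude": lon}} if lat is not None else {}
    return {"id": id_, "userPrincipalName": user, "createdDateTime": ts,
            "ipAddress": ip, "status": {"errorCode": error_code}, "location": location}


# Constructed sample data (documentation IP ranges, fictitious users).
SAMPLE_SIGNINS = (
    # alice: Dublin, then Sydney one hour later -> impossible travel
    [rec("t1", "alice@contoso.example", "2024-05-01T08:00:00Z", "203.0.113.10", 0, 53.3498, -6.2603),
     rec("t2", "alice@contoso.example", "2024-05-01T09:00:00Z", "198.51.100.7", 0, -33.8688, 151.2093),
     # bob: London, then Paris two hours later -> plausible
     rec("t3", "bob@contoso.example", "2024-05-01T08:00:00Z", "203.0.113.11", 0, 51.5074, -0.1278),
     rec("t4", "bob@contoso.example", "2024-05-01T10:00:00Z", "203.0.113.12", 0, 48.8566, 2.3522)]
    # six different accounts failing with a bad password from one IP within three minutes
    + [rec(f"p{i}", f"user{i}@contoso.example", f"2024-05-01T09:0{i // 2}:{'30' if i % 2 else '00'}Z",
           "192.0.2.99", ERROR_INVALID_CREDENTIALS) for i in range(6)]
    # two failures from a second IP: below the spray threshold
    + [rec("q1", "erin@contoso.example", "2024-05-01T09:00:00Z", "192.0.2.5", ERROR_INVALID_CREDENTIALS),
       rec("q2", "frank@contoso.example", "2024-05-01T09:01:00Z", "192.0.2.5", ERROR_INVALID_CREDENTIALS)]
)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins):
    """Flag consecutive successful sign-ins by one user that would need faster-than-air travel.

    Returns a list of (user, earlier_id, later_id, implied_speed_kmh).
    """
    by_user = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["location"].get("geoCoordinates"):
            by_user[s["userPrincipalName"]].append(s)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_time(e["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (parse_time(cur["createdDateTime"]) - parse_time(prev["createdDateTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second sign-ins far apart are impossible too
            if km > 0 and speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append((user, prev["id"], cur["id"], speed))
    return findings


def password_spray(signins):
    """Flag source IPs that fail with a bad password against many distinct accounts in one window.

    Returns {ip: sorted list of targeted accounts}.
    """
    failures = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == ERROR_INVALID_CREDENTIALS:
            failures[s["ipAddress"]].append((parse_time(s["createdDateTime"]), s["userPrincipalName"]))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over time-ordered failures
            while (events[end][0] - events[start][0]).total_seconds() > SPRAY_WINDOW_SECONDS:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= SPRAY_MIN_DISTINCT_USERS:
                findings.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in findings.items()}


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE_SIGNINS))
    print("password spray:", password_spray(SAMPLE_SIGNINS))
```

The impossible-travel check deliberately ignores failed sign-ins and records without coordinates, so a single mislocated failed attempt does not raise a finding; the spray check keys on the source IP and counts distinct target accounts rather than raw failures, which is what separates a spray from one user mistyping a password.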
Automate the Risky Sign-in Detection and Remediate the Risks
- User risk policy – requires a secure password reset when the user risk level is High. The user must pass MFA before setting a new password through SSPR, which remediates the risk.
- Sign-in risk policy – requires the user to prove they are legitimate with one of their registered authentication methods (Azure AD MFA) when the sign-in risk level is Medium or High.
Custom Risk Based Access Policies
Using Azure AD Identity Protection to Monitor User Activity Conclusion
Azure AD Identity Protection is a powerful IAM solution that helps organizations proactively safeguard their online systems and mitigate potential risks. It provides insights into user behavior patterns, enabling organizations to make informed decisions about access policies and permissions. Using Azure AD Identity Protection enhances an organization’s security posture and helps maintain the trust of customers and stakeholders.