Active Directory & Office 365 Reporting Tool

Using Azure AD Identity Protection to Monitor User Activity. In today’s digital age, organizations face numerous challenges securing their online systems and data from cyber threats. One such challenge is the risk of unauthorized access to user accounts, which leads to data breaches, financial losses, and reputational damage.

Organizations shall make use and utilize identity and access management (IAM) tools like Microsoft Azure Active Directory (Azure AD) Identity Protection to reduce these threats. All in all, Azure AD Identity Protection helps organizations monitor user activity and detect potential security risks in real time.

Using Azure AD Identity Protection to Monitor User Activity

By leveraging Azure AD Identity Protection, organizations gain insights into user behaviour patterns, detect anomalies, and take corrective action to prevent unauthorized access before perpetrators deal any damage. In addition, by enabling seamless resource access for users, this proactive approach to IAM strengthens security posture and enhances user experience.

Prerequisites to View Azure Sign-in Logs

Before an organization effectively use Azure AD Identity Protection to monitor user activity and mitigate potential security risks, we must first meet several requirements. These include setting up an Azure AD tenant, configuring Azure AD Identity Protection, and ensuring that the appropriate licenses are in place. Additionally, organizations must clearly understand their existing identity and access management processes and policies to ensure a seamless transition to Azure AD Identity Protection.

We find the prerequisites below:

  1. To access the sign-in logs, we should assign one of the users with any of the following Azure roles
  • Global Admin. 
  • Security Admin . 
  • Security Reader . 
  • Global Reader.  
  • Reports Reader.

2. The sign-in activity report in the AAD admin center is available in all the editions of Azure AD. However, we require an AAD P1 or P2 license to access the report through Microsoft Graph API.
3. Users also view their sign-ins through https://mysignins.microsoft.com/ 

Importance of Keeping Track with Azure AD Sign Ins

By reviewing Azure AD sign-in logs, admins keep an eye on and take necessary actions on the users’ sign-ins with the help of the below critical information that the report provides:

  • The sign-in pattern of the user.
  • User sign-in location.  
  • Signed-in device details. 
  • Identify users’ sign-ins using legacy protocols. 
  • Sign-in that passes MFA challenges. 
  • A client app that uses an access token to sign-in. 
  • Any sign-in occurred from disabled accounts or expired passwords.
  • The number of users, apps, or services that were signed in recently.   
  • Is there any conditional access defined? If yes, the status of the conditional access. 
  • The authentication methods used for sign-ins and more such details.

Types of Azure AD Sign-ins in Microsoft 365

Microsoft has classified the O365 sign-in reports to reduce the burden for admins:

  • Interactive sign-ins – performed by users with authentication factors such as passwords, passing MFA challenges, biometric characteristics, and using QR codes.  
  • Non – Interactive sign-ins – performed by the client apps on behalf of the users without the need for any authentication factors or interaction from users. 
  • Service principal sign-ins – performed by the applications or service principal using its own certificate or client app secret for accessing the resources. 
  • Managed identity sign-ins – performed by the resources that have their secrets managed by Azure in the Key Vault service.

However, other sign-ins, except interactive sign-ins, are currently in preview mode and will generally be available soon.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Monitor Non-Interactive Logins to Mitigate High Number of Risks

Non-interactive sign-ins play a significant role in the organization’s malicious security attacks. This sign-in requires neither a username nor a password. Instead, an OAuth authentication code or MFA token that we used for authorization.

Also, security spoilers perform phishing attacks by stealing passwords that are hard-coded in shared scripts or files and compromise security within minutes. So, checking the non-interactive sign-ins in the Azure Active Directory is advisable to minimize the blind spot in Office 365. To make it easier for admins, Microsoft groups and shows all the non-interactive logins when attempted from the same client application.

Admins expand the rows to see all the different sign-ins and their different time stamps.

Besides reviewing the non-interactive sign ins, keeping track of potential risky sign-ins and taking necessary actions is vital.

Risky Users Overview

An Office 365 user who failed to pass MFA, configured basic authentication, logged in with an expired password and more is considered a risky sign-in user. The attacker steals the login credentials of those users and attempts to log in with the stolen data. This situation makes the sign-in process more complex and malicious to the organization.

Thus, monitoring risky sign-in detections is very important for admins to protect their organizations from severe threats. To view the risky sign-ins in Azure AD, admins should:

Investigate Risky Sign-ins Using Azure Active Directory Identity Protection

To help admins, Azure Active Directory provides three key reports to analyze the severity of attacks and determine how to respond to the risk and future threats. Admins access Azure Active Directory > Security > Identity Protection to get the following reports.

Risky Users Report

This report provides info such as risky users, risk levels, details of detections, and so on. This report lets admins take action, such as resetting the user password, dismissing user risk, blocking user sign-ins, etc.

Risky Sign-ins Report

MFA details, device details, location info, application information, and more are available in this report. This report contains filterable data for up to 30 days. Admins let users confirm the sign-in compromise and the sign-in safe using this report.

Risk Detections Report

Generate risks based on risk event types, sign-in attempt locations, and more under this report. It consists of risk detections for up to 90 days. After that, admins take action as suggested for the above reports in a more detailed way. Each report above allows additions and removals of columns based on admins’ reporting requirements.

Detect the Risky Sign-ins Based on Risk Event Types

Risks are real time or offline. Therefore, admins should know how to check all types of risks based on risk events to understand better and identify the weak points and safeguard the organization. Some crucial risk events that cause severe impact are:

  • Impossible travel occurs when logging in to Office 365 from distant locations quickly. 
  • Password Spray – happens when an attacker attempts to guess a user’s password multiple times in a short period. 
  • Malware-linked IP address – depicts a user signing in with a malicious IP address. 
  • Leaked Credentials – occurs due to the theft of user credentials
  • Unfamiliar sign in properties – detected when a sign-in occurs from a different and unknown sign-in property in Azure AD compared to the previously saved sign-in history.

Admins view all the risk sign-in detections based on risk event types from their Azure AD Identity Protection portal. However, some risk event types are marked as premium detections and are available only for Azure AD Premium P2 users. Users without Azure AD P2 license still receive the premium detections, and are titled “additional risk detected” that we cannot view.

Automate the Risky Sign-in Detection and Remediate the Risks

One step further, admins enable two types of risk policies to automate the risk response and allow users to self-remediate upon detecting any risk:

  1. User Risk Policy – This policy requires a secure password reset when the user risk level is High. It asks for MFA before creating a new password with SSPR to remediate the risk. 
  2. Sign-in Risk Policy – requires users to prove that he is legitimate users using any one of their authentication methods (Azure AD MFA) when a user’s sign-in risk level is Medium or High. 

Custom Risk Based Access Policies

Additionally, admins create custom user risk and sign-in risk policies using the Azure AD Conditional Access policies. With these risk-based access policies, admins restrict access to vulnerable and compromised devices and protect data inside applications.

Using Azure AD Identity Protection to Monitor User Activity Conclusion

Azure AD Identity Protection is a powerful IAM solution that helps organizations proactively safeguard their online systems and mitigate potential risks. It provides insights into user behavior patterns, enabling organizations to make informed decisions about access policies and permissions. Using Azure AD Identity Protection enhances an organization’s security posture and helps maintain the trust of customers and stakeholders.


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Marion Mendoza

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.

Leave a comment

Your email address will not be published. Required fields are marked *