I recently gave a talk on Azure Identity Protection at Phoenix Software in York and I wanted to give a summary about why you should consider reviewing the features and benefits whilst providing you with the Microsoft documentation and videos should you wish to learn more about the subject.
What is Azure AD and Identity Protection?
Azure AD is a modern identity and security platform built in the cloud and significantly enhances it’s predecessor Active Directory. Active Directory can be integrated with Azure AD so your company can leverage the benefits of Azure AD for your existing users and devices.
Identity Protection is a feature of Azure AD that helps you protect your organisation against ever evolving and continuous threats. These threats should be considered as both internal and external and Identity Protection will help you align to a strategy of a zero trust policy.
Identity Protection automatically detects identity-based risks and provides remedial action and reporting. Basically if Azure AD detects an account or identity is under threat it can take action automatically to protect, remediate and report on the problem. Azure AD administrators are also given the tools to further shape these mechanisms to align them with their business working practices and corporate policies.
These tools include, Multi-factor Authentication (MFA), Conditional Access Policies (CAP), Identity Protection Policies and Single Single On (SSO)
Where there’s a feature there’s a cost, here’s what you need to know about licensing for Azure AD Identity Protection with a P2 license you get the most detailed reporting
Identity Protection Overview
Azure AD continually monitors activity related to your identities and can highlight where suspicious behaviour occurs.
Azure AD Identity Protection will make assessments on the following Risk Types:
These Risk Types can be calculated in Real-Time or Offline and Microsoft makes 2 recommendations for choosing acceptable risk levels
Set User Risk policy to High
Set Sign-in Risk policy to Medium and above
Be aware that by setting these policies for these risk types means that lower risks are not assessed as part of the process. The screenshot below shows the types of risks associated with user or sign-in activity.
What do these Risk Levels mean?
User Risk is the probability that the identity has been compromised. Microsoft has mechanisms for evaluating this.
- Leaked Credentials
- Azure AD Threat Protection
Sign-in Risk is is probability that the authentication requested was not initiated by the Identity owner. Microsoft has several mechanisms for evaluating this.
- Anonymous IP address
- Atypical travel
- Malware linked IP address
- Unfamiliar sign-in properties
- Admin confirmed user compromised
- Malicious IP address
Real-Time or Offline
User and Sign-In risks are detected in either Real-Time or Offline. You should be aware of which method risks are detected with and also the time it takes to show within a report
How to deploy identity Protection
How to use Identity Protection
Simulating Risks with Identity Protection
You may be left wondering how you will actually setup some scenarios (safely) and test policies to satisfy your testing to ensure you get the behaviour you are expecting. Microsoft has also documented these steps so that you can do this. Their documentation gives you a few scenarios but you’ll need the Tor Browser to do this. If you have a license for Cloud App Security you can also feed the alerts in here instead of just remediating these through Azure AD. You’ll just need the minimum of a 30 day trial on Azure with ideally a P2 license to get the most benefit
Have fun learning!