Azure AD Identity Protection

I recently gave a talk on Azure Identity Protection at Phoenix Software in York and I wanted to give a summary about why you should consider reviewing the features and benefits whilst providing you with the Microsoft documentation and videos should you wish to learn more about the subject.

What is Azure AD and Identity Protection?

Azure AD is a modern, cloud-built identity and security platform that significantly enhances its predecessor, Active Directory. Active Directory can be integrated with Azure AD so your company can leverage the benefits of Azure AD for your existing users and devices.

Identity Protection is a feature of Azure AD that helps you protect your organisation against ever-evolving and continuous threats. These threats should be considered as both internal and external, and Identity Protection will help you align with a zero trust strategy.

Identity Protection automatically detects identity-based risks and provides remedial action and reporting. Basically, if Azure AD detects that an account or identity is under threat, it can take action automatically to protect, remediate and report on the problem. Azure AD administrators are also given the tools to further shape these mechanisms to align them with their business working practices and corporate policies.

These tools include Multi-factor Authentication (MFA), Conditional Access Policies (CAP), Identity Protection Policies and Single Sign-On (SSO).

License Requirements

Where there’s a feature there’s a cost. Here’s what you need to know about licensing for Azure AD Identity Protection: with a P2 license you get the most detailed reporting.

Identity Protection Overview

Documentation

Assessing Risk

Azure AD continually monitors activity related to your identities and can highlight where suspicious behaviour occurs.

Azure AD Identity Protection will make assessments on the following Risk Types:

User
Sign-in

These Risk Types can be calculated in Real-Time or Offline, and Microsoft makes two recommendations for choosing acceptable risk levels:

Set User Risk policy to High
Set Sign-in Risk policy to Medium and above

Be aware that setting these policies at these risk levels means that lower risk levels are not assessed as part of the process. The screenshot below shows the types of risks associated with user or sign-in activity.

What do these Risk Levels mean?

User Risk

User Risk is the probability that the identity has been compromised. Microsoft has mechanisms for evaluating this.

  1. Leaked Credentials
  2. Azure AD Threat Protection

Sign-in Risk

Sign-in Risk is the probability that the authentication request was not initiated by the identity owner. Microsoft has several mechanisms for evaluating this.

  1. Anonymous IP address
  2. Atypical travel
  3. Malware linked IP address
  4. Unfamiliar sign-in properties
  5. Admin confirmed user compromised
  6. Malicious IP address

Real-Time or Offline

User and Sign-In risks are detected in either Real-Time or Offline. You should be aware of which method each risk is detected with, and also the time it takes to show within a report.
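To make the two recommended thresholds (user risk High, sign-in risk Medium and above) and the real-time/offline distinction concrete, here is an added Python example; it is not Microsoft's code and not part of the original post. The policy dictionaries are shaped like the Microsoft Graph conditionalAccessPolicy resource (userRiskLevels, signInRiskLevels, grantControls), the detection records follow the riskDetection resource (riskEventType, riskLevel, detectionTimingType), the sample detections are constructed, and the break-glass object id is a placeholder. It builds both policies in report-only mode and then shows which constructed detections each policy would act on and which fall below the threshold and therefore need manual review.

```python
"""Azure AD Identity Protection: recommended risk policies and a threshold check.

Added illustration, not Microsoft's code. Field names follow the Microsoft Graph
conditionalAccessPolicy and riskDetection resources; detections are constructed.
"""
import json
from typing import Dict, List, Optional

# Risk levels in ascending order, so "medium and above" can be expanded.
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}

# Graph riskEventType names for the detections listed in the post, by risk type.
USER_RISK_EVENTS = {"leakedCredentials", "investigationsThreatIntelligence"}
SIGNIN_RISK_EVENTS = {"anonymizedIPAddress", "unlikelyTravel", "malwareInfectedIPAddress",
                      "unfamiliarFeatures", "adminConfirmedUserCompromised", "maliciousIPAddress"}


def risk_levels_at_or_above(minimum: str) -> List[str]:
    """Levels a policy must list to cover `minimum` and everything above it."""
    return [lvl for lvl, rank in RISK_ORDER.items() if rank >= RISK_ORDER[minimum]]


def recommended_policies() -> List[Dict]:
    """Microsoft's two recommendations, created in report-only mode for review first."""
    common = {
        "users": {"includeUsers": ["All"],
                  # Placeholder (not a real id): keep a break-glass account outside risk policies.
                  "excludeUsers": ["<break-glass-account-object-id>"]},
        "applications": {"includeApplications": ["All"]},
    }
    user_risk = {
        "displayName": "Identity Protection - user risk high - secure password change",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {**common, "userRiskLevels": risk_levels_at_or_above("high")},
        # A secure password change is MFA AND password change.
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    }
    signin_risk = {
        "displayName": "Identity Protection - sign-in risk medium and above - require MFA",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {**common, "signInRiskLevels": risk_levels_at_or_above("medium")},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    return [user_risk, signin_risk]


# Constructed sample detections; example.com accounts, not real tenant data.
SAMPLE_DETECTIONS = [
    {"riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "detectionTimingType": "realtime", "userPrincipalName": "alice@example.com"},
    {"riskEventType": "unlikelyTravel", "riskLevel": "low",
     "detectionTimingType": "offline", "userPrincipalName": "bob@example.com"},
    {"riskEventType": "leakedCredentials", "riskLevel": "high",
     "detectionTimingType": "offline", "userPrincipalName": "carol@example.com"},
    {"riskEventType": "unfamiliarFeatures", "riskLevel": "high",
     "detectionTimingType": "realtime", "userPrincipalName": "dave@example.com"},
]


def evaluate(detection: Dict, policies: List[Dict]) -> Dict:
    """Return which policy (if any) the detection trips and what control it would require."""
    event = detection["riskEventType"]
    if event in USER_RISK_EVENTS:
        key = "userRiskLevels"
    elif event in SIGNIN_RISK_EVENTS:
        key = "signInRiskLevels"
    else:
        raise ValueError(f"unknown riskEventType: {event}")
    triggered: Optional[str] = None
    controls: List[str] = []
    for policy in policies:
        if detection["riskLevel"] in policy["conditions"].get(key, []):
            triggered = policy["displayName"]
            controls = policy["grantControls"]["builtInControls"]
            break
    return {"user": detection["userPrincipalName"], "event": event,
            "timing": detection["detectionTimingType"],
            "triggered": triggered, "controls": controls}


def triage(detections: List[Dict] = SAMPLE_DETECTIONS) -> List[Dict]:
    """Evaluate every detection against the recommended policies."""
    return [evaluate(d, recommended_policies()) for d in detections]


if __name__ == "__main__":
    print(json.dumps(recommended_policies(), indent=2))
    for row in triage():
        note = "" if row["triggered"] else "  <- below threshold: review manually"
        print(f'{row["user"]:18} {row["event"]:22} {row["timing"]:9} -> {row["controls"]}{note}')
```

Running it shows the point of the caveat: the low-risk offline atypical-travel detection is not touched by either policy, so it only ever appears in the risky detections report, while the offline leaked-credentials detection is caught by the user risk policy but only once the offline evaluation has completed.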

How to deploy Identity Protection

How to use Identity Protection

Simulating Risks with Identity Protection

You may be left wondering how you will actually set up some scenarios (safely) and test your policies so that you get the behaviour you are expecting. Microsoft has also documented these steps so that you can do this. Their documentation gives you a few scenarios, but you’ll need the Tor Browser to do this. If you have a license for Cloud App Security you can also feed the alerts in there instead of just remediating these through Azure AD. You’ll just need a minimum of a 30 day trial on Azure, ideally with a P2 license to get the most benefit.

Simulate Risk Detections

Have fun learning!
