In our last articles we have discussed on, how to configure Azure Self-Service Password Reset (SSPR). Today In this article, we will continue with one more important and crucial Azure Service is Azure AD Identity Protection.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.
Azure AD Identity Protection :
Azure Active Directory (Azure AD) Identity Protection allows us to detect potential vulnerabilities affecting our organization’s identities, configure automated responses, and investigate incidents.
We can say Identity Protection is a tool that allows organizations to accomplish three key tasks.
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to third-party utilities for further analysis.
Risk Type :
Microsoft categorized all risks into following two types.
- User Risk – A User Risk represents the probability that a given identity or account is compromised.
- Sign-In Risk – A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. For example it checks for things like whether a user has signed in from an unfamiliar location or unfamiliar IP address.
Risk Detection Type :
Currently, Azure Active Directory detects following six types of risk detection.
- Users with leaked credentials.
- Sign-ins from anonymous IP addresses.
- Impossible travel to atypical locations.
- Sign-ins from infected devices.
- Sign-ins from IP addresses with suspicious activity.
- Sign-ins from unfamiliar locations.
Investigation Of Risk :
Azure AD Identity Protection provides organizations with following three reports and organization can use them to investigate identity risks in their environment.
- Risky Users Report- This reports comes with following information, which helps administrator to take appropriate decision. In the following image, we can see one risk user information.
- Which users are at risk, have had risk remediated, or have had risk dismissed?
- Details about detections
- History of all risky sign-ins
- Risk history
- Risky sign-ins Report – This reports comes with following information. In the following figure , we can see there is not risk from user’s sign-in
- Which sign-ins are classified as at risk, confirmed compromised, confirmed safe, dismissed, or remediated.
- Real-time and aggregate risk levels associated with sign-in attempts.
- Detection types triggered
- Conditional Access policies applied
- MFA details
- Device information
- Application information
- Location information
- Risk detections Report – The risk detections report contains filterable data for up to the past 90 days (3 months).
- Information about each risk detection including type.
- Other risks triggered at the same time
- Sign-in attempt location
- Link out to more detail from Microsoft Cloud App Security (MCAS).
Identity Protection policies :
Azure Active Directory Identity Protection includes three default policies that administrators can choose to enable. Each policies are configured separately and can be applied to all users or selected users and groups. We can also exclude users, for example if they are a member of an included group.
Policies are there to automatically enforce remediation steps, or we can view reports of risk users and risky sign-in attempts, for manual remediation. There are following three different policies.
1 . Azure MFA Registration Policy :
When we configure this policy, it helps organizations roll out Azure Multi-Factor Authentication (MFA) using a Conditional Access policy requiring registration at sign-in.
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. After I configured MFA policy for my tenant, when I tried to login from a different browser, I have asked to provide more information as shown in the following figure.
2 . Sign-in Risk Policy :
When we configured Sign-in Risk Policy, Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn’t performed by the user. Administrators can make a decision based on this risk score or risk level from Risky sign-ins Report. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication.
If risk is detected, users can also perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary task for administrators.
NOTE : Users must have previously registered for Azure Multi-Factor Authentication before triggering the sign-in risk policy. In our last article, we have discussed how to register user.
3. User Risk Policy :
User risk is a calculation of probability that an identity has been compromised. Administrators can make a decision based on this risk score information from User Risk Report and signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset.
In my environment, I have configured my User Risk Policy in a way so that, policy will enforce to block the user if it found the user has a risky identity. In the Risk Investigation section we have seen in the Risky Users Report (Figure 3) that the user “Uday@manasmoharanagmail.onmicrosoft.com” is a risky user shown in figure . So it blocked the user to sign-in as shown in the following figure.
Notify User :
In response to a detected account at risk, Azure AD Identity Protection generates an email alert with Users at risk detected as subject. The email includes a link to the Users flagged for risk report. As a best practice, we should immediately investigate the users at risk. I can configured the alert so that a specific admin group or user can get notification as shown in the following figure.
To Manage Azure AD Identity Protection service, the user should assigned with following roles
- Global Administrator
- Global Reader
- Security Reader
- Security Operator
- Security Administrator
To use this feature in full flex, it requires an Azure AD Premium P2 license. Azure AD Premium P1 license can eget very limited information from those three reports (Risky users,Risky sign-ins,Risk detections ) other wise there is no other support.
As I am exploring the Azure Identity and Access Management (IAM). Please let me know if I missed anything important or if my understanding is not up to mark. In our next article we will continue one more feature of Azure AD.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂 .