Azure, Office 365, Technology

12. Managing Azure AD Protection

Contents

Understanding Azure Identity Protection with User and Sign in Risk policies

Azure Identity Protection helps with the following tasks:

  • Automate the detection and remediation of identity based risks (compromised accounts, phishing attacks etc…)
  • Investigate risks using easy to find data
  • Export risk data to third part tools for further analysis

Identity Risk Detection Engines:

  • Heuristics: the system monitors how the user uses the systems (when they usually logon, from where, which device etc…) and using Machine Learning can make decisions  based on this information
  • Microsoft Partner Products: These are 3rd party security products that can interface with Microsoft to detect security issues

Risk Types

  • User Risk: probability a user identity has been compromised
  • Sign-in Risk:  probability a sign in is compromised
    – Real Time (Decision based in Real Time)
    – Aggregate (Decision based on real Time and non-Real Time)

Risk Detection

  • Atypical travel (user logs in NYC, then 5 mins later they logon in LA)
  • Anonymous IP Address
  • Unfamiliar sign in properties
  • Malware linked IP address
  • Leaked Credentials
  • Azure AD Threat Intelligence

Risk Investigation:

  • Risk Users
  • Risky Sign ins
  • Risky Detections

 

Enabling & Monitoring Azure AD Identity Protection User & Sign-in Risk Policies

Looks like you need Premium 2 Licences for these features

Configuring User Risk Policy

  1. Go to Azure Portal -> Azure AD Identity protection -> User Risk policy
  2. Assignments: set the users you want to apply it to
  3. Conditions: here you set a risk level (low, medium or high). This is based on an algorithm Microsoft has created.
  4. Access: Block or Allow (with the option of forcing a password change)

Configuring Sign in  Policy

  1. Go to Azure Portal -> Azure AD Identity protection -> Sign in Risk policy
  2. Assignments: set the users you want to apply it to
  3. Conditions: here you set a risk level (low, medium or high). This is based on an algorithm Microsoft has created.
  4. Access: Block or Allow (with forcing MFA)

Reports

You can access the reports for these policies on the same page.

Leave a Reply

Your email address will not be published. Required fields are marked *