Azure AD Identity Protection: Your First Line of Defense
In today's complex threat landscape, securing identities is paramount. Microsoft's Azure Active Directory (Azure AD) Identity Protection is a cloud-based identity detection and response solution that helps you detect, investigate, and respond to identity-based threats. This article dives into the core concepts of Azure AD Identity Protection, providing a foundational understanding for anyone looking to bolster their organization's security posture.
What is Azure AD Identity Protection?
Azure AD Identity Protection leverages Microsoft's vast threat intelligence graph to analyze trillions of signals, allowing it to identify and flag potential risks associated with user identities and sign-ins. It works by:
- Detecting anomalous sign-in activity, such as sign-ins from unfamiliar locations or at unusual times.
- Identifying compromised credentials through leaked credential detection.
- Assessing the risk associated with user accounts based on various factors.
- Providing tools to investigate and remediate identified risks.
Key Features and Concepts
Azure AD Identity Protection offers a suite of features designed to provide comprehensive identity security:
1. Risk Detection
This is the engine that powers Identity Protection. It continuously monitors for suspicious activities, including:
- User Risk: Indicates that a user account may be compromised. This can be due to factors like leaked credentials, brute-force attacks, or sign-ins from malware-infected machines.
- Sign-in Risk: Indicates that a sign-in attempt itself is suspicious. This includes scenarios like:
  - Impossible travel: A user signing in from two locations that are geographically impossible to travel between in a short period.
  - Anonymous IP address: Sign-in from an anonymous proxy or Tor exit node.
  - Unfamiliar sign-in properties: Sign-in from an unfamiliar location, device, or application.
  - Malware-linked IP address: Sign-in from an IP address known to be associated with malware.
  - Password spray: Sign-in patterns indicative of a password spray attack, where a few common passwords are tried against many accounts.
- Leaked Credentials: Azure AD scans for your organization's credentials (usernames and passwords) that have been found in known public data breaches.
2. Identity Protection Policies
Once risks are detected, you can configure policies to automatically respond:
- User Risk Policy: Define what happens when a user account is flagged as at risk. Actions can include requiring a password change, restricting access, or allowing access but with a heightened level of monitoring.
- Sign-in Risk Policy: Define what happens when a sign-in attempt is deemed risky. Options include requiring Multi-Factor Authentication (MFA), blocking the sign-in, or allowing access with a risk-based conditional access policy.
These policies can be customized based on the severity of the risk, ensuring that appropriate security measures are applied without hindering legitimate user access excessively.
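To make the two policies concrete, here is an added example (my own code, not Microsoft's) that models how a User Risk Policy and a Sign-in Risk Policy combine on a single sign-in, and renders each policy as the JSON body Microsoft Graph expects for a risk-based Conditional Access policy. The level ordering (low < medium < high), the `userRiskLevels` / `signInRiskLevels` condition keys and the `grantControls` shape follow the Graph `conditionalAccessPolicy` schema; the `RiskPolicy` class, `decide_controls()` and the sample events are assumptions made for illustration.

```python
"""Risk-based policy evaluation and the matching Conditional Access policy bodies.

Added example, not Microsoft's code. The risk-level ordering and the Graph JSON
produced by to_graph_body() follow Microsoft Graph's conditionalAccessPolicy
schema (userRiskLevels / signInRiskLevels / grantControls). RiskPolicy,
decide_controls() and the sample events are illustrative assumptions.
"""
import json
from dataclasses import dataclass
from typing import List

# Identity Protection risk levels, ordered from least to most severe.
# "none" means the event carried no risk detection at all.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskPolicy:
    """One policy: fires when the observed level is at or above the threshold."""
    name: str
    risk_kind: str        # "user" or "signIn"
    threshold: str        # lowest level that triggers the policy
    controls: List[str]   # Graph builtInControls, e.g. ["mfa", "passwordChange"]
    operator: str         # "AND" = all controls required, "OR" = any one suffices

    def levels_covered(self) -> List[str]:
        """Every level at or above the threshold, as the Graph schema lists them."""
        return [lvl for lvl, rank in RISK_ORDER.items()
                if rank >= RISK_ORDER[self.threshold] and lvl != "none"]

    def applies(self, observed_level: str) -> bool:
        return RISK_ORDER[observed_level] >= RISK_ORDER[self.threshold]

    def to_graph_body(self, state: str = "enabledForReportingButNotEnforced") -> dict:
        """Body for POST /identity/conditionalAccess/policies (Graph v1.0 schema)."""
        conditions = {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        }
        # Graph keys the risk condition by kind: userRiskLevels vs signInRiskLevels.
        conditions[f"{self.risk_kind}RiskLevels"] = self.levels_covered()
        return {
            "displayName": self.name,
            "state": state,   # start in report-only mode, then switch to "enabled"
            "conditions": conditions,
            "grantControls": {"operator": self.operator,
                              "builtInControls": self.controls},
        }


# Baseline mirroring the article: high user risk -> MFA plus password change,
# medium-or-high sign-in risk -> MFA.
USER_RISK_POLICY = RiskPolicy("User risk: remediate high-risk users", "user", "high",
                              ["mfa", "passwordChange"], "AND")
SIGNIN_RISK_POLICY = RiskPolicy("Sign-in risk: MFA on medium and high", "signIn", "medium",
                                ["mfa"], "OR")


def decide_controls(user_risk: str, signin_risk: str,
                    policies=(USER_RISK_POLICY, SIGNIN_RISK_POLICY)) -> List[str]:
    """Return the union of controls the sign-in must satisfy, in enforcement order.

    A sign-in carries both the account's current user risk and the attempt's own
    sign-in risk, so both policies are evaluated and their controls merged.
    """
    required = []
    for policy in policies:
        observed = user_risk if policy.risk_kind == "user" else signin_risk
        if policy.applies(observed):
            for control in policy.controls:
                if control not in required:
                    required.append(control)
    # Enforcement order: a block ends the flow; a password change is only
    # offered after MFA has succeeded.
    required.sort(key=lambda c: {"block": 0, "mfa": 1, "passwordChange": 2}.get(c, 9))
    return required


if __name__ == "__main__":
    # Constructed sample events (not real tenant data).
    samples = [("none", "low"), ("none", "medium"), ("high", "none"), ("medium", "high")]
    for user_risk, signin_risk in samples:
        print(f"user={user_risk:6} signIn={signin_risk:6} -> "
              f"{decide_controls(user_risk, signin_risk)}")
    print(json.dumps(USER_RISK_POLICY.to_graph_body(), indent=2))
```

Creating the policy with `state` set to report-only first lets you see in the sign-in logs which users the policy would have affected before it enforces anything; the `AND` operator on the user-risk policy matters because a password change is only meaningful once the session has proven itself with MFA.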
3. Risk Score and Remediation
Each user and sign-in attempt is assigned a risk score, ranging from low to high. This score helps you prioritize your response efforts. Azure AD Identity Protection provides:
- User Risk Levels: Low, Medium, High.
- Sign-in Risk Levels: Low, Medium, High.
The platform offers built-in remediation actions, such as prompting users to reset their passwords or register for MFA, directly from the Azure portal. You can also integrate with other security tools for more advanced investigations.
4. Reporting and Dashboards
Visualize and understand your organization's identity security posture through comprehensive dashboards:
- Risky Users: A list of users with detected risk, sortable by risk level.
- Risky Sign-ins: A log of all sign-in attempts flagged as risky.
- Vulnerability Assessment: Identifies weak points in your identity configurations.
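The detection types in section 1, the risk levels in section 3 and the Risky Users report in section 4 come together when an analyst triages what Identity Protection has flagged. The following added example (my own code, not Microsoft's) runs a simple triage over risk detection records shaped like the Microsoft Graph `riskDetection` resource returned by `GET /identityProtection/riskDetections`: it drops detections already remediated or dismissed, collapses the rest to one row per user with that user's highest level, and proposes an action. The records are constructed sample data, and the triage rules (`CLOSED_STATES`, `CREDENTIAL_EXPOSURE`, the action mapping) are my assumptions, not Microsoft defaults.

```python
"""Triage of Identity Protection risk detections pulled from Microsoft Graph.

Added example, not Microsoft's code. The record fields (userPrincipalName,
riskEventType, riskLevel, riskState, activityDateTime, ipAddress) follow the
Graph riskDetection resource; the records below are constructed sample data and
the triage rules are one reasonable way to prioritise the Risky Users report.
"""
from collections import defaultdict
from typing import Dict, List

RISK_RANK = {"low": 1, "medium": 2, "high": 3}

# riskState values meaning an analyst or the user already dealt with the detection.
CLOSED_STATES = {"remediated", "dismissed", "confirmedSafe"}

# Detection types that point at exposed credentials and warrant a reset at any level
# (assumed rule for this example).
CREDENTIAL_EXPOSURE = {"leakedCredentials", "adminConfirmedUserCompromised", "passwordSpray"}

# Constructed sample of what the riskDetections endpoint returns (trimmed fields).
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "riskState": "atRisk",
     "activityDateTime": "2024-05-01T08:02:11Z", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium", "riskState": "atRisk",
     "activityDateTime": "2024-05-01T08:40:55Z", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk",
     "activityDateTime": "2024-04-30T22:15:00Z", "ipAddress": None},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "remediated",
     "activityDateTime": "2024-04-29T13:00:00Z", "ipAddress": "192.0.2.44"},
    {"userPrincipalName": "dave@contoso.example", "riskEventType": "passwordSpray",
     "riskLevel": "low", "riskState": "atRisk",
     "activityDateTime": "2024-05-01T03:12:09Z", "ipAddress": "203.0.113.200"},
]


def triage(detections: List[dict]) -> List[dict]:
    """Collapse open detections into one row per user, highest priority first."""
    per_user: Dict[str, dict] = defaultdict(
        lambda: {"max_level": "low", "count": 0, "event_types": set(), "ips": set()})
    for d in detections:
        if d["riskState"] in CLOSED_STATES:
            continue  # already handled; the Risky Users report hides these as well
        row = per_user[d["userPrincipalName"]]
        row["count"] += 1
        row["event_types"].add(d["riskEventType"])
        if d.get("ipAddress"):  # leaked-credential detections carry no IP
            row["ips"].add(d["ipAddress"])
        if RISK_RANK[d["riskLevel"]] > RISK_RANK[row["max_level"]]:
            row["max_level"] = d["riskLevel"]

    rows = []
    for upn, row in per_user.items():
        exposure = bool(row["event_types"] & CREDENTIAL_EXPOSURE)
        rows.append({
            "user": upn,
            "max_level": row["max_level"],
            "open_detections": row["count"],
            "event_types": sorted(row["event_types"]),
            "source_ips": sorted(row["ips"]),
            # Reset on any credential-exposure signal; otherwise an MFA challenge for
            # medium/high and monitor-only for an isolated low-level detection.
            "action": ("reset-password" if exposure
                       else "require-mfa" if RISK_RANK[row["max_level"]] >= 2
                       else "monitor"),
        })
    # Highest level first, then users with several independent signals.
    rows.sort(key=lambda r: (-RISK_RANK[r["max_level"]], -r["open_detections"], r["user"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_DETECTIONS):
        print(f'{r["max_level"]:6} {r["open_detections"]}x {r["user"]:24} '
              f'{r["action"]:15} {",".join(r["event_types"])}')
```

On the sample data this surfaces bob (high, leaked credentials) first, then alice, whose two medium-or-lower detections within forty minutes from different addresses are the impossible-travel pattern described above, and keeps carol out of the queue because her detection is already marked remediated.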
Getting Started with Azure AD Identity Protection
Azure AD Identity Protection is a feature of Azure AD Premium P2. To begin, ensure your organization has the necessary licensing and then navigate to the Identity Protection section within the Azure portal.
Key initial steps include:
- Reviewing and configuring your User Risk Policy.
- Reviewing and configuring your Sign-in Risk Policy.
- Familiarizing yourself with the Risk Dashboard and Risky Users/Sign-ins reports.
- Ensuring MFA registration is enabled for your users as a foundational security control.
Conclusion
Azure AD Identity Protection is an indispensable tool for modern security. By understanding and implementing its features, organizations can significantly reduce their attack surface, protect against credential theft, and maintain a more secure identity environment. Continuously monitoring risks and adapting policies is crucial to staying ahead of evolving threats.
Ready to enhance your Azure AD security? Explore Conditional Access policies for more granular control.
By Microsoft Security Team