Manage Azure AD Identity Protection
Overview
Azure Active Directory (Azure AD, now Microsoft Entra ID) Identity Protection is a built-in feature of the directory that helps organizations detect, investigate, and remediate identity-based risk. It combines Microsoft's threat intelligence with machine learning and behavioral analytics to flag suspicious activity, such as:
- Atypical (impossible) travel and sign-ins with unfamiliar properties (new location, device or browser)
- Sign-ins from anonymous IP addresses (Tor, anonymizing VPNs) or from IP addresses linked to malware
- Leaked credentials found in public breach dumps and criminal marketplaces
- Password spray and other unusual sign-in patterns
By providing visibility into these risks, Identity Protection empowers security teams to protect identities and prevent unauthorized access to organizational resources.
Getting Started
To use the full feature set (risk policies, the detailed risk reports and the risk APIs) you need an Azure AD Premium P2 license (included in Microsoft 365 E5). Risk detection itself runs for every tenant, but tenants without P2 see only a limited view of the results. There is nothing to switch on: once licensed, the Identity Protection blade appears in the Azure portal (and in the Microsoft Entra admin center).
Key Features
- Risk detection: real-time and offline detections for users and sign-ins, each with a type, a level (low, medium, high) and a state (at risk, remediated, dismissed, confirmed compromised or confirmed safe).
- Risk policies: automatic responses to detected risk, for example require multi-factor authentication (MFA) for risky sign-ins or a password change for risky users.
- Vulnerability report: identity configuration weaknesses that raise risk, such as users who have not registered for MFA (part of the older Identity Protection experience).
- Reports: risky users, risky sign-ins and the individual risk detections behind them.
Configuration
Configuring Identity Protection involves defining risk policies and managing user risk levels. Here’s a high-level overview:
User Risk Policies
These policies act when a user's aggregated risk level reaches the configured threshold. Common configurations include:
- Require MFA for users at risk.
- Require a password change for users at risk (combined with MFA; completing it remediates the user's risk).
- Block access until an administrator investigates.
Users cannot dismiss their own risk: "dismiss" and "confirm compromised" are administrator actions taken from the Risky users report.
Sign-in Risk Policies
These policies trigger actions when a sign-in event is deemed risky. Common configurations include:
- Require MFA for risky sign-ins (completing MFA marks that sign-in as remediated).
- Block access for risky sign-ins.
Each policy is scoped to all users or to selected groups, with exclusions. Always exclude your emergency access (break-glass) accounts so a misfiring policy cannot lock every administrator out, and start in report-only mode so you can see what would be affected before enforcing.
Monitoring & Reporting
Identity Protection provides several reports to help you monitor your security posture:
- Risky users: users whose aggregated risk is low, medium or high, with their current risk state.
- Risky sign-ins: individual sign-in events scored as risky, with the detections that contributed.
- Vulnerabilities: identity misconfigurations that increase risk (older experience).
- Risk detections: every individual detection (type, level, time, IP address, location) behind the user and sign-in scores.
You can also stream these reports to a Log Analytics workspace through Azure AD diagnostic settings (the RiskyUsers and UserRiskEvents log categories) and analyze them in Microsoft Sentinel (formerly Azure Sentinel) or another SIEM.
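As an added example (not part of the original page or of Microsoft's tooling), the following Python triages records in the shape Microsoft Graph returns for risk detections. It drops detections that are already remediated, dismissed or confirmed safe, scores each user's open detections, and escalates a user whose leaked-credential detection is followed within 24 hours by a corroborating risky sign-in. The detections, names, IP addresses and the 24-hour window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Microsoft Graph riskDetection objects
# (only the fields the triage uses). Names, times and IPs are made up.
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk", "activity": "user",
     "activityDateTime": "2024-03-01T08:00:00Z", "ipAddress": None},
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "atRisk", "activity": "signin",
     "activityDateTime": "2024-03-01T10:30:00Z", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "riskState": "remediated", "activity": "signin",
     "activityDateTime": "2024-02-28T22:10:00Z", "ipAddress": "203.0.113.5"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium", "riskState": "atRisk", "activity": "signin",
     "activityDateTime": "2024-03-02T01:15:00Z", "ipAddress": "192.0.2.44"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "passwordSpray",
     "riskLevel": "high", "riskState": "dismissed", "activity": "signin",
     "activityDateTime": "2024-03-02T01:20:00Z", "ipAddress": "192.0.2.44"},
]

# Only detections nobody has closed yet count towards the verdict.
OPEN_STATES = {"atRisk", "confirmedCompromised"}
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}
# Sign-in detection types that, next to a leaked-credential event, suggest the
# leaked password is actually being used (assumption chosen for this example).
SIGNIN_CORROBORATION = {"anonymizedIPAddress", "unfamiliarFeatures", "unlikelyTravel",
                        "maliciousIPAddress", "malwareInfectedIPAddress"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def triage(detections, window=timedelta(hours=24)):
    """Return {upn: {"score", "verdict", "reasons"}} for users with open detections."""
    per_user = defaultdict(list)
    for d in detections:
        if d["riskState"] in OPEN_STATES:
            per_user[d["userPrincipalName"]].append(d)
    result = {}
    for upn, ds in per_user.items():
        score = sum(LEVEL_SCORE.get(d["riskLevel"], 0) for d in ds)
        reasons = sorted({d["riskEventType"] for d in ds})
        leaked = [d for d in ds if d["riskEventType"] == "leakedCredentials"]
        corroborating = [d for d in ds if d["riskEventType"] in SIGNIN_CORROBORATION]
        # leaked credential plus a risky sign-in inside the window: treat as compromise
        probable = any(abs(_parse(lk["activityDateTime"]) - _parse(s["activityDateTime"])) <= window
                       for lk in leaked for s in corroborating)
        if probable:
            verdict = "probable compromise: confirm compromised, force password reset"
        elif score >= 3:
            verdict = "investigate"
        else:
            verdict = "monitor"
        result[upn] = {"score": score, "verdict": verdict, "reasons": reasons}
    return result


def ranked(detections):
    """Triage results ordered by score, highest first."""
    return sorted(triage(detections).items(), key=lambda kv: -kv[1]["score"])


if __name__ == "__main__":
    for upn, info in ranked(SAMPLE_DETECTIONS):
        print(f"{upn:26} score={info['score']} {info['verdict']} ({', '.join(info['reasons'])})")
```

In production the input would be the value array from GET /identityProtection/riskDetections (or the UserRiskEvents table in Log Analytics); the scoring weights and the correlation window are the knobs to tune against your own false-positive rate.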
Policies
Identity Protection policies are the core mechanism for automating responses to detected risk. They are Conditional Access policies with a risk condition, so you can define them granularly by:
- User risk level: Low, Medium, High. Microsoft's baseline is to act on High.
- Sign-in risk level: Low, Medium, High; sign-ins with no detection are "No risk" and are normally left out. Microsoft's baseline is to act on Medium and High.
- Targeted users and groups: include everyone or specific groups, and exclude break-glass accounts.
Example policy settings, expressed as the Microsoft Graph conditionalAccessPolicy body you would POST to /identity/conditionalAccess/policies. User risk "high" requires MFA; the sign-in risk list is left empty so the policy reacts to user risk only. Replace the placeholder in excludeUsers with the object ID of your emergency access account.
{
  "displayName": "Require MFA for High Risk Users",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<object-id-of-break-glass-account>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "userRiskLevels": ["high"],
    "signInRiskLevels": []
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
Setting "state" to "enabledForReportingButNotEnforced" runs the same policy in report-only mode; "passwordChange" can be added to builtInControls only together with "mfa" and with "operator" set to "AND".
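Building on the Configuration section and the policy example above, here is an added Python example (my code, not Microsoft's SDK or a sample from the page) that generates both baseline policies as Microsoft Graph conditionalAccessPolicy bodies, starts them in report-only state, and refuses to build a body that would be rejected or would lock you out: no risk scope, a password change without MFA, "block" mixed with other grants, or no exclusions. The break-glass object ID and the policy names are placeholders.

```python
import json

# Placeholder object ID for an emergency-access account (assumption; use your own).
BREAK_GLASS = ["00000000-0000-0000-0000-000000000000"]


def risk_policy(name, *, controls, user_risk=(), sign_in_risk=(),
                state="enabledForReportingButNotEnforced", exclude_users=BREAK_GLASS):
    """Build a Microsoft Graph conditionalAccessPolicy body keyed on risk levels.

    Defaults to report-only state so the policy is observed before it enforces.
    The checks mirror what Conditional Access rejects (passwordChange needs mfa,
    block cannot be combined) and what would lock you out (no exclusions)."""
    if not user_risk and not sign_in_risk:
        raise ValueError("scope the policy to at least one user or sign-in risk level")
    if "passwordChange" in controls and "mfa" not in controls:
        raise ValueError("passwordChange must be combined with mfa")
    if "block" in controls and len(controls) > 1:
        raise ValueError("block cannot be combined with other grant controls")
    if not exclude_users:
        raise ValueError("exclude at least the break-glass accounts")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": list(user_risk),
            "signInRiskLevels": list(sign_in_risk),
        },
        "grantControls": {
            # more than one control means "require all the selected controls"
            "operator": "AND" if len(controls) > 1 else "OR",
            "builtInControls": list(controls),
        },
    }


def user_risk_policy():
    """High user risk: MFA followed by a password change, which clears the user's risk."""
    return risk_policy("Identity Protection - high user risk",
                       user_risk=["high"], controls=["mfa", "passwordChange"])


def sign_in_risk_policy():
    """Medium-and-above sign-in risk: step up to MFA."""
    return risk_policy("Identity Protection - medium and high sign-in risk",
                       sign_in_risk=["medium", "high"], controls=["mfa"])


def enforce(policy):
    """Return an enforced copy, to be applied once the report-only results are reviewed."""
    return {**policy, "state": "enabled"}


if __name__ == "__main__":
    # POST each body to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    # with Policy.ReadWrite.ConditionalAccess and Application.Read.All granted.
    for p in (user_risk_policy(), sign_in_risk_policy()):
        print(json.dumps(p, indent=2))
```

The two bodies map onto the staged rollout: create them in report-only state, read the report-only results in the sign-in logs for a week or two, then PATCH the policy with the output of enforce().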
Integration
Azure AD Identity Protection integrates seamlessly with other Microsoft security services:
- Microsoft Sentinel (formerly Azure Sentinel): ingest the risky-user and risk-detection logs for correlation, analytics rules and automated response.
- Microsoft Defender for Cloud Apps: correlate cloud app activity with identity risk; its alerts also surface as Identity Protection risk detections.
- Microsoft Graph API: the identityProtection endpoints (riskyUsers, riskDetections) expose the reports and the remediation actions (confirm compromised, dismiss); the risk policies themselves are managed through the Conditional Access endpoints.
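An added example of the Graph integration (my code, not Microsoft's SDK or code from the page): it pages through the riskyUsers collection, filters by risk level, and calls the confirmCompromised and dismiss actions. The HTTP layer is injected so the block runs offline against a constructed two-page response; bearer_client builds real callers for an access token you obtain elsewhere. The object IDs and user names are made up.

```python
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}


def bearer_client(token):
    """Return (get, post) callables that talk to Graph with a bearer token.
    The token needs IdentityRiskyUser.ReadWrite.All. Not used by the offline demo."""
    def get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def post(url, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return resp.status
    return get, post


def list_risky_users(get, min_level="medium", state="atRisk"):
    """Walk every page of /identityProtection/riskyUsers, keeping users at or above min_level."""
    url = f"{GRAPH}/identityProtection/riskyUsers?$filter=" + quote(f"riskState eq '{state}'")
    users = []
    while url:
        page = get(url)
        users.extend(u for u in page.get("value", [])
                     if LEVEL.get(u.get("riskLevel"), 0) >= LEVEL[min_level])
        url = page.get("@odata.nextLink")   # absent on the last page
    return users


def confirm_compromised(post, user_ids):
    """Mark users compromised: their risk becomes high and the user risk policy applies."""
    return post(f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
                {"userIds": list(user_ids)})


def dismiss(post, user_ids):
    """Close false positives; the users' risk state becomes dismissed."""
    return post(f"{GRAPH}/identityProtection/riskyUsers/dismiss", {"userIds": list(user_ids)})


def escalate_high_risk(get, post):
    """Confirm every high-risk, at-risk user as compromised; return the affected IDs."""
    ids = [u["id"] for u in list_risky_users(get, min_level="high")]
    if ids:
        confirm_compromised(post, ids)
    return ids


# Constructed two-page response in the shape Graph returns; IDs and names are made up.
FAKE_PAGES = {
    "first": {
        "value": [
            {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "userPrincipalName": "alice@contoso.example",
             "riskLevel": "high", "riskState": "atRisk"},
            {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "userPrincipalName": "bob@contoso.example",
             "riskLevel": "low", "riskState": "atRisk"},
        ],
        "@odata.nextLink": f"{GRAPH}/identityProtection/riskyUsers?$skiptoken=page2",
    },
    "page2": {
        "value": [
            {"id": "11111111-aaaa-4bbb-8ccc-000000000003", "userPrincipalName": "carol@contoso.example",
             "riskLevel": "medium", "riskState": "atRisk"},
        ],
    },
}
POSTED = []   # records what the fake client would have sent


def fake_get(url):
    return FAKE_PAGES["page2" if "skiptoken=page2" in url else "first"]


def fake_post(url, body):
    POSTED.append((url, body))
    return 204


if __name__ == "__main__":
    for u in list_risky_users(fake_get):
        print(u["riskLevel"], u["userPrincipalName"])
    print("confirmed:", escalate_high_risk(fake_get, fake_post), POSTED[-1][0])
```

To run it against a tenant, replace fake_get and fake_post with the pair returned by bearer_client(token); the paging loop is the part people get wrong, since a risky-users query that ignores @odata.nextLink silently stops after the first page.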
Best Practices
- Register every user for MFA first: risk policies can only challenge users who are registered, and an unregistered user who hits a policy is blocked instead of challenged.
- Start in report-only mode: observe which users and sign-ins the policies would affect and tune thresholds and exclusions before anything is blocked.
- Gradually enforce policies: as confidence grows, switch to enforcing MFA and password changes for the higher risk levels.
- Review the reports regularly: work the risky users and risky sign-ins lists, and close each case as "confirmed compromised" or "dismissed" so the risk state stays accurate and the feedback improves detection.
- Educate users: Inform users about potential risks and the importance of secure practices.