François Peroux

How-To protect your identity with Azure AD Identity Protection

Updated: Jul 22, 2018

Introduction


Azure AD Identity Protection lets you add another security layer to your identity management.


AadIP uses machine learning to analyze how your users sign in to your environment and provides security guidance so you can enforce and better protect identities in the company.


Based on these results, AadIP can also detect risks and respond automatically, according to the parameters you've configured.

For example:

  • If a user accesses his account from Montreal and then from Paris a few minutes later, AadIP will enforce Multi-Factor Authentication (MFA) during sign-in because of this anomaly.

  • If a user accesses his Exchange Online account through a Tor browser, there is a good chance that the user's password is compromised: AadIP will block the access from Tor and require the password to be changed at the next logon from a safe place.

With a ready-to-use overview interface, your IT team can monitor any flagged risk event and act if required. A reporting tool is also available and can be easily configured.

Azure Identity Protection - Overview

In this article, we will see how to activate Azure AD Identity Protection in your Azure tenant and how to configure the Sign-in risk and User risk policies.


Use Cases

In this scenario, the best use case is to add another security layer to your identity process.

  • Ask for MFA automatically when the sign-in location is abnormal.

  • Act automatically if a user account seems to be compromised.


How-To

In the first part of this how-to, we are going to see how to activate Azure AD Identity Protection and how to configure it. Finally, we will see what the user experience looks like.


Activate AzureAD Identity Protection


AadIP is available for the following plans:

  • Enterprise Mobility + Security (EMS) E5 plan - already includes Azure AD P2

  • Azure AD P2


To add Azure AD Identity Protection on your Azure portal:


  1. Click on All services.

  2. Search for Azure Identity Protection.

  3. Click on Azure AD Identity Protection - you can also add it to your favorites (left pane) by clicking the star.

The AadIP portal is now loading. To begin the activation process, click on Onboard.


A new blade appears with the details of which directory will be placed under protection.


Simply click Create to begin the creation and onboard your directory into AadIP.


Configure AzureAD Identity Protection


Three sections can be configured with AadIP:

  • MFA Registration

  • User risk policy

  • Sign-in risk policy


MFA Registration Configuration

As of today, Multi-Factor Authentication (MFA) is an additional security control you can add to the simple password process. A user who tries to access your business perimeter can then verify his identity with something he owns (a phone, a secured application code, ...).


In Azure AD Identity Protection, the multi-factor authentication registration policy enforces the configuration of MFA for the user(s) or group(s) you've selected.


This ensures that all the users in your company have MFA properly configured.


To configure Multi-Factor Registration, follow these steps:

1. Choose the Users - the suggestion is to select the group of users you want to target.


2. Select the control: in this case, only Require Azure MFA registration is available.


3. Then, enforce the policy by turning it On and save the policy.

From a user perspective, if MFA wasn't already configured, the MFA registration process begins as follows:

1. The user has to configure MFA,

or

2. Skip it for the moment (this parameter can be changed).

By clicking Next, the MFA configuration process begins.


Understand the Risk Level

Before we continue with the user risk and sign-in risk policies, it's good to have a better understanding of what the risk level is and how it is evaluated.


There are three levels of risk: High, Medium and Low. In fact, you can't configure by yourself which trigger defines the risk level.


The parameters are chosen and defined by Microsoft, who designs the protection service behind it.


This table shows pretty well which kind of event can trigger the different levels.


Risk Level and corresponding Event Type

As of now, there are 6 event types that can be triggered by AadIP, and they are separated by risk policy:


User risk policy

  • Users with leaked credentials

Sign-in risk policy

  • Sign-ins from anonymous IP addresses

  • Impossible travel to atypical locations

  • Sign-ins from infected devices

  • Sign-ins from IP addresses with suspicious activity

  • Sign-ins from unfamiliar locations

Source: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events

With that in mind, you'll better understand the risk levels I've recommended for the user and sign-in risk policies.


User risk policy Configuration

This policy is user centric - it concerns risks based on compromised user account credentials.


This is why this policy acts on the user's password if the risk level defined in the policy is reached.


The following describes how to configure the user risk policy, based on recommendations:

1. Choose the Users - the suggestion is to select the group of users you want to target.


2. The User risk level has to be selected. The recommendation is to set the risk level at High.


Note: If you select a lower risk level, Medium/Low risk events happen more often - each time the user triggers a Medium/Low event, he will have to change his password.


3. The Access control has to be selected; by default, a password change is required (and it's the recommended setting).


Note: You can also block the user from signing in. If you do so, your IT team will have to analyze the user risk event and unblock the user. This can cause a lot of noise and support tickets.


4. Finally, enforce the policy by turning it On and save it.


Sign-in Risk Policy Configuration

This policy is sign-in centric - it concerns the risk that the sign-in is not performed by the legitimate account owner.


This is why this policy acts on owner verification, with multi-factor authentication, if the risk level defined in the policy is reached.


The following describes how to configure the sign-in risk policy, based on recommendations:


1. Choose the Users - the suggestion is to select the group of users you want to target.


2. The Sign-in risk level has to be selected. The recommendation is to set the risk level at Medium and above.


3. The Access control has to be selected; by default, multi-factor authentication is required (and it's the recommended setting).


Note: You can also block the user from signing in. If you do so, your IT team will have to analyze the risk event and unblock the user. This can cause a lot of noise and support tickets.


4. Finally, enforce the policy by turning it On and save it.


From a user experience perspective, this is how the sign-in risk policy acts:


Situation 1: The sign-in is occurring from an unfamiliar location - MFA is required but hasn't been configured yet.


In this case, the account is simply locked and sign-in is impossible.

Moreover, MFA configuration can't be completed from this location, so that this unknown person cannot finish the MFA configuration and access the account.


The following message appears.


Situation 2: The sign-in is occurring from an unfamiliar location - MFA is already configured for this account.


Right after the password is entered, a clear message (see below) explains the reason for the suspicion and asks the user to verify the account ownership with another identity factor: MFA is requested.
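To make the decisions of the user risk policy and the sign-in risk policy concrete (including Situations 1 and 2 above), here is a small policy simulator. It is an added example in Python, not code from the original article or from the Azure AD service, and the event-type names, risk levels, users and MFA registration states it uses are constructed.

```python
"""Simulate the user risk and sign-in risk policies on constructed risk events.
Added example: not from the original article or from Azure AD Identity Protection."""
from dataclasses import dataclass

# Risk levels ordered so a threshold such as "Medium and above" can be compared.
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}

# Event types listed in the article, grouped by the policy that acts on them
# (names are constructed identifiers, not service values).
USER_RISK_EVENTS = {"leaked_credentials"}
SIGN_IN_RISK_EVENTS = {"anonymous_ip", "impossible_travel", "infected_device",
                       "suspicious_ip", "unfamiliar_location"}


@dataclass
class RiskEvent:
    user: str
    event_type: str
    level: str  # assigned by the service ("low", "medium", "high"), not by the admin


@dataclass
class PolicyConfig:
    user_risk_threshold: str = "high"        # article recommendation: High
    sign_in_risk_threshold: str = "medium"   # article recommendation: Medium and above
    block_on_user_risk: bool = False         # alternative control, noisy for IT
    block_on_sign_in_risk: bool = False


def at_or_above(level, threshold):
    return RISK_ORDER[level] >= RISK_ORDER[threshold]


def evaluate(event, config, mfa_registered):
    """Return the control applied: 'allow', 'require_mfa', 'change_password' or 'block'."""
    if event.event_type in USER_RISK_EVENTS:
        if not at_or_above(event.level, config.user_risk_threshold):
            return "allow"
        return "block" if config.block_on_user_risk else "change_password"
    if event.event_type in SIGN_IN_RISK_EVENTS:
        if not at_or_above(event.level, config.sign_in_risk_threshold):
            return "allow"
        if config.block_on_sign_in_risk:
            return "block"
        # Situation 1: MFA required but not registered -> sign-in is blocked.
        # Situation 2: MFA registered -> the user is challenged for a second factor.
        return "require_mfa" if mfa_registered else "block"
    raise ValueError(f"unknown event type: {event.event_type}")


def evaluate_all(events, config, mfa_registered):
    return [(e.user, e.event_type, evaluate(e, config, mfa_registered[e.user])) for e in events]


# Constructed sample events and MFA registration state.
SAMPLE_EVENTS = [RiskEvent("alice", "impossible_travel", "medium"),
                 RiskEvent("bob", "unfamiliar_location", "medium"),
                 RiskEvent("carol", "leaked_credentials", "high"),
                 RiskEvent("dave", "anonymous_ip", "low")]
SAMPLE_MFA = {"alice": True, "bob": False, "carol": True, "dave": True}

if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_EVENTS, PolicyConfig(), SAMPLE_MFA):
        print(row)
```

Lowering `user_risk_threshold` to "medium" in the config shows why the note above warns about extra password changes: the same constructed events then trigger the change more often.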

Conclusion

Azure AD Identity Protection is another layer of security you can use by itself or combine with Conditional Access for more actions and capabilities.


Your security is improved by automatic and powerful machine learning mechanisms, saving you hours of searching through logs to find where your identity security has flaws.


Moreover, identity security breaches are automatically mitigated by Azure AD Identity Protection.
