Azure Identity Protection

Azure AD Identity Protection

Azure Active Directory Identity Protection lets you automate the detection and remediation of identity-based risks. It also lets you investigate risks using the data in the portal and export risk detection data to third-party tools.

Risk detection and remediation

Azure AD Identity Protection identifies the following risks:

  • Atypical travel: a sign-in from an atypical location, based on the user's recent sign-ins.
  • Anonymous IP address: a sign-in from an anonymous IP address (Tor browser, anonymizer VPNs, …).
  • Malware linked IP address: a sign-in from an IP address linked to malware.
  • Leaked credentials: this risk detection indicates that the user's valid credentials have been leaked.
  • Azure AD threat intelligence: Microsoft's internal and external threat intelligence sources have identified a known attack pattern.

License requirements

You can use Azure AD Identity Protection with the Azure AD basic/free licence, the Azure AD P1 licence and the Azure AD P2 licence. With the basic, free and P1 licences the functionality is limited.

Azure identity Protection licence

Set up Azure AD Identity Protection

From the Azure Portal, click on Create a resource.

Create a resource on Azure Portal

In the Find field, enter Azure AD Identity Protection. Click on Azure AD Identity Protection and then on Create.

Create Azure AD Identity Protection
Create Identity Protection

Click on All Services and enter Azure AD I in the field. Click on Azure AD Identity Protection in the central panel.

Azure Identity Protection opened in the Azure Portal

Create Identity Protection Policies

Azure AD Identity Protection contains three default policies:

  • User Risk Policy
  • Sign-in risk policy
  • MFA registration policy

User Risk Policy

On the Identity Protection menu, click on User risk policy.

User risk policy: create policy

Click on Users, select the desired users and click on Done.

Select desired user

Click on Conditions. Select the desired risk level and click on Select.

Click on Condition
Select the desired risk

Click on Access and select the desired access (block access or allow access).

Select the desired access

The Estimated impact menu shows the number of users impacted by the policy.

Estimated users impacted
Users impacted by the Identity Protection policies

Click on Save to save the changes.

Sign-in risk policy

Select the desired users and the condition. Configure the access that you want (block access or allow access).

Select the desired users
Select the risk
Select the desired access

MFA registration policy

Select the desired users and configure the Access menu to require Azure MFA registration.

Select users account
Configure require Azure MFA

Set Enforce policy to On and click on Save.

Select on for enforce policy and click on Save

The policies have been configured.

Configure notification

From the Azure AD Identity Protection menu, click on Users at risk detected alerts.

Configure notifications on Azure AD Identity Protection

Configure the risk level and select the recipients of the email.

Configure the level and select the recipients

Click on Save, then configure the Weekly digest in the same way.
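To see how the policies above (sign-in risk, user risk) and the "Users at risk detected" threshold act on the detections Identity Protection raises, here is an added Python example. It is not part of the original post and not Microsoft's code; it assumes the field names of the Microsoft Graph riskDetection resource (riskEventType, riskLevel, riskState, activity, userPrincipalName) and evaluates a constructed sample response. The users, IP addresses and recipient address are invented.

```python
"""Evaluate Identity Protection risk detections against a sign-in risk
policy, a user risk policy and an email notification threshold.
Assumes the Microsoft Graph riskDetection field names; sample data is constructed."""
import json
from collections import Counter

# Constructed sample shaped like GET /identityProtection/riskDetections
# (Microsoft Graph). Every value below is made up for the example.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "det-1", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "riskState": "atRisk", "activity": "signin",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
     "detectedDateTime": "2020-05-10T08:12:00Z"},
    {"id": "det-2", "riskEventType": "unlikelyTravel", "riskLevel": "high",
     "riskState": "atRisk", "activity": "signin",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.45",
     "detectedDateTime": "2020-05-10T09:40:00Z"},
    {"id": "det-3", "riskEventType": "leakedCredentials", "riskLevel": "high",
     "riskState": "atRisk", "activity": "user",
     "userPrincipalName": "bob@contoso.example", "ipAddress": None,
     "detectedDateTime": "2020-05-09T22:05:00Z"},
    {"id": "det-4", "riskEventType": "unfamiliarFeatures", "riskLevel": "low",
     "riskState": "remediated", "activity": "signin",
     "userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.10",
     "detectedDateTime": "2020-05-08T11:00:00Z"},
]})

# Ordering used by the policy thresholds; "hidden"/unknown levels never match.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def load_detections(raw_json):
    """Parse a Graph riskDetections response body into a list of detections."""
    return json.loads(raw_json)["value"]


def at_or_above(level, threshold):
    """True when a riskLevel meets the configured threshold."""
    return RISK_ORDER.get(level, -1) >= RISK_ORDER[threshold]


def evaluate_sign_in_policy(detections, threshold="medium", action="require_mfa"):
    """Sign-in risk policy: one action per risky sign-in that is still atRisk."""
    return [(d["id"], d["userPrincipalName"], action)
            for d in detections
            if d["activity"] == "signin" and d["riskState"] == "atRisk"
            and at_or_above(d["riskLevel"], threshold)]


def user_risk_levels(detections):
    """User risk: the highest level among a user's active detections, any activity."""
    levels = {}
    for d in detections:
        if d["riskState"] != "atRisk":
            continue
        upn = d["userPrincipalName"]
        current = levels.get(upn, "none")
        if RISK_ORDER.get(d["riskLevel"], -1) > RISK_ORDER[current]:
            levels[upn] = d["riskLevel"]
    return levels


def evaluate_user_policy(detections, threshold="high", action="block"):
    """User risk policy: act on every user whose aggregated risk meets the threshold."""
    return {upn: action for upn, lvl in user_risk_levels(detections).items()
            if at_or_above(lvl, threshold)}


def users_at_risk_alerts(detections, threshold="medium",
                         recipients=("secops@contoso.example",)):
    """'Users at risk detected' emails: one per active detection at/above threshold."""
    return [{"to": list(recipients), "user": d["userPrincipalName"],
             "type": d["riskEventType"], "level": d["riskLevel"]}
            for d in detections
            if d["riskState"] == "atRisk" and at_or_above(d["riskLevel"], threshold)]


def weekly_digest(detections):
    """Counts per riskEventType, the kind of summary the weekly digest carries."""
    return Counter(d["riskEventType"] for d in detections)


if __name__ == "__main__":
    dets = load_detections(SAMPLE_RESPONSE)
    print("sign-in policy:", evaluate_sign_in_policy(dets))
    print("user policy:", evaluate_user_policy(dets))
    print("alerts:", users_at_risk_alerts(dets))
    print("digest:", dict(weekly_digest(dets)))
```

The user risk policy aggregates over every active detection for the user, including offline ones such as leaked credentials, which is why bob is blocked even though he has no risky sign-in; the sign-in risk policy only looks at detections whose activity is a sign-in. Remediated or dismissed detections no longer count toward either policy.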

Simulate risk detections

Anonymous IP

From the Tor Browser, navigate to myapps.microsoft.com.

Connecting to myapps from the Tor Browser

After a few minutes, the notification appears.

Unfamiliar location

Using a VPN connection, I connect to the URL myapps.microsoft.com from outside my usual location (Paris in this example). An alert appears in Identity Protection.

Unfamiliar sign-in detected
