Azure Identity Protection

Azure AD Identity Protection

Azure Active Directory Identity Protection automates the detection and remediation of identity-based risks. It also lets you investigate risks using the collected data and export risk detection data to third-party tools (for example a SIEM).

Risk detection and remediation

Azure AD Identity Protection identifies the following risks:

  • Atypical travel: a sign-in from an atypical location, based on the user's recent sign-ins.
  • Anonymous IP address: a sign-in from an anonymous IP address (Tor browser, anonymizer VPNs, …).
  • Malware linked IP address: a sign-in from an IP address known to be linked to malware.
  • Leaked credentials: this detection indicates that the user's valid credentials have been leaked.
  • Azure AD threat intelligence: Microsoft's internal and external threat intelligence sources have identified a known attack pattern.

License requirements

You can use Azure AD Identity Protection with an Azure AD Basic/Free licence, an Azure AD P1 licence or an Azure AD P2 licence. With the Basic, Free and P1 licences the functionality is limited.

Azure identity Protection licence

Set up Azure AD Identity Protection

From the Azure Portal, click on Create a resource.

Azure Identity Protection create resource

In the search field, enter Azure AD Identity Protection. Click on Azure AD Identity Protection and then on Create.

Select Azure identity Protection
Create identity Protection

Click on All services and type Azure AD I in the filter field. Click on Azure AD Identity Protection in the central panel.

Open identity Protection

Create Identity Protection Policies

Azure AD Identity Protection contains three default policies:

  • User Risk Policy
  • Sign-in risk policy
  • MFA registration policy

User Risk Policy

On the Identity Protection menu, click on User risk policy.

Configure User Risk

Click on Users, select the desired users and click on Done.

Select user

Click on Conditions. Select the desired level and click on Select.

Select Condition
Select risk level

Click on Access and select the desired access (block access or allow access).

Select access

The Estimated impact menu shows the number of users affected by the policy.

Estimated impact

Click on Save to save the changes.

Sign-in risk policy

Select the desired users and the condition. Configure the access that you want (block access or allow access).

Select the desired users
Select the risk
Select the desired access

MFA registration policy

Select the desired users and, in the Access menu, require Azure MFA registration.

Select users account
Configure require Azure MFA

Set Enforce policy to On and click on Save.

Set Enforce policy to On and click on Save

The policies have now been configured.
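The portal does the enforcement itself, but the risk list above and the thresholds chosen in the three policies are also useful when working on exported detections. The following script is an added example, not part of the original post: it parses a constructed export in the shape of the Microsoft Graph riskDetection resource (field names and enum values are assumed here), keeps the detections still marked atRisk, and shows which users would reach the user risk (High) and sign-in risk (Medium) thresholds configured above, plus a per-type count like the weekly digest.

```python
import json
from collections import Counter

# Constructed sample export (values invented) in the shape of the Microsoft
# Graph riskDetection resource; field names are assumptions, not from the post.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "atRisk"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk"},
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "low", "riskState": "remediated"},
])

LEVEL_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Thresholds mirroring the portal policies in this post (assumed values):
# sign-in risk policy acts at Medium and above, user risk policy at High.
SIGNIN_RISK_THRESHOLD = "medium"
USER_RISK_THRESHOLD = "high"


def parse_export(raw):
    """Parse the exported detections and keep only those still open (atRisk)."""
    return [d for d in json.loads(raw) if d.get("riskState") == "atRisk"]


def at_or_above(level, threshold):
    return LEVEL_ORDER.get(level, 0) >= LEVEL_ORDER[threshold]


def evaluate(detections):
    """Triage approximation of the two policies: the highest open detection per
    user is compared with the thresholds; 'block' / 'mfa' / 'allow' per user."""
    user_risk = {}
    for d in detections:
        upn = d["userPrincipalName"]
        if at_or_above(d["riskLevel"], user_risk.get(upn, "none")):
            user_risk[upn] = d["riskLevel"]
    decisions = {}
    for upn, level in user_risk.items():
        if at_or_above(level, USER_RISK_THRESHOLD):
            decisions[upn] = "block"
        elif at_or_above(level, SIGNIN_RISK_THRESHOLD):
            decisions[upn] = "mfa"
        else:
            decisions[upn] = "allow"
    return decisions


def digest(detections):
    """Count open detections by risk type, like the weekly digest email."""
    return dict(Counter(d["riskEventType"] for d in detections))
```

Carol's remediated detection is dropped by `parse_export`, so only Alice (leaked credentials, High) and Bob (unfamiliar location, Medium) appear in the result.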

Configure notifications

From the Azure AD Identity Protection menu, click on Users at risk detected alerts.

Configure notifications on Azure AD Identity Protection

Configure the risk level and select the recipients of the email.

Configure the risk level and select the recipients

Click on Save, then configure the Weekly digest in the same way.

Simulate risk detections

Anonymous IP

From the Tor browser, navigate to myapps.microsoft.com.

Connect to myapps from the Tor browser

After a few minutes, the notification appears.

After a few minutes, the notification appears

Unfamiliar location

Using a VPN connection, I connect to the URL myapps.microsoft.com from outside my usual location (Paris in this example). An alert appears in Identity Protection.

Unfamiliar sign-in detected
