Azure Active Directory Identity Protection permit to automate the detection and the remediation of identity-based risks. He permit to investigate risks using data and export risk detection data to third-party utilities.

Risk detection and remediation

Azure AD Identity Protection identifies the following risks :

• Atypical travel : Sign in from an atypical location . It’s based on the user’s recent sign-ins.

• Anonymous IP address : Sign in from an anonymous IP address (Tor browser, anonymizer VPNs, …).

• Malware linked IP address : Sign in from a malware linked IP address.

• Leaked Credentials : This risk detection permit to indicates that the user’s valid credentials have been leaked.

• Azure AD threat intelligence : Microsoft’s internal and external threat intelligence sources have identified a known attack pattern.

License requirements

You can use Azure AD Identity protection with Azure AD basic/free licence, Azure AD P1 licence and Azure AD P2 licence. With basic, free and P1 licence the functionnality has limited.

Set up Azure AD Identity Protection

From the Azure Portal, click on Create a resource

On the Find field, enter Azure ad Identity protection. Click on Azure AD Identity Protection and click on Create.

Click on All Services and enter Azure AD I on the field. Click on Azure AD Identity Protection on the central panel.

Create Identity Protection Policies

Azure AD Identity Protection containt three default policies.

• User Risk Policy

• Sign-in risk policy

• MFA registration policy

User Risk Policy On the Identity Protection menu, click on User risk policy.

Click on Users and select the desired users and click on Done.

Click on Conditions. Select the desired level and click on Select.

Click on Access and select the desired access (block access or allow access).

With Estimated impact menu, you can view the number of users impacted.

Click on Save to save the modification.

Sign-in risk policy Select the desired users and the condition. Configure access that you want (block access or allow access).

MFA registration policy Select the desired users and configure the access menu for require Azure MFA Access.

Click On for enforce policy and click on Save.

The policies has been configured.

Configure notification

From the Azure AD Identity Protection menu, click on Users at risk detected alerts.

Configure the risk level and select the recipients of the email.

Click on Save and configure Weekly digest.

Simulate risk detections

Anonymous IP

From Tor browser navigate to myapps.microsoft.com.

After few minutes, the notification appear.

Unfamiliar location

Using a VPN connection, I connect to the url myapps.microsoft.com from outside of my location (Paris in this example). An alert appear on Identity protection.