Understanding Azure Identity Protection with User and Sign in Risk policies
Azure Identity Protection helps with the following tasks:
- Automate the detection and remediation of identity-based risks (compromised accounts, phishing attacks, etc.)
- Investigate risks using easy-to-find data
- Export risk data to third-party tools for further analysis
Identity Risk Detection Engines:
- Heuristics: the system monitors how the user normally works (when they usually log on, from where, on which device, etc.) and uses machine learning to make decisions based on this information
- Microsoft Partner Products: these are third-party security products that can interface with Microsoft to detect security issues
Risk Types
- User Risk: the probability that a user identity has been compromised
- Sign-in Risk: the probability that a sign-in is compromised
  - Real time (decision made in real time)
  - Aggregate (decision based on both real-time and non-real-time information)
Risk Detection
- Atypical travel (a user logs on in NYC, then 5 minutes later logs on in LA)
- Anonymous IP Address
- Unfamiliar sign-in properties
- Malware linked IP address
- Leaked Credentials
- Azure AD Threat Intelligence
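The atypical travel case above (NYC, then LA five minutes later) can be checked by computing the speed a user would need to get from one sign-in location to the next. This is an added example, not Microsoft's detection algorithm or code from the original page; the 900 km/h threshold, the sign-in records and the function names are assumptions made for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

# Constructed sample sign-ins: (user, UTC timestamp, city, latitude, longitude)
SIGNINS = [
    ("alice", "2024-05-01T13:00:00", "New York", 40.7128, -74.0060),
    ("alice", "2024-05-01T13:05:00", "Los Angeles", 34.0522, -118.2437),
    ("bob", "2024-05-01T09:00:00", "New York", 40.7128, -74.0060),
    ("bob", "2024-05-01T17:30:00", "Los Angeles", 34.0522, -118.2437),
    ("carol", "2024-05-01T10:00:00", "New York", 40.7128, -74.0060),
    ("carol", "2024-05-01T10:00:00", "New York", 40.7128, -74.0060),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def atypical_travel(signins, max_kmh=MAX_KMH):
    """Return (user, from_city, to_city, km, minutes) for impossible hops."""
    by_user = {}
    for user, ts, city, lat, lon in signins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    findings = []
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda e: e[0])
        # Compare each sign-in with the next one for the same user.
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < 1.0:
                continue  # same location: nothing to measure
            hours = (t2 - t1).total_seconds() / 3600
            # Zero elapsed time between distant locations is always impossible.
            if hours == 0 or km / hours > max_kmh:
                findings.append((user, c1, c2, round(km), round(hours * 60)))
    return findings


if __name__ == "__main__":
    for finding in atypical_travel(SIGNINS):
        print(finding)
```

Only alice is flagged with the default threshold: bob covers the same distance in 8.5 hours, which is plausible by air.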
Risk Investigation:
- Risky users
- Risky sign-ins
- Risk detections
Enabling & Monitoring Azure AD Identity Protection User & Sign-in Risk Policies
Looks like you need Premium 2 Licences for these features
Configuring User Risk Policy
- Go to Azure Portal -> Azure AD Identity Protection -> User risk policy
- Assignments: set the users you want to apply it to
- Conditions: here you set a risk level (low, medium or high). This is based on an algorithm Microsoft has created.
- Access: Block or Allow (with the option of forcing a password change)
Configuring Sign-in Policy
- Go to Azure Portal -> Azure AD Identity Protection -> Sign-in risk policy
- Assignments: set the users you want to apply it to
- Conditions: here you set a risk level (low, medium or high). This is based on an algorithm Microsoft has created.
- Access: Block or Allow (with the option of forcing MFA)
Reports
You can access the reports for these policies on the same page.