Introduction
Azure AD Identity Protection is a tool that allows organizations to do the following:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to third-party utilities for further analysis.
The signals generated by Identity Protection can also be fed into other tools:
- Conditional Access, to make access decisions (which we have fully discussed in previous articles).
- A security information and event management (SIEM) tool, for further investigation based on your organization's enforced policies (SIEM will also be fully discussed in coming articles).
Risk Classification
Identity Protection identifies risks in the following classifications:
Atypical travel
- Sign-in from an atypical location, based on the user's recent sign-ins.
Anonymous IP address
- Sign-in from an anonymous IP address (for example: Tor browser, anonymizer VPNs).
Unfamiliar sign-in properties
- Sign-in with properties that have not been seen recently for the given user.
Malware linked IP address
- Sign-in from an IP address linked to malware.
Leaked credentials
- Indicates that the user's valid credentials have been leaked.
Password spray
- Indicates that multiple usernames are being attacked using common passwords in a unified, brute-force manner.
Azure AD threat intelligence
- Microsoft's internal and external threat intelligence sources have identified a known attack pattern.
Risk investigation
Administrators can review detections and take manual action on them if needed. There are three key reports that administrators use for investigations in Identity Protection:
- Risky users
- Risky sign-ins
- Risk detections
How to determine risk levels
Identity Protection categorizes risk into three tiers:
- low
- medium
- high
Unfortunately, Microsoft does not provide specific details about how risk is calculated, but we can say that each level brings higher confidence that the user or sign-in is compromised.
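The three reports above (risky users, risky sign-ins, risk detections) and the three risk tiers are easiest to reason about with data in hand. The following is an added example written for this article, not code from Microsoft or the Identity Protection product: it triages a handful of constructed risk detection records whose field names follow the riskDetection resource returned by Microsoft Graph (`GET /identityProtection/riskDetections`), rolls them up per user the way the "Risky users" report does, filters by the minimum tier you would act on, and emits one JSON line per active detection in a shape a SIEM could ingest. The users, IP addresses, timestamps and the "source" label in the SIEM output are invented; the riskEventType and riskState values are the real Graph enumeration names for the detections described above.

```python
"""Offline triage of Identity Protection risk detections (added example, not the article's code)."""
import json
from collections import defaultdict

# Map Graph riskEventType values to the detection names used in this article.
RISK_EVENT_NAMES = {
    "unlikelyTravel": "Atypical travel",
    "anonymizedIPAddress": "Anonymous IP address",
    "unfamiliarFeatures": "Unfamiliar sign-in properties",
    "malwareInfectedIPAddress": "Malware linked IP address",
    "leakedCredentials": "Leaked credentials",
    "passwordSpray": "Password spray",
    "investigationsThreatIntelligence": "Azure AD threat intelligence",
}

# Order the three tiers so the worst detection decides a user's overall level.
RISK_LEVEL_RANK = {"low": 1, "medium": 2, "high": 3}

# riskState values that still need an analyst; remediated/dismissed/confirmedSafe are closed.
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}

# CONSTRUCTED sample records in the shape of Graph riskDetection objects (all values invented).
SAMPLE_DETECTIONS = [
    {"id": "det-1", "userPrincipalName": "alice@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium", "riskState": "atRisk", "ipAddress": "203.0.113.10",
     "detectedDateTime": "2024-01-15T08:02:11Z"},
    {"id": "det-2", "userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk", "ipAddress": None,
     "detectedDateTime": "2024-01-15T09:30:00Z"},
    {"id": "det-3", "userPrincipalName": "bob@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "remediated", "ipAddress": "198.51.100.7",
     "detectedDateTime": "2024-01-14T22:10:45Z"},
    {"id": "det-4", "userPrincipalName": "carol@contoso.example", "riskEventType": "passwordSpray",
     "riskLevel": "low", "riskState": "atRisk", "ipAddress": "192.0.2.55",
     "detectedDateTime": "2024-01-15T03:15:09Z"},
    {"id": "det-5", "userPrincipalName": "dave@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "riskState": "dismissed", "ipAddress": "192.0.2.80",
     "detectedDateTime": "2024-01-13T11:00:00Z"},
]


def active_detections(detections):
    """Keep only detections whose riskState still requires investigation."""
    return [d for d in detections if d.get("riskState") in ACTIVE_STATES]


def summarize_by_user(detections):
    """Roll active detections up per user, like the 'Risky users' report.

    Returns {upn: {"max_level": <worst riskLevel>, "detections": [<detection names>]}}.
    """
    per_user = defaultdict(lambda: {"max_level": None, "detections": []})
    for d in active_detections(detections):
        entry = per_user[d["userPrincipalName"]]
        entry["detections"].append(RISK_EVENT_NAMES.get(d["riskEventType"], d["riskEventType"]))
        current = RISK_LEVEL_RANK.get(entry["max_level"], 0)
        if RISK_LEVEL_RANK.get(d["riskLevel"], 0) > current:
            entry["max_level"] = d["riskLevel"]
    return dict(per_user)


def users_needing_action(detections, minimum="medium"):
    """Return the users whose worst active detection is at or above the given tier."""
    threshold = RISK_LEVEL_RANK[minimum]
    summary = summarize_by_user(detections)
    return sorted(upn for upn, e in summary.items()
                  if RISK_LEVEL_RANK.get(e["max_level"], 0) >= threshold)


def to_siem_lines(detections):
    """Flatten active detections into JSON lines for export to a SIEM (field names are ours)."""
    lines = []
    for d in active_detections(detections):
        lines.append(json.dumps({
            "source": "AzureADIdentityProtection",   # assumed label, not a Graph field
            "event_id": d["id"],
            "user": d["userPrincipalName"],
            "detection": RISK_EVENT_NAMES.get(d["riskEventType"], d["riskEventType"]),
            "risk_level": d["riskLevel"],
            "src_ip": d.get("ipAddress"),
            "time": d["detectedDateTime"],
        }, sort_keys=True))
    return lines


if __name__ == "__main__":
    for upn, entry in summarize_by_user(SAMPLE_DETECTIONS).items():
        print(f"{upn}: {entry['max_level']} -> {', '.join(entry['detections'])}")
    print("Act on:", users_needing_action(SAMPLE_DETECTIONS))
    print("\n".join(to_siem_lines(SAMPLE_DETECTIONS)))
```

With the constructed data, alice is the only user at or above "medium" (her leaked-credentials detection is "high"), bob and dave drop out because their detections are already remediated or dismissed, and carol's single low-tier password-spray detection is kept for review but not escalated. In a real tenant the records would come from the Graph endpoint named above, and the minimum tier should follow the same threshold your Conditional Access user-risk policy enforces, so the manual queue and the automated response agree.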
Permissions required for Identity Protection
Identity Protection requires one of the following roles to be assigned:
Global administrator
- Full access to Identity Protection
Security administrator
- Full access to Identity Protection
Security operator
- View all Identity Protection reports and Overview blade
- Dismiss user risk, confirm safe sign-in, confirm compromise
Security reader
- View all Identity Protection reports and Overview blade
License requirements
Identity Protection requires an Azure AD Premium P2 license. An Azure AD Premium P1 license provides only limited Identity Protection functionality.
Conclusion
This was a brief overview of the concepts behind Azure AD Identity Protection. We hope you will join us for the next article, because we have more to talk about regarding Identity Protection.