Azure Active Directory Identity Protection is a feature that is exclusively available in the Azure AD Premium P2 plan and certain Microsoft 365 Enterprise plans with advanced security features. It helps in detecting vulnerabilities impacting an organization’s user identities, configuring automatic responses to attacks trying to exploit them, and investigating the root cause of such incidents. Identity Protection (IP) uses the data available with Microsoft gathered from trillions of signals to protect customers. The key to protection is implementing IP policies correctly. Let us delve into the details of Risk Policies in Azure Active Directory Identity Protection.
Risk Detection In Azure AD
There are two types of risks that Azure AD IP uses to identify suspicious actions in user accounts that are registered in the directory.
A user risk is one which indicates the possibility of compromise of a user’s identity or account. Detection of leaked credentials or a known attack pattern that results in a divergence in a given user’s behavior from normal activity patterns is indicative of user risk.
The other type is a sign-in risk. This involves the calculation of the probability of request for authentication by someone other than the designated owner of an account. Various criteria such as a masked or malware linked IP address, geographical discrepancies, or suspicious inbox activities are used to detect the possibility of a sign-in risk.
Prerequisites for Managing Risk Policies
Both user risk and sign-in risk policies prepare organizations with automated responses to risk detections. They allow users to self-remediate if a risk has been detected. This requires users to register for both Self-Service Password Reset (SSPR) and Azure Multi-Factor Authentication (Azure MFA). This eliminates the requirement of intervention from the administrator and allows users to resume work faster. However, administrators have the visibility to the occurrence of these events and can analyze the resultant data. Additionally, the user enabling Identity Protection should have global administrator privilege and users with the security reader role will be able to access the service but not make the configuration changes.
Risk Levels and Exclusions Management
Risk level thresholds determine the frequency at which a policy is triggered. Managing the risk levels is necessary to establish a balance between user experience and the security stance of an organization. While a Low threshold increases the probability and frequency of a policy being triggered, it assumes an aggressive security stance. Conversely, a High threshold minimizes user interruption but may not be as effective in protecting users. Microsoft recommends setting the user risk policy threshold to High and the sign-in risk policy as Medium and above.
In addition to setting the risk level threshold, organizations can add exclusions to these policies in terms of the basis on which accounts are used. Certain users, such as admins may need exclusions from specific policies for emergency access and other exigencies. Others might need to add certain locations or IP addresses to minimize the chances of a policy being triggered due to false-positive signals.
Enabling Identity Protection Risk Policies
Both user risk and sign-in risk can be enabled and managed from the Azure portal.
- Navigate to Overview in Identity Protection on the Azure Portal.
- Follow the steps below for managing user risk policy.
i) Select Configure user risk policy option in Overview.
ii) Select between All users or Select individuals and groups options for Users under Assignments depending on the scale of the rollout. Alternatively, specific users can be excluded.
iii) Set an appropriate threshold for Conditions – User risk. The Microsoft recommended setting is High for this parameter.
iv) Select the appropriate value for Access under Control. Microsoft recommends that it is set to Allow access and Require password change.
v) Apply Policy-On and save the settings.
- Follow the steps below for managing sign-in risk policy.
i) Select Configure sign-in risk policy.
ii) Select either All users or Select individuals and groups in Users under Assignments depending on the rollout scale. Alternatively, you can set policy exclusion for specific users.
iii) Set Conditions – Sign-in risk to Medium and above or an option of your choice.
iv) Navigate to Controls and set the value in Access to Allow access and Require multi-factor authentication or any other suitable value.
v) Turn the Policy-On and save the changes.
Implementing Azure AD for Your Security
While all solutions in Microsoft Online Services use Azure for security and identity management, advanced capabilities such as Identity Protection and its associated components are available only in the Azure Premium P2 plan and Microsoft 365 E5 Plan which includes the former. As a Tier 1 Microsoft CSP for Azure, Apps4Rent provides managed Azure services at promotional prices with 24/7 phone, chat, and email support.
If you want to implement any Azure solution, feel free to contact us now!