Ensuring that your user identities are protected from modern attack vectors such as phishing schemes and credential leaks should be a critical part of your enterprise security strategy. When attackers gain access to a traditional user account, they can often use this access to elevate to higher privilege and gain greater control of your environment. Although controls such as multi-factor authentication (MFA) are often an effective preventative measure, factoring in the risk of all users and their associated sign-in events provides an even greater level of control.
Azure Identity Protection is a feature in Azure Active Directory Premium (AADP) Plan 2 (P2). Identity Protection provides a dashboard to investigate and remediate potential risks. You can apply sign-in and user risk policies to take real-time action when risks are detected. Identity Protection uses a complex machine learning system that takes signals from various sources to evaluate the risk of every sign-in in real time.
User Risk Policy in Identity Protection
If you have Identity Protection, you should ensure that the user risk policy is enabled for all of your users. The user risk policy looks for users who may be compromised by identifying vectors such as the user’s credentials being on a list of leaked credentials. For this detection to work, you must enable password hash synchronization in Azure Active Directory Connect (AADC).
You should enable password hash synchronization even if you are using federated authentication. With password hash synchronization enabled, Microsoft will flag any user who has a username/password that matches one on a leaked credential list. With Identity Protection, you can automatically require the user to change his or her password at the next sign-in after completing an MFA challenge.
A user risk policy configured to require a password change looks like this:
Sign-In Risk Policy
Sign-in risk evaluates the individual sign-in event, as opposed to the overall risk of the user. Various signals influence sign-in risk, but two common examples are impossible travel situations and access from anonymized IP addresses. Anonymized IP addresses are IP addresses associated with systems such as Tor, where Internet traffic is routed through various proxies that mask the user’s true location. Tor is a great tool to test Identity Protection policies.
Impossible travel evaluates the geolocation of IP addresses that sign-ins originate from and considers whether it is possible that the user could have signed in from those locations in the time period. For example, if a user signs in from New York City at 9:00 A.M. and then signs in from Shanghai at 11:00 A.M., it simply isn’t possible that the user traveled between New York City and Shanghai in 2 hours.
Based on the sign-in risk level (low, medium, or high), you can take action such as requiring the user to perform MFA. The sign-in risk policy applies globally, but you can use sign-in risk in conditional access policies for specific applications as well. For example, you might allow high-risk sign-ins with MFA, but for applications that contain very sensitive business information, you might configure a conditional access policy to block high-risk sign-ins to sensitive applications.
Protecting On-Premises Access
If you use the Azure Application Proxy, you can make traditional on-premises applications available remotely. Although Identity Protection does not extend to Active Directory (AD), if you use the Azure Application Proxy, you will also get the benefits of Identity Protection for on-premises applications. User risk and sign-in risk policies automatically apply, and you can use conditional access to further restrict access to specific on-premises applications based on sign-in risk.
Step Up to Identity Protection
Identity Protection is a major component of AADP P2. Although there is an added cost, there is simply no other way to get the same breadth of data about your users. Sign up for a 30-day trial in the Azure management portal, and start seeing data about the risks of your users and contact us today for expert consulting.