Azure Identity Protection is a cloud-based service that helps protect your organization's identities from cyber threats. It's a crucial component of Azure Active Directory (Azure AD).
To set up Azure Identity Protection, you'll need to enable the service in your Azure AD tenant. This can be done through the Azure portal, under the Azure AD section.
Enabling Azure Identity Protection will trigger a series of automated checks to identify potential security risks in your organization. This includes monitoring for suspicious sign-in activity, unusual account behavior, and more.
Once enabled, Azure Identity Protection will automatically begin to detect and flag potential security threats, allowing you to take swift action to protect your identities.
Improving Security with Azure Identity Protection
Azure Identity Protection is a powerful tool for improving security, and it offers numerous benefits for organizations. It detects potential vulnerabilities affecting identities and investigates risky incidents, taking appropriate action to remediate issues and enforce multi-factor authentication.
With Azure Identity Protection, you can identify patterns using machine learning to enhance protection and reduce the account takeover risk. This is particularly important, as identity threats can be difficult to detect and respond to.
To get the most out of Azure Identity Protection, it's essential to configure email notifications for new risky users and sign-ins, as well as weekly digests to alert security team members. This ensures that potential issues are addressed promptly.
Azure Identity Protection also offers robust monitoring capabilities, allowing you to view and understand IAM policies, and create Azure Monitor dashboards to track risk trends and policy actions taken. You can also use the Identity Protection workbook template to gain insights through interactive reports.
Here are some key features of Azure Identity Protection's monitoring capabilities:
- Configure email notifications for new risky users/sign-ins and weekly digests.
- Review Identity Protection reports like risky users, sign-ins, and risk detections daily.
- Create Azure Monitor dashboards to view risk trends, policy actions taken, and track remediation status.
- Use the Identity Protection workbook template to gain insights through interactive reports.
- Export Identity Protection events via the Graph Security API to your SIEM solution.
- Correlate risk detections with other identity-related security events in your SIEM for enhanced monitoring.
- Configure playbooks in solutions like Azure Sentinel to trigger response workflows based on Identity Protection alerts.
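A worked illustration of the SIEM correlation the list above calls for, as an added example that is not code from the original article or from Microsoft: it runs offline over constructed samples shaped like the Graph `riskDetection` and `signIn` resources, and the one-hour window and the escalate/review rule are assumptions.

```python
# Correlate Identity Protection risk detections with sign-in events.
# Added example (not code from the article or Microsoft); the inputs are
# constructed samples shaped like Graph v1.0 `riskDetection` and `signIn`
# resources, so it runs offline as a stand-in for a SIEM correlation rule.
from datetime import datetime, timedelta

# Constructed sample: risk detections as exported via the Graph API.
RISK_DETECTIONS = [
    {"id": "rd-1", "userPrincipalName": "alice@contoso.example",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "riskState": "atRisk", "activityDateTime": "2024-05-01T10:00:00Z"},
    {"id": "rd-2", "userPrincipalName": "bob@contoso.example",
     "riskEventType": "leakedCredentials", "riskLevel": "high",
     "riskState": "remediated", "activityDateTime": "2024-05-01T11:30:00Z"},
]

# Constructed sample: sign-in log entries already in the SIEM (errorCode 0 = success).
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-05-01T10:05:00Z", "status": {"errorCode": 0},
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-05-02T09:00:00Z", "status": {"errorCode": 0},
     "appDisplayName": "Azure Portal"},
]

def parse_ts(value):
    # Graph timestamps are ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def correlate(detections, sign_ins, window=timedelta(hours=1)):
    """Pair each still-open detection with successful sign-ins by the same user
    inside `window` after it; medium/high detections followed by a successful
    sign-in are escalated, everything else is queued for review."""
    results = []
    for det in detections:
        if det["riskState"] != "atRisk":  # remediated/dismissed: nothing to chase
            continue
        start = parse_ts(det["activityDateTime"])
        hits = [s for s in sign_ins
                if s["userPrincipalName"] == det["userPrincipalName"]
                and s["status"]["errorCode"] == 0
                and start <= parse_ts(s["createdDateTime"]) <= start + window]
        results.append({
            "detection": det["id"], "user": det["userPrincipalName"],
            "riskEventType": det["riskEventType"],
            "signIns": [(s["ipAddress"], s["appDisplayName"]) for s in hits],
            "priority": "escalate" if hits and det["riskLevel"] in ("medium", "high") else "review",
        })
    return results
```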
By implementing these features, you can improve your organization's security posture and respond quickly to potential threats.
Configuring and Managing Azure Identity Protection
To configure Azure Identity Protection, you'll need to enable the user risk policy to enforce actions like MFA or password change for risky users.
Properly tuned risk policies act as automated sentinels, promptly responding to abnormal activity before incidents occur. Enable the sign-in risk policy to trigger MFA prompts or block access for risky sign-in attempts. Set appropriate thresholds for user/sign-in risks based on your security posture. Aggressive thresholds lead to more false positives.
To configure Azure Active Directory Identity Protection on Cortex XSOAR, you'll need to follow these steps: Navigate to Settings > Integrations > Servers & Services, search for Azure Active Directory Identity Protection, and click Add instance to create and configure a new integration instance. You'll need to provide the Application ID, Subscription ID, Azure Active Directory endpoint, and other required parameters.
Here are the required parameters for configuring Azure Active Directory Identity Protection on Cortex XSOAR:
Configure Risk Policies
To configure risk policies in Azure Identity Protection, you need to enable the user risk policy to enforce actions like MFA or password change for risky users. This will help you respond to user and sign-in risks detected through AI-driven risk modeling.
You can scope policies to all users or specific critical groups like administrators, based on coverage needed. Excluding emergency access accounts from the policies will prevent accidental lockout. It's essential to use report-only mode to evaluate policy impact before full enforcement.
To set appropriate thresholds for user/sign-in risks, consider your security posture. Aggressive thresholds may lead to more false positives. You can also export risk detections to your SIEM for further correlation and monitoring coverage.
Here are the key steps to configure risk policies:
- Enable the user risk policy to enforce actions like MFA or password change for risky users.
- Enable the sign-in risk policy to trigger MFA prompts or block access for risky sign-in attempts.
- Set appropriate thresholds for user/sign-in risks based on your security posture.
- Scope policies to all users or specific critical groups like administrators.
- Exclude emergency access accounts from the policies.
- Use report-only mode to evaluate policy impact.
- Export risk detections to your SIEM.
Remember to adjust policies periodically based on analysis of risk patterns in your environment. This will help you stay ahead of potential threats and ensure the effectiveness of your risk policies.
Exclude Emergency Accounts
Configuring Azure Identity Protection requires careful consideration of emergency access accounts. These accounts are essential for maintaining admin access to Azure AD in worst-case scenarios.
It's crucial to exclude emergency access or break-glass administrator accounts from the scope of Azure Identity Protection risk policies for user and sign-in risks.
To ensure these accounts remain secure, create at least two emergency access accounts in your Azure AD tenant and grant them global administrator privileges.
Explicitly exclude these accounts from the Conditional Access policies enforcing MFA, password reset, etc., for risky users/sign-ins.
Here's a step-by-step process for excluding emergency access accounts:
- Create at least two emergency access accounts in your Azure AD tenant.
- Ensure these accounts have global administrator privileges.
- Exclude these accounts from Conditional Access policies enforcing MFA, password reset, etc., for risky users/sign-ins.
- Document a process for keeping these accounts secure, including:
+ Regularly reviewing and updating account permissions.
+ Ensuring these accounts are not used for regular administrative tasks.
+ Monitoring account activity for suspicious behavior.
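The risk-policy steps and the emergency-account exclusion above, as an added example that is not code from the original article or from Microsoft: it builds the Conditional Access policy bodies in the Graph `conditionalAccessPolicy` layout and lints them for the mistakes the article warns about; the break-glass IDs are placeholders and the `lint` checks are assumptions.

```python
# Build and lint risk-based Conditional Access policy bodies.
# Added example, not code from the article or from Microsoft. The dict layout
# follows the Microsoft Graph `conditionalAccessPolicy` resource (v1.0); the
# account IDs are placeholders and nothing is sent to Graph here.
BREAK_GLASS_IDS = ["PLACEHOLDER-BREAK-GLASS-1", "PLACEHOLDER-BREAK-GLASS-2"]

def _base(name, exclude_ids, report_only):
    # Report-only state lets you measure impact before enforcement.
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_ids)},
        },
    }

def sign_in_risk_policy(exclude_ids, levels=("high", "medium"), report_only=True):
    p = _base("Sign-in risk: require MFA", exclude_ids, report_only)
    p["conditions"]["signInRiskLevels"] = list(levels)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p

def user_risk_policy(exclude_ids, levels=("high",), report_only=True):
    p = _base("User risk: secure password change", exclude_ids, report_only)
    p["conditions"]["userRiskLevels"] = list(levels)
    # A password change for a risky user is paired with MFA (operator AND) so
    # that whoever holds the current password cannot simply set a new one.
    p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return p

def lint(policy, break_glass_ids):
    """Return findings against the guidance above; an empty list means it passes."""
    c, g = policy["conditions"], policy["grantControls"]
    findings = []
    missing = sorted(set(break_glass_ids) - set(c["users"].get("excludeUsers", [])))
    if missing:
        findings.append("break-glass accounts not excluded: " + ", ".join(missing))
    if "low" in c.get("signInRiskLevels", []) + c.get("userRiskLevels", []):
        findings.append("'low' risk level in scope: expect many false positives")
    if "passwordChange" in g["builtInControls"] and not (
            "mfa" in g["builtInControls"] and g["operator"] == "AND"):
        findings.append("passwordChange must be combined with mfa using operator AND")
    if policy["state"] == "enabled" and not c["users"].get("excludeUsers"):
        findings.append("enforced on all users with no exclusions")
    return findings
```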
Authorization Instructions
Authorization Instructions are crucial for ensuring secure access to Azure Identity Protection.
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code EXAMPLE-CODE to authenticate. This step is essential for initiating the authorization process.
To complete the authorization, run the !azure-ad-auth-complete command in the War Room. This command will finalize the authentication process and grant access to the necessary resources.
Risk Detection and Remediation
Azure Identity Protection's risk detection capabilities are impressive, and it's essential to understand how they work. Azure Identity Protection uses AI-driven risk modeling to detect user and sign-in risks in real-time, assigning a risk level to each session.
Risk levels are determined by analyzing signals from Active Directory, Microsoft Accounts, and Xbox gaming, among other sources. This broad range of signals helps detect risky behaviors like anonymous IP address usage, password spray attacks, and leaked credentials.
Azure Identity Protection's real-time risk detection evaluates each sign-in attempt, and the risk level determines the likelihood of an identity-based attack. Administrators can then decide whether to block access, allow access, or require multi-factor authentication based on the risk level.
Here are some remediation options available to administrators:
- Self-remediation with risk policy: Users can unblock their profiles with multi-factor authentication (MFA) and self-service password reset (SSPR) if they've previously registered.
- Manual password reset: Administrators can close the risk detection by generating a temporary password, which the user can then change on their next sign-in.
- Dismissing user risk: Administrators can dismiss the risk detection without requiring any action from the user if they determine the user identity isn't threatened.
Auth Reset
If you need to rerun the authentication process, simply run the command azure-ad-auth-reset.
This command resets your authorization and allows you to start the authentication process again.
To start the authentication process after resetting authorization, run the command azure-ad-auth-start.
Authorization was reset successfully with the azure-ad-auth-reset command.
Real-Time Risk Detection
Azure Identity Protection uses real-time sign-in detections to assign a risk level to each session, helping to identify suspicious activities such as anonymous IP addresses, password spray attacks, and credential exposure.
This continuous monitoring evaluates trillions of signals each day from Active Directory, Microsoft Accounts, and Xbox gaming, making it a powerful tool for detecting risky behaviors.
Azure Identity Protection runs all real-time sign-in detections during each sign-in attempt, generating a sign-in session risk level that indicates how likely the sign-in is compromised.
Based on this risk level, policies are then applied to protect the user and the organization, allowing administrators to decide whether to block access, allow access, or require multi-factor authentication.
Azure Identity Protection builds a baseline of normal user behavior and uses deviations from it to estimate the risk that a user is being impersonated, signaling administrators, who can then decide whether to block or allow access.
Here are some examples of risky behaviors that Azure Identity Protection detects:
- Anonymous IP address usage
- Password spray attacks
- Leaked credentials
- and more...
These detections are based on the analysis of trillions of signals each day, making it a robust tool to protect organizations from identity-based attacks.
Multi-Factor Authentication and Policy Management
Enabling multi-factor authentication (MFA) registration policy for all users can block 99.9% of compromise attacks, making it a crucial step in safeguarding your organization's network and systems.
MFA requires more than one piece of evidence to confirm a user's identity, such as a fingerprint, face scan, or a trusted device or application like a mobile phone or email.
Organizations can choose Azure multi-factor authentication for every one of their members; because it is hard for attackers to reach these secondary applications and devices, MFA is a robust defense against identity theft.
To implement MFA, organizations can enable policies for cloud services, applications, and systems, and enforce registration for all users, with the option to roll out gradually to minimize disruption.
Here are some key considerations for MFA registration policy:
- Enable policies for cloud services, applications, and systems, and enforce registration for all users.
- Educate users on MFA and how it safeguards their accounts.
- Provide clear instructions on enrolling their devices for MFA.
- Encourage users to register multiple verification methods as backups.
- Prioritize MFA registration for privileged accounts like administrators.
By implementing MFA and managing policies effectively, organizations can significantly reduce the risk of successful identity theft and protect their networks and systems.
Multi-Factor Authentication Policy
Implementing a multi-factor authentication (MFA) policy is crucial for safeguarding your organization's accounts and systems. By enforcing MFA, you can block 99.9% of compromise attacks, as Microsoft states.
To get started, consider enabling Azure AD Multi-Factor Authentication (MFA) for all users. This can be done by enabling policies for cloud services, applications, and systems, and enforcing registration for all users. A gradual rollout is also an option to minimize disruption.
MFA registration should be prioritized for privileged accounts like administrators, as it protects critical access. For mobile devices, ensure users have downloaded and activated the Microsoft Authenticator app. For desktops/laptops, guide users to enable phone-based MFA or FIDO2 security keys as the second factor.
It's essential to educate users on MFA and how it safeguards their accounts. Provide clear instructions on enrolling their devices for MFA and encourage users to register multiple verification methods as backups. Consider excluding break-glass accounts from MFA to prevent a lockout.
Here are some key considerations for implementing an MFA registration policy:
- Enable policies for cloud services, applications, and systems, and enforce registration for all users.
- Educate users on MFA and how it safeguards their accounts.
- For mobile devices, ensure users have downloaded and activated the Microsoft Authenticator app.
- For desktops/laptops, guide users to enable phone-based MFA or FIDO2 security keys as the second factor.
- Encourage users to register multiple verification methods as backups.
- Prioritize MFA registration for privileged accounts like administrators.
- Consider excluding break-glass accounts from MFA to prevent a lockout.
- Use report-only mode initially to gauge impact before enforcing registration.
- Evaluate if existing MFA solutions need to be phased out after the Azure AD MFA rollout.
- Monitor registration status and follow up with users who don’t complete registration after prompts.
Risk Policy
Risk Policy plays a crucial role in safeguarding your organization's network and systems. It's essential to configure risk policies to automatically respond to user and sign-in risks detected through Azure Identity Protection's AI-driven risk modeling.
Properly tuned risk policies act as automated sentinels, promptly responding to abnormal activity before incidents occur. This can be achieved by enabling the user risk policy to enforce actions like MFA or password change for risky users.
To create an effective risk policy, consider the following:
- Enable the sign-in risk policy to trigger MFA prompts or block access for risky sign-in attempts.
- Set appropriate thresholds for user/sign-in risks based on your security posture. Aggressive thresholds lead to more false positives.
- Scope policies to all users or specific critical groups like administrators, based on coverage needed.
- Exclude emergency access accounts from the policies to prevent accidental lockout.
By implementing these risk policies, you can prevent potential threats and contribute to your anti-phishing toolkit. Automated response policies are enforced based on the risk level assessed during the sign-in attempt, ensuring the user and your organization are safeguarded.
Azure Identity Protection calculates the probability that a sign-in has been compromised using the sign-in risk policy. This policy considers the user's location, device, and other factors as pre-set conditions to calculate a risk score.
The risk score reflects the likelihood of an identity-based attack based on how far the activity deviates from normal user behavior. When risk is detected, users can remediate it themselves by resetting their password, which also keeps administrators from being flooded with signals.
Organizations can create a custom policy in which they select the user's location, device, and other factors as pre-set conditions. This doesn't mean that users can't access a system unless they're using their phone and standing in a specific location in their office; it just means that, based on these conditions, the program calculates a risk score.
Here's a summary of the risk levels and corresponding actions:
By configuring risk policies and understanding the risk levels, you can effectively protect your organization's network and systems from potential threats.