To minimize the risk of compromised Azure accounts, it's essential to implement best practices for user management.
Using multi-factor authentication (MFA) is a crucial step in securing Azure accounts, as it adds an extra layer of protection beyond just passwords.
Azure's built-in MFA capabilities can be enabled for all users or specific groups, making it a flexible and scalable solution.
Regularly reviewing and updating Azure Active Directory (AAD) group memberships can help prevent over-privileged users from accessing sensitive resources.
By limiting access to sensitive resources and data to only those who need it, you can significantly reduce the attack surface of your Azure environment.
Azure's Just-In-Time (JIT) VM access feature allows you to grant temporary access to specific resources for a limited time, reducing the risk of persistent access to sensitive data.
Monitoring Azure account activity and alerting on suspicious behavior can help detect and respond to potential security incidents more quickly.
Preparation
To prepare for integrating Netskope with Azure AD, you'll need a few things in place. You'll need an Azure AD account, which is a prerequisite for this configuration.
You'll also need to configure your Netskope tenant in Cloud Exchange, and make sure the User Risk Exchange module is set up. This will allow you to access the necessary API endpoints.
Here are the necessary permissions you'll need to obtain:
- Group.Create
- Group.ReadWrite.All
- GroupMember.Read.All
- IdentityRiskyUser.ReadWrite.All
- User.Read.All
Prerequisites
To get started with this configuration, you need a Netskope tenant that's already set up in Cloud Exchange. You'll also need a Netskope Cloud Exchange tenant with the User Risk Exchange module configured.
A crucial step is obtaining an Azure AD account, which will provide you with the necessary credentials. You'll need to get your Azure AD Credentials, which involves obtaining and providing necessary permissions.
You'll require configuration details like Client ID, Client Secret ID, and Tenant ID. To do this, refer to Get your Azure AD Credentials for the details.
To ensure you have the necessary permissions, you'll need to grant the following permissions to your Azure AD account:
- Group.Create
- Group.ReadWrite.All
- GroupMember.Read.All
- IdentityRiskyUser.ReadWrite.All
- User.Read.All
Lastly, make sure you have connectivity to the following hosts:
Update State
When preparing to update user state in Microsoft Entra ID Protection, it's essential to understand the supported entities, which include username and email address.
The state of the user can be updated using the "Update User State" action, which allows you to specify the state for the users.
The only possible value for the state is Compromised.
To update the state, you'll need to provide a state value, which is a DDL (Domain-Defined List) type.
A default value of Compromised is available for the state parameter.
The state parameter is mandatory, meaning it's required to be filled in for the action to be successful.
The action will output a message indicating the result of the update operation.
Here are the possible output messages:
Risk Assessment
Risk Assessment is a critical component of Azure AD Identity Protection. It helps you understand the level of risk associated with each sign-in attempt. Azure AD Identity Protection assigns a risk level to each sign-in, which can be low, medium, or high.
The risk level is determined by various factors, including anonymous IP address use, atypical travel, malware-linked IP addresses, unfamiliar sign-in properties, leaked credentials, and password spray. These factors are used to calculate a risk score, which is then used to determine the risk level.
You can view the risk levels for users and sign-ins in the Azure Active Directory Security tab. The Risky sign-ins report shows the aggregate risk levels, sign-in information, and detection type for each sign-in attempt. Clicking on a sign-in attempt will give you more details about the risk level and why it was determined to be risky.
To further investigate a sign-in attempt, you should consider the following attributes:
- Has the user signed in from this location and IP before?
- Has the user signed into this application before?
- Is the device registered in Azure AD?
- Is the device compliant?
By analyzing these attributes, you can determine the true risk level of the sign-in attempt and take appropriate action.
Here are some common risk detection types:
By understanding the risk assessment process and analyzing the risk detection types, you can take proactive steps to protect your organization from security threats.
Protection
Azure Identity Protection is a security service that provides a consolidated view of risky user activities and potential vulnerabilities affecting your identities.
It uses adaptive machine learning algorithms to detect anomalies and suspicious incidents such as leaked credentials, sign-ins from unfamiliar locations, infected devices, and impossible travel.
The service generates reports and alerts that enable administrators to investigate and respond to possible vulnerabilities.
Azure Identity Protection provides 5 key features to help protect against risky user activities: Risky sign-ins detection, Risky user detection, Risk-based conditional access policies, Reporting and investigation, and API access.
Here are some key features of Risky sign-ins detection:
- Analyzes sign-in patterns and flags anomalous ones like logins from unfamiliar locations, infected devices, or anonymous IP addresses.
- Provides detailed drill-downs for security teams to investigate.
By utilizing Azure AD Identity Protection, your organization can combat malicious sign-in attempts by assigning risk levels to sign-ins and users, and automate remediation actions.
Protection Features
Azure Identity Protection offers robust protection features to safeguard your identities and detect potential vulnerabilities. It uses adaptive machine learning algorithms to detect anomalies and suspicious incidents such as leaked credentials, sign-ins from unfamiliar locations, infected devices, and impossible travel.
Risky sign-ins detection is a key feature of Azure Identity Protection, which analyzes sign-in patterns and flags anomalous ones like logins from unfamiliar locations, infected devices, or anonymous IP addresses.
Here are the 5 key features of Azure Identity Protection:
- Risky sign-ins detection – Analyzes sign-in patterns and flags anomalous ones.
- Risky user detection – Identifies potentially compromised user accounts based on indicators like leaked credentials.
- Risk-based conditional access policies – Automatically blocks or challenges sign-ins and users via MFA or password change.
- Reporting and investigation – Provides reports on risky users and sign-ins with detailed drill-downs for security teams to investigate.
- API access – Allows exporting risk detections to SIEMs for further correlation and automated workflows.
Investigating risky sign-ins requires careful analysis of various attributes, including the application being signed into, location, device, IP address, and user agent. You should also consider factors like device registration in Azure AD and compliance status.
Here are some key attributes to look out for:
- Has this user signed in from this location and IP before?
- Has the user signed into this application before?
- Is the device registered in Azure AD?
- Is the device compliant?
Monitoring risky sign-ins can be done using Azure AD sign-in logs in a Log Analytics workspace or Microsoft Sentinel. You can query the logs to aid your investigations and hunt for threats. For example, you can run a query to see which risk detection types were the most common.
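As an added example (not code from the original article or from any of the tools it describes), the following Python applies the four investigation questions above to one risky sign-in against the user's earlier sign-ins, and tallies detection types the way the "most common detection types" query over the sign-in logs would. The record field names and all sample data are constructed.

```python
from collections import Counter

# Constructed sample records, loosely shaped after Entra ID sign-in log fields
# (example data, not real log output). Field names are assumptions.
SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "location": "Seattle, US",
     "app": "Office 365 Exchange Online", "risk_level": "none", "detections": [],
     "device_registered": True, "device_compliant": True},
    {"user": "alice@example.com", "ip": "203.0.113.10", "location": "Seattle, US",
     "app": "Microsoft Teams", "risk_level": "none", "detections": [],
     "device_registered": True, "device_compliant": True},
    {"user": "alice@example.com", "ip": "198.51.100.7", "location": "Lagos, NG",
     "app": "Azure Portal", "risk_level": "high",
     "detections": ["unfamiliarFeatures", "anonymizedIPAddress"],
     "device_registered": False, "device_compliant": False},
    {"user": "bob@example.com", "ip": "192.0.2.5", "location": "Berlin, DE",
     "app": "Office 365 Exchange Online", "risk_level": "medium",
     "detections": ["unfamiliarFeatures"],
     "device_registered": True, "device_compliant": True},
]


def triage(event, history):
    """Answer the four investigation questions for one risky sign-in.

    Only the user's earlier, non-risky sign-ins form the baseline, so a
    prior compromise does not make today's anomaly look familiar.
    Returns the four answers plus how many of them point to genuine risk.
    """
    prior = [h for h in history if h["user"] == event["user"]
             and h is not event and h["risk_level"] == "none"]
    answers = {
        "seen_location_and_ip_before": any(
            h["ip"] == event["ip"] and h["location"] == event["location"] for h in prior),
        "seen_application_before": any(h["app"] == event["app"] for h in prior),
        "device_registered": bool(event.get("device_registered")),
        "device_compliant": bool(event.get("device_compliant")),
    }
    # Each "no" answer is a signal that the sign-in deserves a closer look.
    answers["suspicious_signals"] = sum(1 for v in answers.values() if not v)
    return answers


def most_common_detections(events):
    """Tally detection types across sign-ins, most common first (the same
    question as the page's example query over the sign-in logs)."""
    return Counter(d for e in events for d in e["detections"]).most_common()
```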
Exclude Emergency Accounts
Excluding emergency access accounts from risk policies is crucial to maintain admin access to Azure AD in worst-case scenarios.
Create at least two emergency access accounts in your Azure AD tenant and ensure they have global administrator privileges. This will give you a safety net in case of mass user lockouts due to policy misconfiguration or synchronization errors.
Explicitly exclude these accounts from the Conditional Access policies enforcing MFA, password reset, etc., for risky users/sign-ins. This will prevent accidental lockouts of your emergency access accounts.
Have a documented process for keeping these accounts secure, including regularly reviewing access and revoking privileges as needed. This will help prevent unauthorized access to your emergency access accounts.
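An added example of the exclusion check described above (not from the article or from Microsoft): given Conditional Access policies shaped after the Graph API conditionalAccessPolicy object, with constructed sample data and placeholder object IDs, it reports every enforced risk-based policy that does not exclude all of the emergency access accounts.

```python
# Placeholder object IDs for the break-glass accounts (not real GUIDs).
BREAK_GLASS = {"BREAK-GLASS-1-OBJECT-ID", "BREAK-GLASS-2-OBJECT-ID"}

# Constructed policies, shaped after the Graph conditionalAccessPolicy object
# (sample data, not exported from a real tenant).
POLICIES = [
    {"displayName": "Require MFA for medium+ sign-in risk",
     "state": "enabled",
     "conditions": {"signInRiskLevels": ["medium", "high"],
                    "users": {"includeUsers": ["All"],
                              "excludeUsers": sorted(BREAK_GLASS)}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require password change for high user risk",
     "state": "enabled",
     "conditions": {"userRiskLevels": ["high"],
                    "users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["passwordChange"]}},
    {"displayName": "Block legacy auth (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["block"]}},
]


def is_risk_policy(policy):
    """True when the policy is triggered by sign-in risk or user risk."""
    conditions = policy["conditions"]
    return bool(conditions.get("signInRiskLevels") or conditions.get("userRiskLevels"))


def policies_missing_break_glass_exclusion(policies, break_glass=BREAK_GLASS):
    """Names of enforced risk policies that do not exclude every break-glass account.

    Report-only and disabled policies are skipped: they cannot lock anyone out.
    """
    missing = []
    for policy in policies:
        if policy["state"] != "enabled" or not is_risk_policy(policy):
            continue
        excluded = set(policy["conditions"]["users"].get("excludeUsers", []))
        if not break_glass <= excluded:
            missing.append(policy["displayName"])
    return missing
```

Run this against an export of your tenant's policies after every policy change; an empty result means every enforced risk policy excludes both emergency accounts.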
Enrich Entities
Enriching entities is a crucial step in protecting your data. You can enrich entities using information from Microsoft Entra ID Protection.
The supported entities for enrichment are Username and Email Address, which must match an email regular expression pattern. This ensures that your data is accurate and up-to-date.
The enrichment process involves applying specific logic to determine when to apply certain fields. For example, the "is_deleted" field is applied when the data is available in JSON.
Here are the enrichment field names and their corresponding logic:
The result of the enrichment process is an output message that indicates the success or failure of the action. If data is available for one entity, the message will indicate that the entity was successfully enriched. If data is not available for one entity, the message will indicate that the entity was not enriched. If data is not available for all entities, the message will indicate that none of the entities were enriched.
Security Measures
Azure Identity Protection is a powerful tool that can detect potential vulnerabilities affecting identities, investigate risky incidents, and take appropriate action to remediate issues and enforce multi-factor authentication.
Detecting potential vulnerabilities is a crucial step in securing your organization's identities. Azure Identity Protection can identify patterns using machine learning to enhance protection and reduce the account takeover risk.
Make sure that new risk reaches the right people:
- Configure email notifications for new risky users/sign-ins and weekly digests.
- Alert appropriate security team members.
Regularly reviewing Identity Protection reports is essential for managing risks. You can review Identity Protection reports like risky users, sign-ins, and risk detections daily to stay on top of potential threats.
Creating Azure Monitor dashboards can help you view risk trends, policy actions taken, and track remediation status. You can also use the Identity Protection workbook template to gain insights through interactive reports.
Malicious sign-in attempts are a common occurrence in organizations. Utilizing Azure AD Identity Protection can help you combat these sign-ins by assigning risk levels to sign-ins and users.
Here are some ways to automate remediation actions and enhance your investigations with the additional risk details captured by Identity Protection:
- Create Azure Monitor dashboards to view risk trends, policy actions taken, and track remediation status.
- Use the Identity Protection workbook template to gain insights through interactive reports.
- Export Identity Protection events via the Graph Security API to your SIEM solution.
- Correlate risk detections with other identity-related security events in your SIEM for enhanced monitoring.
- Configure playbooks in solutions like Azure Sentinel to trigger response workflows based on Identity Protection alerts.
Frequently Asked Questions
How do I unblock risky users in Azure?
To unblock a risky user in Azure, go to the Azure AD (Entra) portal and navigate to Protect & secure > Risky activities > Risky users, then select the user account and dismiss their risk.
What is a user risk in Azure AD Identity Protection?
A user risk in Azure AD Identity Protection occurs when a legitimate account is flagged as potentially compromised due to suspicious activity or unauthorized access. This can happen when an attacker gains access to an account using stolen credentials or the account exhibits unusual behavior.