Using Azure AD Identity Protection for Risk Detection and Remediation
12/14/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in using Azure AD Identity Protection to detect, investigate, and remediate identity risks in their environments. Azure AD Identity Protection is a feature of Microsoft Entra ID (formerly Azure Active Directory) that automates the detection and remediation of identity-based risks, protecting organizations against threats such as compromised credentials, brute force attacks, and unauthorized access [1].
Introduction
Identities are the new security perimeter. With the shift to the cloud and remote work, protecting user identities has become more critical than ever. Phishing attacks, credential leaks, password spraying and access from unusual locations are constant threats that can lead to account compromise and, consequently, data breaches and service interruptions. Azure AD Identity Protection provides a proactive, automated solution to identify risky activities, assess the level of risk associated with users and sign-ins, and apply real-time remediation policies to protect your organization's identities [2].
This practical guide covers the fundamental concepts of Azure AD Identity Protection: the risk detection types, user and sign-in risk policies, how to configure those policies, integration with Azure AD Conditional Access, and risk investigation and remediation. Step-by-step instructions and configuration examples are provided so that the reader can implement and validate Azure AD Identity Protection, strengthening the security of their identities and ensuring an effective response to identity security incidents in an autonomous, professional and reliable way.
Why is Azure AD Identity Protection crucial?
- Real-Time Risk Detection: Uses Microsoft's machine learning algorithms and threat intelligence to automatically detect suspicious activity such as sign-ins from anonymous IP addresses, sign-ins from IP addresses linked to malware, impossible travel, and leaked credentials.
- Adaptive Risk Assessment: Assigns a risk level (low, medium, high) to each user and each sign-in based on a variety of factors, enabling responses proportionate to the threat.
- Automated Remediation Policies: Allows you to configure policies that automatically require MFA, reset passwords, or block access in response to specific risk levels.
- Conditional Access Integration: Works in conjunction with Azure AD Conditional Access to enforce adaptive access controls based on identity risk.
- Visibility and Investigation: Provides detailed reports on risk detections, risky users, and risky sign-ins, facilitating investigation and incident response.
- Reduce SOC Workload: Automates triage and remediation of many identity incidents, freeing security staff to focus on more complex threats.
Prerequisites
To use Azure AD Identity Protection, you will need the following items:
- Licensing: Azure AD Identity Protection requires a Microsoft Entra ID P2 license (formerly Azure AD Premium P2) [3].
- Administrative Access: An account with the Security Administrator, Conditional Access Administrator or Global Administrator role in the Azure portal (https://portal.azure.com).
- MFA Configured: For the sign-in and user risk policies to work effectively, users must have Multi-Factor Authentication (MFA) registered and configured. Using Azure AD Multi-Factor Authentication is recommended.
Step by Step: Configuring Azure AD Identity Protection
We will configure risk policies to protect your identities.
1. Accessing Azure AD Identity Protection
- Open your browser and navigate to the Azure portal: https://portal.azure.com.
- Sign in with an account that has the necessary permissions.
- In the top search field, type Azure AD Identity Protection and select it from the results.
2. Configuring User Risk Policy
This policy defines the action to be taken when a user is detected as being at risk (e.g. leaked credentials, persistent anomalous activity).
- In the Azure AD Identity Protection left navigation pane, select User risk policy.
- Assignments:
  - Under Users, select All users or Select individuals and groups to apply the policy to specific users or test groups. To begin with, it is recommended to apply the policy to a test group.
  - Optionally, use Exclude users and groups (e.g. service accounts, emergency access administrators).
- Conditions:
  - Under User risk, set the risk level that will trigger the policy (e.g. High). You can start with Medium and above and adjust as needed.
- Controls:
  - Access: select Allow access.
  - Enforce policy: select Require secure password change.
  - Explanation: if a user reaches the configured risk level, they are forced to change their password at their next sign-in. This is the key control for leaked credentials.
- Enable policy: set to On.
- Click Save.
3. Configuring the Sign-in Risk Policy
This policy defines the action to be taken when a sign-in attempt is detected as being risky (e.g. from an unusual location, anonymous IP, infected IP).
- In the Azure AD Identity Protection left navigation pane, select Sign-in risk policy.
- Assignments:
  - Under Users, select All users or Select individuals and groups.
  - Optionally, use Exclude users and groups.
- Conditions:
  - Under Sign-in risk, set the risk level that will trigger the policy (e.g. Medium).
- Controls:
  - Access: select Allow access.
  - Enforce policy: select Require multi-factor authentication.
  - Explanation: if a sign-in is detected as risky, the user is required to complete an MFA challenge, even where MFA is not normally required. This helps verify the user's identity.
- Enable policy: set to On.
- Click Save.
4. Configuring the MFA Registration Policy
This policy ensures that new users, or users who have not yet registered for MFA, are prompted to do so; MFA registration is a prerequisite for the risk policies.
- In the Azure AD Identity Protection left navigation pane, select MFA registration policy.
- Assignments:
  - Under Users, select All users or Select individuals and groups.
  - Optionally, use Exclude users and groups.
- Enforce policy: set to Enabled.
- Click Save.
5. Investigating Risky Users and Sign-ins
Identity Protection provides reports to monitor and investigate risky activity.
- In the Azure AD Identity Protection left navigation pane, select Risky users.
  - This report lists users who have been detected as being at risk, along with their risk level and last risk detection.
  - Click a user to see the risk details, including the specific risk detections (e.g. Leaked credentials, Anonymous IP address).
- In the left navigation pane, select Risky sign-ins.
  - This report lists sign-in attempts that were detected as risky, along with the risk level and the sign-in details.
  - Click a risky sign-in to view the full details, including detection type, location, device and application.
6. Remediating Risks Manually
Although the policies automate remediation, you may still need to remediate risks manually.
- For risky users:
  - In the Risky users report, select a user.
  - You can choose Confirm user compromised (this triggers the user risk policy, forcing a password change) or Dismiss user risk (if you determine the risk is a false positive).
- For risky sign-ins:
  - In the Risky sign-ins report, select a sign-in.
  - You can choose Confirm sign-in compromised or Confirm sign-in safe (if it is a false positive).
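The Risky users and Risk detections reports above are also exposed through Microsoft Graph, and the two buttons described in this step correspond to the actions confirmCompromised and dismiss on the riskyUsers collection. The following script is an added example for this guide, not Microsoft's code: it parses constructed payloads in the shape of GET /identityProtection/riskyUsers and GET /identityProtection/riskDetections responses, joins the open detections to each user, orders a triage queue (the priority rule and the user IDs are assumptions of this example), and builds, without sending, the Graph request behind the analyst's chosen action.

```python
"""Triage of Identity Protection 'Risky users' and 'Risk detections' data.

Added example, not Microsoft's code. The payloads below are constructed to
mirror the shape of Microsoft Graph GET /identityProtection/riskyUsers and
GET /identityProtection/riskDetections responses; the priority rule and the
user IDs are assumptions of this example.
"""
import json
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/v1.0"
LEVEL_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
OPEN_STATES = {"atRisk", "confirmedCompromised"}  # risk not yet remediated or dismissed

# Constructed sample: shape of the Risky users report.
RISKY_USERS_JSON = """{"value": [
 {"id": "u-1", "userPrincipalName": "alice@contoso.example", "riskLevel": "high",
  "riskState": "atRisk", "riskDetail": "none", "riskLastUpdatedDateTime": "2024-12-10T08:15:00Z"},
 {"id": "u-2", "userPrincipalName": "bob@contoso.example", "riskLevel": "medium",
  "riskState": "atRisk", "riskDetail": "none", "riskLastUpdatedDateTime": "2024-12-11T19:02:00Z"},
 {"id": "u-3", "userPrincipalName": "carol@contoso.example", "riskLevel": "low",
  "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordChange",
  "riskLastUpdatedDateTime": "2024-12-09T07:40:00Z"}
]}"""

# Constructed sample: shape of the Risk detections report (activity 'user' or 'signin').
RISK_DETECTIONS_JSON = """{"value": [
 {"id": "d-1", "userId": "u-1", "riskEventType": "leakedCredentials", "riskLevel": "high",
  "riskState": "atRisk", "activity": "user", "ipAddress": null, "detectedDateTime": "2024-12-10T08:15:00Z"},
 {"id": "d-2", "userId": "u-1", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
  "riskState": "atRisk", "activity": "signin", "ipAddress": "198.51.100.23", "detectedDateTime": "2024-12-10T07:58:00Z"},
 {"id": "d-3", "userId": "u-2", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
  "riskState": "atRisk", "activity": "signin", "ipAddress": "203.0.113.7", "detectedDateTime": "2024-12-11T19:02:00Z"},
 {"id": "d-4", "userId": "u-3", "riskEventType": "unlikelyTravel", "riskLevel": "low",
  "riskState": "remediated", "activity": "signin", "ipAddress": "192.0.2.44", "detectedDateTime": "2024-12-09T07:40:00Z"}
]}"""


def load_report(text):
    """Return the 'value' array of a Graph collection response."""
    return json.loads(text)["value"]


def triage(users, detections):
    """Join detections to users and order the queue: open risk first, then higher
    level, then more open detection types. Leaked credentials get a boost because
    only a secure password change clears them (assumed rule of this example)."""
    by_user = defaultdict(list)
    for d in detections:
        by_user[d["userId"]].append(d)
    queue = []
    for u in users:
        dets = by_user.get(u["id"], [])
        open_types = sorted({d["riskEventType"] for d in dets if d["riskState"] in OPEN_STATES})
        is_open = u["riskState"] in OPEN_STATES
        score = (10 if is_open else 0) + 3 * LEVEL_ORDER.get(u["riskLevel"], 0) + len(open_types)
        if "leakedCredentials" in open_types:
            score += 5
        queue.append({
            "userId": u["id"],
            "upn": u["userPrincipalName"],
            "riskLevel": u["riskLevel"],
            "riskState": u["riskState"],
            "openDetections": open_types,
            "priority": score,
        })
    queue.sort(key=lambda e: (-e["priority"], e["upn"]))
    return queue


def remediation_request(action, user_ids):
    """Build (do not send) the Graph request behind the portal's
    'Confirm user compromised' and 'Dismiss user risk' buttons."""
    if action not in ("confirmCompromised", "dismiss"):
        raise ValueError("action must be 'confirmCompromised' or 'dismiss'")
    return {
        "method": "POST",
        "url": f"{GRAPH}/identityProtection/riskyUsers/{action}",
        "json": {"userIds": list(user_ids)},
    }


if __name__ == "__main__":
    queue = triage(load_report(RISKY_USERS_JSON), load_report(RISK_DETECTIONS_JSON))
    for entry in queue:
        print(entry["priority"], entry["upn"], entry["riskLevel"], entry["riskState"], entry["openDetections"])
    # Analyst decision for the top of the queue; the request still needs an
    # access token with IdentityRiskyUser.ReadWrite.All before it is sent.
    print(remediation_request("confirmCompromised", [queue[0]["userId"]]))
```

The queue puts the user with an open leaked-credentials detection first, because that is the case in which the user risk policy's secure password change matters most; the remediated user drops to the bottom even though they still appear in the report. The decision itself stays with the analyst: the script only prepares the request for the action chosen.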
Validation and Testing
Testing Azure AD Identity Protection is crucial to ensure the policies are working as expected.
1. Sign-in Risk Simulation (Anonymous IP)
- Use a VPN or proxy to connect to the internet from a location other than your usual workplace that can be classified as an anonymous IP (e.g. a public proxy server, Tor).
- Try signing in to the Azure portal or an Azure AD-connected application with a test account.
- Expected result: if the sign-in risk policy is set to Medium or High with Require multi-factor authentication, you should be prompted to complete MFA. If the risk is High and the policy is set to Block access, access is denied.
- Check the Risky sign-ins report in Azure AD Identity Protection. You should see a risky sign-in for the test account with the detection type Anonymous IP address.
2. User Risk Simulation (Leaked Credentials)
You cannot directly simulate leaked credentials, but you can test the user risk policy by manually setting a test user to the High risk level (for testing purposes only, in a controlled environment).
- In the Risky users report, select a test user.
- Click Confirm user compromised (this sets the user risk to High and triggers the policy).
- Ask the test user to try to sign in.
- Expected result: the user should be prompted to change their password at the next sign-in, as configured in the user risk policy.
3. Checking Audit Logs and Sign-in Logs
- In the Azure portal, navigate to Azure Active Directory > Monitoring > Sign-in logs.
- Filter the logs by Sign-in risk state and User risk state to see the sign-ins that were evaluated and the actions taken.
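The check in step 3 can be automated over an export of the sign-in logs: each entry records the risk evaluated during the sign-in and which Conditional Access policies were applied, with what result. The script below is an added example for this guide, not Microsoft's or the page's own code. It works on constructed records in the shape of Microsoft Graph GET /auditLogs/signIns entries (riskState, riskLevelDuringSignIn, riskEventTypes_v2, appliedConditionalAccessPolicies) and classifies every medium- or high-risk sign-in by what actually happened to it; the policy names, IDs and IP addresses are invented, and the OData filter string is this example's assumption about how the same view is requested from Graph.

```python
"""Verify, from sign-in log records, how risky sign-ins were handled.

Added example, not Microsoft's or the page's own code. The records below are
constructed to mirror the shape of Microsoft Graph GET /auditLogs/signIns
entries; policy names, IDs and addresses are invented.
"""
import json

RISKY_LEVELS = {"medium", "high"}

# Constructed sample: five sign-ins, one of them not risky at all.
SIGNINS_JSON = """{"value": [
 {"id": "s-1", "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.23",
  "riskState": "atRisk", "riskLevelDuringSignIn": "high", "riskEventTypes_v2": ["anonymizedIPAddress"],
  "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [
    {"id": "p-signin", "displayName": "Sign-in risk - require MFA", "result": "success", "enforcedGrantControls": ["Mfa"]}]},
 {"id": "s-2", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.7",
  "riskState": "atRisk", "riskLevelDuringSignIn": "medium", "riskEventTypes_v2": ["unfamiliarFeatures"],
  "conditionalAccessStatus": "notApplied",
  "appliedConditionalAccessPolicies": [
    {"id": "p-signin", "displayName": "Sign-in risk - require MFA", "result": "reportOnlySuccess", "enforcedGrantControls": ["Mfa"]}]},
 {"id": "s-3", "userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.44",
  "riskState": "atRisk", "riskLevelDuringSignIn": "medium", "riskEventTypes_v2": ["unlikelyTravel"],
  "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
 {"id": "s-4", "userPrincipalName": "dave@contoso.example", "ipAddress": "192.0.2.10",
  "riskState": "none", "riskLevelDuringSignIn": "none", "riskEventTypes_v2": [],
  "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
 {"id": "s-5", "userPrincipalName": "eve@contoso.example", "ipAddress": "198.51.100.99",
  "riskState": "atRisk", "riskLevelDuringSignIn": "high", "riskEventTypes_v2": ["maliciousIPAddress"],
  "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
    {"id": "p-block", "displayName": "Block high sign-in risk", "result": "failure", "enforcedGrantControls": ["Block"]}]}
]}"""


def outcome(signin):
    """Classify how the applied policies handled one risky sign-in."""
    applied = signin.get("appliedConditionalAccessPolicies") or []
    if any(p["result"] == "failure" and "Block" in p.get("enforcedGrantControls", []) for p in applied):
        return "blocked"
    if any(p["result"] == "success" and "Mfa" in p.get("enforcedGrantControls", []) for p in applied):
        return "mfa_enforced"
    if any(p["result"].startswith("reportOnly") for p in applied):
        return "report_only"  # policy evaluated but not enforced
    return "no_control"  # risky sign-in that no risk policy acted on


def verify_risk_controls(text):
    """Map each sign-in with medium or high risk during sign-in to its outcome.
    'no_control' and 'report_only' entries are the ones to follow up."""
    records = json.loads(text)["value"]
    return {s["id"]: outcome(s) for s in records if s.get("riskLevelDuringSignIn") in RISKY_LEVELS}


def summarize(findings):
    """Count outcomes, e.g. {'mfa_enforced': 1, 'no_control': 1, ...}."""
    counts = {}
    for o in findings.values():
        counts[o] = counts.get(o, 0) + 1
    return counts


def signin_filter(risk_state="atRisk", level="medium"):
    """OData $filter for /auditLogs/signIns (assumed equivalent of the portal's
    sign-in risk state / sign-in risk level filters)."""
    return f"riskState eq '{risk_state}' and riskLevelDuringSignIn eq '{level}'"


if __name__ == "__main__":
    findings = verify_risk_controls(SIGNINS_JSON)
    for sid, o in findings.items():
        print(sid, o)
    print(summarize(findings))
    print(signin_filter(level="high"))
```

In the sample, the anonymous-IP sign-in was challenged for MFA as the policy requires, the medium-risk sign-in against a report-only policy went through untouched, and one medium-risk sign-in matched no policy at all; the last two are exactly the cases this validation step is meant to surface before the policies are trusted in enforcement mode.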
Security Tips and Best Practices
- Start with Report-only Mode: When configuring risk policies, start with Report-only mode to understand the impact of the policies before applying them in enforcement mode. This helps identify false positives without interrupting users.
- User Education: Educate users about the importance of MFA and how to respond to password change requests or MFA challenges. Explain the benefits of Identity Protection to them.
- Integration with Conditional Access: Use Identity Protection in conjunction with Conditional Access to create more sophisticated adaptive access policies. For example, block access to critical applications when the sign-in risk is High.
- Continuous Monitoring: Regularly monitor the Risky users and Risky sign-ins reports to investigate suspicious activity and ensure the policies are working as expected.
- Periodic Review of Policies: Review and adjust your risk policies regularly to adapt to changes in the threat landscape and business requirements.
- SIEM/SOAR Integration: Integrate Azure AD Identity Protection alerts with your SIEM (e.g. Microsoft Sentinel) for a centralized view and more comprehensive incident response automation.
- Prioritize Privileged Users: Focus on protecting highly privileged users (administrators) with the strictest risk policies.
Common Troubleshooting
- Users are not prompted for MFA/password change: Verify that the user has an Azure AD P2 license. Make sure the risk policies are Enabled and the user is included in the assignments. Check whether the user has already registered for MFA.
- Risk false positives: Investigate the risk detections to understand why they were triggered. You can Confirm sign-in safe for sign-ins or Dismiss user risk for users if you are sure there is no threat. Adjust the risk policy conditions if necessary (e.g. raise the risk level that triggers the policy).
- Users Improperly Blocked: If the sign-in risk policy is set to Block access for Medium or Low risk, this may result in excessive blocks. Review the risk level and the policy action. Consider using Require multi-factor authentication instead of Block access for medium risk.
- MFA Registration Issues: Make sure the MFA registration policy is Enabled and the users are included. Check for other Conditional Access policies that may be interfering.
- Risk detections do not appear: Verify that Identity Protection is enabled and that there is authentication traffic in your Azure AD. It may take some time for risk detections to appear, especially user risks.
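Several of the tips and troubleshooting points above (start in report-only mode, exclude emergency access accounts, do not block on low or medium sign-in risk, require a secure password change for user risk) can be checked mechanically, because risk policies configured through Conditional Access are ordinary policy objects with userRiskLevels, signInRiskLevels and builtInControls fields. The audit script below is an added example for this guide, not Microsoft's code: it runs over constructed policy objects in the shape of Microsoft Graph GET /identity/conditionalAccess/policies results and reports the deviations; the rules encode this guide's recommendations and the policy IDs and group names are invented.

```python
"""Audit risk-based Conditional Access policies against this guide's recommendations.

Added example, not Microsoft's code. The policies below are constructed in the
shape of Microsoft Graph GET /identity/conditionalAccess/policies objects; the
audit rules encode the tips and troubleshooting points of the guide and the
IDs and group names are invented.
"""

REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed sample tenant: one user risk policy, two sign-in risk policies,
# one unrelated device policy.
POLICIES = [
    {"id": "p-1", "displayName": "User risk - secure password change", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1"],
                              "includeGroups": [], "excludeGroups": []},
                    "userRiskLevels": ["medium", "high"], "signInRiskLevels": []},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
    {"id": "p-2", "displayName": "Sign-in risk - require MFA", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": ["grp-pilot"], "excludeGroups": ["grp-breakglass"]},
                    "userRiskLevels": [], "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p-3", "displayName": "Sign-in risk - block", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []},
                    "userRiskLevels": [], "signInRiskLevels": ["low", "medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "p-4", "displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []},
                    "userRiskLevels": [], "signInRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def policy_kind(policy):
    """'userRisk', 'signInRisk', or None for a policy without a risk condition."""
    c = policy["conditions"]
    if c.get("userRiskLevels"):
        return "userRisk"
    if c.get("signInRiskLevels"):
        return "signInRisk"
    return None


def audit_policy(policy):
    """Return (code, message) findings for one risk policy; empty list if none."""
    findings = []
    kind = policy_kind(policy)
    if kind is None:
        return findings  # not a risk policy, out of scope for this audit
    c = policy["conditions"]
    users = c.get("users", {})
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    if policy["state"] == REPORT_ONLY:
        findings.append(("REPORT_ONLY", "still in report-only mode; nothing is enforced until enabled"))
    elif policy["state"] == "disabled":
        findings.append(("DISABLED", "policy is disabled"))
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append(("NO_ASSIGNMENT", "no users or groups assigned"))
    if not (users.get("excludeUsers") or users.get("excludeGroups")):
        findings.append(("NO_EXCLUSIONS", "no exclusions; emergency access accounts should be excluded"))
    if kind == "signInRisk" and "block" in controls and ({"low", "medium"} & set(c["signInRiskLevels"])):
        findings.append(("BLOCK_ON_LOW_MEDIUM", "blocks low/medium sign-in risk; prefer requiring MFA at those levels"))
    if kind == "userRisk" and "passwordChange" not in controls:
        findings.append(("NO_PASSWORD_CHANGE", "user risk policy does not require a secure password change"))
    return findings


def audit(policies):
    """Audit all policies; returns a list of (policyId, code, message)."""
    out = []
    for p in policies:
        for code, msg in audit_policy(p):
            out.append((p["id"], code, msg))
    return out


if __name__ == "__main__":
    for policy_id, code, msg in audit(POLICIES):
        print(f"{policy_id}: {code}: {msg}")
```

Against the sample, the user risk policy passes, the MFA policy is flagged only for still being in report-only mode, and the blocking policy is flagged twice: it blocks at low and medium risk (the "users improperly blocked" case above) and excludes no emergency access account. Run regularly, the same audit catches a policy that was left in report-only mode after the pilot ended.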
Conclusion
Azure AD Identity Protection is an indispensable tool for protecting identities in modern cloud-based environments. By automating identity risk detection and remediation, it enables organizations to quickly respond to threats, reduce the attack surface, and strengthen their overall security posture. Careful implementation of risk policies, combined with user education and continuous monitoring, empowers security teams to proactively protect the most critical identities. With this practical guide, security professionals will be well-equipped to configure, validate, and manage Azure AD Identity Protection, ensuring their identities remain secure and resilient against ever-evolving cyber threats.
References:
[1] Microsoft Learn. What is Microsoft Entra ID Protection? Available at: https://learn.microsoft.com/pt-br/entra/id-protection/overview-identity-protection
[2] Microsoft Learn. What are risk detections? Available at: https://learn.microsoft.com/pt-br/entra/id-protection/concept-identity-protection-risks
[3] Microsoft Learn. Licensing requirements for Microsoft Entra ID Protection. Available at: https://learn.microsoft.com/pt-br/entra/id-protection/overview-identity-protection#license-requirements
[4] Microsoft Learn. Configure risk policies for Microsoft Entra ID Protection. Available at: https://learn.microsoft.com/pt-br/entra/id-protection/howto-identity-protection-configure-risk-policies
[5] Microsoft Learn. Investigate risks with Microsoft Entra ID Protection. Available at: https://learn.microsoft.com/pt-br/entra/id-protection/howto-identity-protection-investigate-risk
[6] Microsoft Learn. Remediate risks and unblock users. Available at: https://learn.microsoft.com/pt-br/entra/id-protection/howto-identity-protection-remediate-unblock