Protect cloud Identities with Azure Active Directory Identity Protection

Symantec released their latest Internet Security Threat Report in early June. This report includes data about infrastructure threats for year 2016. It says, for year 2016, near 1.1 billion identities has been exposed. Also for last 8 years total identity breach is around 7.1 billion which is almost equal to total world population.

In Identity infrastructure breach, most of the time advisories get in to the system using a legitimate user name and password belong to an identity in that infrastructure. This initial breach can be result of malware, phishing or pass-the-hash attack. If it’s a “privileged” account, it makes easier for advisories to gain control over identity infrastructure. But it’s not always a must. All they need is some sort of a breach. Latest reports show after an initial breach it only takes less than 48 hours to gain full control over identity infrastructure.

When we look in to it from identity infrastructure end, if someone provides a legitimate user name and password it allows access to the system. This can be from the user or an advisory. But by default, system will not know that. In local AD infrastructure, solutions like Microsoft Advanced Threat Analytics, Microsoft Identity Management helps to identify and prevent inauthentic use of identities. Azure Active Directory Identity Protection is a feature comes with Azure AD Premium, which can use to protect your workloads from inauthentic use of cloud identities.  It mainly has following benefits. 

• Detect vulnerabilities which affect the cloud identities using adaptive machine learning algorithms and heuristics.

• Issue alerts and reports to detect/identify potential identity threats and allow administrators to take actions accordingly. 

• Based on policies, force automated actions such as Block Access, MFA authentication or Password reset when it detects a suspicious login attempt. 

• Users with leaked credentials

• Sign-ins from anonymous IP addresses

• Impossible travel to atypical locations

• Sign-ins from unfamiliar locations

• Sign-ins from infected devices

• Sign-ins from IP addresses with suspicious activity

 

More information about Azure risk events can find here 

 

Let’s see how we start using Azure Active Directory Identity Protection. Before we start we need to have following, 

 

1) Azure Active Directory Premium P2 Subscription

2) Global Administrator account  

 

Once you have above, log in to Azure as Global Administrator.

 

1) Go to New | then type Azure AD Identity Protection 

 

 

2) On Azure AD Identity Protection page click on Create

 

 

3) Then it loads up a new page with Azure Directory details and feature details. Click on Create again to proceed. 

 

 

4) Once it is done, go on and search for Azure AD Identity Protection under more services. Then it will show the dashboard for the feature. 

 

 

5) In my demo environment, it is immediately detect that I have 257 user accounts without MFA. 

 

 

6) The beauty of this is, once it detects a problem it guides you to address the issue. If I double click on the MFA alert, I gets the Multi-factor authentication registration policy settings page, where I can enforce users to use MFA. 

 

 

Under the user assignment, I can force it for all users or group of users. 

 

 

Under the controls, by default it selected the Require Azure MFA registration option. 

 

 

Under the Review option we can evaluate the impact. 

 

 

Once configuration is done, we can enforce the policy using Enforce Policy option. 

 

 

7) Using Sign-in risk policy, we can define actions system need to take in an event it detects sing-in risk from user. In order to define policy settings, click on Sign-in risk policy in Azure AD Identity Protection Dashboard

 

 

8) Then it loads up the policy configuration page. 

 

 

Under the Assignments we can decide which users this policy applies to. It can be either All users or group of users. we also can exclude users from the selection. 

 

 

Under the Conditions, we can select the level of sing-in risk events need to consider in the policy. there are three options to select with which is low and above, medium and above or High.

 

 

Under the Access option we can define what system should do once it detect risk events. It can either block access completely or allow access with additional security conditions such as Require multi-factor authentication.

 

 

Using Review option we can see what kind of impact policy will make ( if there are any existing risk events). 

 

Once all these done, use Enforce Policy option to enforce it. 

 

 

9) In similar way using User risk policy we can define policy settings to handle risky users. 

 

10) We also can configure Azure AD Identity Protection to send alerts when it detects an event. To do that go to Alerts option in Azure AD Identity Protection Dashboard

 

 

In configuration page, we can define the lowest alert level that need to consider. So, any event equal to that level or above will send out as alert to the selected recipients. 

 

 

11) Azure AD Identity Protection also can send automated weekly email report with events it detected. In order to configure it go to Weekly Digest option in Azure AD Identity Protection Dashboard

 

 

In configuration page, we can select which recipients it should goes to. 

 

 

In this article, I explained what is Azure AD Identity Protection and how we can use it to protect cloud identities. Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com