Search the Petri IT Knowledgebase
search icon

close

Windows

Cloud

Microsoft 365

PowerShell

Active Directory

Security

Windows Server

Video

Microsoft Teams Day is back!

Register today!
Icon for Live Conference on December 8!

Live Conference on December 8!

GET-IT Microsoft Teams Conference

Icon for Live Webinar on Nov. 29th!

Live Webinar on Nov. 29th!

MVP Panel Talk: Do You Need to Backup Microsoft 36...

Icon for Live Webinar Coming Dec. 14th!

Live Webinar Coming Dec. 14th!

Recession Proof Your IT: How to Reduce IT Costs Wi...

Icon for New E-Book

New E-Book

Tracking Tasks in Microsoft 365

Home

Security

Secure Azure AD Using Identity Protection

Russell Smith

 |

Feb 17, 2017

In today’s Ask the Admin, I’ll provide a brief overview of the anomaly detection features used by Microsoft to keep cloud identities safe and how these features have been made commercially available to enterprises in the form of Azure Active Directory (AAD) Identity Protection.

 

 

Microsoft claims that 60 percent of all successful attacks rely on compromised credentials, so extra care needs to be taken to protect user identities in Active Directory (AD), and Microsoft’s cloud-based directory services solution, AAD. Microsoft Advanced Threat Analytics (ATA) is a product for protecting user accounts in on-premises AD, and while I haven’t seen it stated anywhere, it’s likely that many of the features in AAD Identity Protection are provided by ATA behind the scenes.

For more information on protecting user identities in on-premise AD using Microsoft ATA, see What Is Microsoft Advanced Threat Analytics? on the Petri IT Knowledgebase.

AAD Identity Protection goes beyond simple monitoring and reporting by allowing organizations to set risk-based policies that respond to issues when a specified risk level is reached. For instance, a policy could block access, force a user to reset their password, or stipulate the use of multifactor authentication. AAD configuration issues are also flagged, such as the alerts from AAD Privileged Identity Management and the presence of unmanaged cloud apps.

Azure Active Directory Identity Protection (Image Credit: Microsoft)

Azure Active Directory Identity Protection (Image Credit: Microsoft)

There are six risk event types that AAD Identity Protection detects and each is assigned a risk level: High, Medium, or Low.

  • Users with leaked credentials
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activity

Just like Microsoft ATA, AAD Identity Protection uses machine learning and behavioral analysis to detect malicious activity related to user identities. For each incident that is detected, a risk event is created. Some risk events can be detected in real-time, while others are detected offline. To mitigate risk events, actions defined in policy are activated when a certain risk level is reached.

The default risk level threshold is set to Medium, and Microsoft recommends planning carefully because although high thresholds reduce the frequency at which policies trigger mitigation actions, it also increases the risk of malicious activity. Low and Medium risk thresholds might introduce more inconvenience for users but are more likely to prevent credentials being compromised. Identity Protection allows administrators to select the users to which policies apply, so organizations can create policies for different risk groups.

Azure Active Directory Identity Protection Policy (Image Credit: Microsoft)

Azure Active Directory Identity Protection Policy (Image Credit: Microsoft)

Identity Protection is available as part of AD Premium P2 subscriptions, and you can sign up for a free trial at Microsoft’s website here.

In this article, I explained how AAD Identity Protection helps keep cloud user identities safe.

 

More from Russell Smith

Microsoft Teams

Free Microsoft Teams GET-IT Virtual Conference Dec 8
Apple iOS 16

This Week in IT - The UGLY Truth About the iPhone SE
Project Volterra

Windows on Arm - Does Project Volterra Solve the Performance Problem?

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

More in Security

Security

How to Enable Windows 11 Config Lock on Secured-Core PCs

Dec 2, 2022 | Dean Ellerby

Network Security

Microsoft Defender Vulnerability Management Now Supports Firmware Assessments

Nov 29, 2022 | Rabia Noureen

Cloud Computing and Security

Microsoft Entra Workload Identities Service is Now Generally Available

Nov 29, 2022 | Rabia Noureen

Security

Microsoft Authenticator to Enable Number Matching Security Feature by Default in February 2023

Nov 21, 2022 | Rabia Noureen

Cloud Computing

Microsoft Defender for Endpoint Adds Network Protection on iOS and Android

Nov 11, 2022 | Rabia Noureen

Network Security

What is a Software-Defined Perimeter?

Nov 11, 2022 | Sukesh Mudrakola

Most popular on petri

Article saved!

Access saved content from your profile page. View Saved

Reach out

Learn More

Sitemap

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy