Azure Identity Protection is the enigmatic sentinel of the Microsoft realm. Understanding the inner workings of Azure Identity Security Protection is essential to any information security officer, and will unlock the keys to an effective user risk policy.
Unsurprisingly, cyber attackers are sharp – they have found various ways to infiltrate and compromise digital applications. Sometimes, users make their malicious conquests even easier by using weak passwords, leaving over-privileges, and failing to recognize social engineering attacks.
So far, in 2023, 60% of medium-sized companies have reported theft of credentials. As a result, tools like Microsoft’s Azure Identity Protection have become a staple in protecting against compromised identities, account takeover, and misuse of privileges. With a strong identity protection foundation, organizations can adopt concepts like zero trust and confidently progress toward a dynamic, identity-centric model that keeps credentials safe.
In this article, we will discuss what Azure Active Directory Identity Protection is, its features, and its benefits. Then, we’ll review eight best practices to help you get the most out of Azure Identity Protection.
What is Azure Identity Protection?
Azure Identity Protection is a security service that provides a consolidated view of risky user activities and potential vulnerabilities affecting your identities. It uses adaptive machine learning algorithms to detect anomalies and suspicious incidents such as leaked credentials, sign-ins from unfamiliar locations, infected devices, and impossible travel.
The service generates reports and alerts that enable administrators to investigate and respond to possible vulnerabilities. It also provides remediation capabilities like password resets and multi-factor authentication (MFA) enforcement to resolve issues.
What are the Main Features of Azure Identity Protection?
Here are 5 key features of Azure Identity Protection:
- Risky sign-ins detection – Analyzes sign-in patterns and flags anomalous ones like logins, unfamiliar locations, infected devices, or anonymous IP addresses.
- Risky user detection – Identifies potentially compromised user accounts based on indicators like leaked credentials, suspicious inbox activities, and impossible travel.
- Risk-based conditional access policies – Automatically blocks or challenges sign-ins and users via MFA or password change.
- Reporting and investigation – Provides reports on risky users and sign-ins with detailed drill-downs for security teams to investigate.
- API access – Allows exporting risk detections to SIEMs for further correlation and automated workflows.
How Can Azure Identity Protection Improve Security
Overall, Azure Identity Protection has numerous benefits for organizations, including:
- Detects potential vulnerabilities affecting identities.
- Investigates risky incidents and takes appropriate action.
- Remediates issues and enforces multi-factor authentication.
- Identifies patterns using machine learning to enhance protection.
- Reduces the account takeover risk.
- Promptly identifies, investigates, and responds to identity threats.
- Helps you view and understand IAM policies.
How to Get the Most out of Azure Identity Protection
1. Engage Stakeholders Early
Securing buy-in and clarity on expectations upfront from internal stakeholders like IT security teams, infrastructure/operations teams, application owners, business leaders, etc., ensures smooth adoption and optimal use of Identity Protection, which maximizes ROI.
Tips:
- Identify all stakeholders impacted by Identity Protection, such as security admins, IT teams managing authentication systems, application owners, helpdesk, etc.
- Conduct workshops to demonstrate Identity Protection capabilities like risk modeling, automated response, and reporting.
- Define their roles and responsibilities in deploying, supporting, and getting value from the solution.
- Get their input on policies, alerts, and integrations with other tools like SIEM based on their needs.
- Keep them updated on timelines, changes, and requirements from their side.
- Set up an onboarding plan for users impacted by MFA registration and risk policies.
- Create a support/escalation process for issues faced by users.
- Establish a feedback process for continuous improvement after rollout.
2. Configure Risk Policies
Azure Identity Protection allows the creation of Conditional Access policies to automatically respond to user and sign-in risks detected through its AI-driven risk modeling. Properly tuned risk policies act as automated sentinels, promptly responding to abnormal activity before incidents occur.
Tips:
- Enable the user risk policy to enforce actions like MFA or password change for risky users.
- Enable the sign-in risk policy to trigger MFA prompts or block access for risky sign-in attempts.
- Set appropriate thresholds for user/sign-in risks based on your security posture. Aggressive thresholds lead to more false positives.
- Scope policies to all users or specific critical groups like administrators, based on coverage needed.
- Exclude emergency access accounts from the policies to prevent accidental lockout.
- Use report-only mode to evaluate policy impact before full enforcement.
- Review automated remediations in usage reports to correlate risk detections with user/sign-in actions taken.
- Adjust policies periodically based on analysis of risk patterns in your environment.
- Export risk detections to your SIEM for further correlation and monitoring coverage.
- Ensure sufficient testing to balance security with user experience.
3. Require MFA Registration
The Azure Identity Protection policy for MFA registration prompts users to enroll for Azure AD Multi-Factor Authentication (MFA) during sign-in, strengthening account security beyond just passwords.
Tips:
- Enable policies for cloud services, applications, and systems, and enforce registration for all users. Gradual rollout is also an option to minimize disruption.
- Educate users on MFA and how it safeguards their accounts. Provide clear instructions on enrolling their devices for MFA.
- For mobile devices, ensure users have downloaded and activated the Microsoft Authenticator app.
- For desktops/laptops, guide users to enable phone-based MFA or FIDO2 security keys as the second factor.
- Encourage users to register multiple verification methods as backups.
- Prioritize MFA registration for privileged accounts like administrators to protect critical access.
- Consider excluding break-glass accounts from MFA to prevent a lockout.
- Use report-only mode initially to gauge impact before enforcing registration.
- Evaluate if existing MFA solutions need to be phased out after the Azure AD MFA rollout.
- Monitor registration status and follow up with users who don’t complete registration after prompts.
4. Exclude Emergency Accounts
When configuring Azure Identity Protection risk policies for user and sign-in risks, excluding emergency access or break-glass administrator accounts from the scope is crucial. The rationale is to maintain admin access to Azure AD in worst-case scenarios like mass user lockouts due to policy misconfiguration or synchronization errors.
Tips:
- Create at least two emergency access accounts in your Azure AD tenant and ensure they have global administrator privileges.
- Explicitly exclude these accounts from the Conditional Access policies enforcing MFA, password reset, etc., for risky users/sign-ins.
- Have a documented process for keeping these accounts secure, including:
- Ensure the credentials are known only to designated people like CISOs, security leads, etc.
- Rotate the credentials periodically, ideally every 30-90 days.
- Monitor the accounts for any anomalous sign-in or usage patterns.
- Outline the verification process before use if accounts are accidentally locked out.
5. Add Trusted Locations
Configuring named locations for office networks and VPN ranges is an essential optimization for Azure Identity Protection’s risk modeling. By declaring internal networks as trusted/known locations, sign-ins originating from them will have lower risk scores in Identity Protection. This minimizes false positives and unnecessary challenges for users accessing resources on the internal corporate network.
Tips:
- Create named locations in Azure AD Conditional Access representing office IP ranges and VPNs.
- Mark on-premises office networks as ‘trusted locations’ once configured.
- Configure VPN IP ranges as named locations marked as ‘known.’
- Update location definitions if office networks or VPNs change.
- Verify location mappings by checking sign-in logs to see if IP addresses are correctly matching.
- Exclude unnamed/unknown locations from the trusted or known designations.
- Review sign-in logs periodically to validate mappings.
6. Enable Security Monitoring
Ongoing monitoring and alerting are critical for managing risks Azure Identity Protection detects. Robust monitoring is vital to realizing the value of Identity Protection. You can make risk visibility and response coordination a 24×7 capability through SIEM integration and smart workflows.
Tips:
- Configure email notifications for new risky users/sign-ins and weekly digests. Alert appropriate security team members.
- Review Identity Protection reports like risky users, sign-ins, and risk detections daily.
- Create Azure Monitor dashboards to view risk trends, policy actions taken, and track remediation status.
- Use the Identity Protection workbook template to gain insights through interactive reports.
- Export Identity Protection events via the Graph Security API to your SIEM solution.
- Correlate risk detections with other identity-related security events in your SIEM for enhanced monitoring.
- Configure playbooks in solutions like Azure Sentinel to trigger response workflows based on Identity Protection alerts.
- Document investigation and remediation processes for security operations.
7. Train End Users
An educated user base is less prone to lapses that can jeopardize account security. Continuous training and motivation help sustain user cooperation, which is crucial for successful Identity Protection usage.
Tips:
- Inform users about new Identity Protection policies like MFA registration and risk-based sign-in challenges. Explain the needs and benefits.
- Provide clear instructions on enrolling for MFA during sign-in prompts.
- Train users on proper password hygiene, like using strong passwords, password managers, and not reusing passwords across sites.
- Set up self-service password reset (SSPR) for accounts. Raise awareness about phishing attacks and how to identify suspicious emails or links.
- Inform users about reporting suspicious activity, like unfamiliar sign-in locations.
- Reward security-conscious behavior by employees to drive engagement.
- Track training completion rates and measure security awareness over time via red teaming.
8. Leverage Rezonate’s Identity Threat Protection
While Azure Identity Protection provides fundamental risk detection capabilities, solutions like Rezonate can augment protection for cloud identities and access. Rezonate is an identity threat protection platform that integrates natively with Azure AD and continuously analyzes identity and access patterns to uncover risks. Rezonate also protects and protects and monitors potential compromises of the Azure AD admin console and infrastructure, as experienced in July this year.
Key capabilities to help you maximize Identity Protection:
- Discovers all human and service identities across Azure AD, Okta, Google Workspace etc., and provides a unified view.
- Continuously monitors privileged access and entitlements to detect anomalies and generate actionable alerts.
- Correlates cross-cloud identity management, events, and user behaviors to identify sophisticated attack patterns.
- Recommends one-click remediation actions for resolving policy violations or mitigating risks.
- Automates response through integration with existing workflows like Azure playbooks.
- Provides easy-to-understand visualizations of identity relationships and access paths to resources.
Identify Vulnerabilities Before Attackers Do
Azure Identity Protection offers adaptive and intelligent capabilities to identify vulnerabilities, remediate risks, and enforce access controls. You can build a comprehensive identity-centric security strategy by leveraging features like risky sign-in policies and integrating Identity Protection with solutions like Rezonate. Rezonate provides unified visibility, detection, and response powered by industry-leading identity graphs. See Rezonate in action today.
