#AzureAD : Identity Protection Part I

Microsoft Azure Active Directory has become the backbone of many cloud services. Just as identity is the key to today's technology landscape, protecting that identity is equally important in the digital world. To address this, Microsoft Azure AD Premium P2 offers Identity Protection. It detects potential vulnerabilities, and the response can be defined in two ways: automatic, or taken manually based on suspicious incidents.

In conversations it sounds very easy when you listen to the explanation from a technical sales representative, but it is not that easy. Microsoft Azure AD uses machine learning and heuristics to detect irregularities and suspicious incidents, which helps identify potentially compromised identities. It does not protect only privileged accounts but covers all identities. As a result, a large amount of data can be collected to generate reports and perform analysis, which helps identify anomalies in the system and potential vulnerabilities. Mitigation and remediation actions can be defined for the detected issues using risk-based policies. These policies are an add-on to the conditional access provided by Azure AD and EMS; they can either block the suspicious identities or initiate remediation actions, including password reset and MFA enforcement.

Here are the capabilities provided by Identity Protection:

Detecting vulnerabilities and risky accounts
  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
  • Calculating sign-in risk levels
  • Calculating user risk levels

Investigating risk events
  • Sending notifications for risk events
  • Investigating risk events using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based conditional access policies
  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication

Courtesy: Microsoft Azure Documentation
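As an added example (not from the original post or from Microsoft's documentation), the following PowerShell script shows what the "investigating risk events" capability looks like outside the portal: it pulls the users Identity Protection currently rates as high risk, lists the detections behind each one, and summarises detections by type for the last week. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds at least the Security reader role plus the two Graph read scopes requested; the seven-day window and the "high" threshold are choices made for illustration.

```powershell
# Added example (not from the original post): query Identity Protection risk
# data through Microsoft Graph instead of clicking through the portal.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in account
# has Security reader (or higher) and consents to the two read scopes below.
Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All"

# Users currently flagged as high risk that nobody has remediated or dismissed yet.
$riskyUsers = Get-MgRiskyUser -All -Filter "riskLevel eq 'high' and riskState eq 'atRisk'"

foreach ($u in $riskyUsers) {
    Write-Host ("`n{0}  level={1} state={2} detail={3} updated={4}" -f `
        $u.UserPrincipalName, $u.RiskLevel, $u.RiskState, $u.RiskDetail, $u.RiskLastUpdatedDateTime)

    # Detections that contributed to this user's risk, newest first.
    Get-MgRiskDetection -All -Filter "userId eq '$($u.Id)'" |
        Sort-Object ActivityDateTime -Descending |
        Select-Object ActivityDateTime, RiskEventType, RiskLevel, RiskState, IpAddress,
            @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
        Format-Table -AutoSize
}

# Summary for a weekly report: detections per event type over the last 7 days
# (the window length is an illustrative choice).
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgRiskDetection -All -Filter "detectedDateTime ge $since" |
    Group-Object RiskEventType |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Run it from an interactive session so `Connect-MgGraph` can complete the sign-in; the per-user section is what an analyst reads before deciding whether to confirm the account as compromised or dismiss the risk, which is why the script only reads and never changes risk state.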

In many organizations, identity protection falls under the security or risk management team. It is therefore practical to have role-based access control for managing these kinds of services. Even if the identity management team itself takes care of identity protection, defining RBAC still makes sense because it makes administrators accountable and responsible. Azure AD Identity Protection provides three types of role to manage it.

| Role | Can do | Cannot do |
| --- | --- | --- |
| Global administrator | Full access to Identity Protection, onboard Identity Protection | |
| Security administrator | Full access to Identity Protection | Onboard Identity Protection, reset passwords for a user |
| Security reader | Read-only access to Identity Protection | Onboard Identity Protection, remediate users, configure policies, reset passwords |

Courtesy: Microsoft Azure Documentation

Let's see how to enable it. Before proceeding further, make sure you have Azure AD Premium P2 enabled for your tenant.

Log in to https://aad.portal.azure.com and go to More services.

In More services, select Azure AD Identity Protection.

On the Azure AD Identity Protection – Getting started page, select “Onboard”.

In this panel, make sure you have the right directory selected and then click Create.

Once it is enabled, you can see the analysis.

If you want to explore further and review the permanent admin roles, go to Overview and click “Identify users who are assigned to permanent admin role” to configure Privileged Identity Management.

In the Configure premium extensions panel, select “Configure PIM”.

You need MFA to configure PIM. If you are enabled for MFA, click Verify my identity. It will redirect you to configure MFA.

Once MFA has been configured successfully, you can see the status as below. Now click Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To verify all the users who have PIM roles assigned, or to add another user to manage PIM, select Roles under Manage.
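To complement the “Identify users who are assigned to permanent admin role” step, here is an added PowerShell example (not from the original post) that lists permanent active directory role assignments, that is, assignments with no end date that PIM is not managing, flags Global Administrator among them, and counts the PIM-eligible assignments for comparison. It assumes the Microsoft.Graph PowerShell SDK and an account allowed to read role management data; the Global Administrator template ID used is the well-known Azure AD role template ID, and the helper `Resolve-PrincipalName` is defined here for illustration.

```powershell
# Added example (not from the original post): find permanent (non-PIM) active
# role assignments, the ones the Identity Protection overview tells you to review.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in account can
# read role management data (e.g. Global Reader or Privileged Role Administrator).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Well-known Azure AD role template ID for Global Administrator.
$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"

# Cache role definitions so each assignment can be shown by display name.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Helper (defined here for illustration): show a UPN for users, a display name
# for groups/service principals, and fall back to the raw object ID.
function Resolve-PrincipalName([string]$id) {
    try {
        $props = (Get-MgDirectoryObject -DirectoryObjectId $id).AdditionalProperties
        if ($props['userPrincipalName']) { return $props['userPrincipalName'] }
        if ($props['displayName'])       { return $props['displayName'] }
        return $id
    } catch { return $id }
}

# Active assignments: permanent ones have assignmentType 'Assigned' and no end date.
# PIM activations appear as 'Activated' and always carry an end date.
$active    = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All
$permanent = $active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

$permanent | ForEach-Object {
    [pscustomobject]@{
        Role        = $roleNames[$_.RoleDefinitionId]
        Principal   = Resolve-PrincipalName $_.PrincipalId
        MemberType  = $_.MemberType        # Direct, or inherited via Group
        Scope       = $_.DirectoryScopeId  # '/' means tenant-wide
        GlobalAdmin = ($_.RoleDefinitionId -eq $GlobalAdminTemplateId)
    }
} | Sort-Object GlobalAdmin, Role -Descending | Format-Table -AutoSize

# Eligible (just-in-time) assignments already under PIM, for comparison.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All
Write-Host ("Permanent active assignments: {0}; PIM-eligible assignments: {1}" -f `
    @($permanent).Count, @($eligible).Count)
```

The rows marked `GlobalAdmin = True` with `Scope = /` are the first candidates to convert from permanent to eligible once PIM is signed up, since that is exactly the population the overview recommendation highlights.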
