Tag Archives: Azure AD Identity Protection

#Azure AD : All about Azure Active Directory


IT has moved from the datacenter era to the cloud era. The focus of organizations has shifted from one specific set of vendors to the open world of technology. Since the inception of the datacenter, identity has played a vital role and has always been treated as the backbone of IT. Now, in the new era of multi-cloud environments, identity plays a central role; this is a new beginning for identity, which has been extended from an IT backbone to a user-experience-oriented service.

Microsoft played a key role in the datacenter era with Windows Server Active Directory and is again playing a crucial role in the multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory is not only a directory service but a complete cloud service that can fulfill all of your identity and authorization needs. However, you may find a couple of identity-related requirements that cannot yet be fulfilled by native AAD features; the service is continuously evolving.

In this era, organizations do not need an SME for everything; they need a design SME who has a broad understanding of the complete end-to-end solution stack, from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD. These posts focus mainly on how to do it, or you could say they are step-by-step guides backed by real-world scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Conditional Access

Custom domain names

Company branding

Cloud App Discovery

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing

B2C

Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

The above series of blog posts covers most areas of Azure Active Directory. You can bookmark this post for any Azure AD need; I will try my level best to add new Azure AD related posts to this series.


#AzureAD : Identity Protection Part III


Part I and Part II of this blog post cover the basics of Identity Protection and how to enable and configure it. In this post, I will cover the remaining part of Identity Protection. Once you have enabled and configured Identity Protection successfully, monitoring, investigation and reporting become a crucial part of information risk management. The Azure AD portal fulfills this need through a single control panel.

Users flagged for risk, risk events and vulnerabilities can be investigated under “INVESTIGATE”.

You can view or download the report and change the user risk policy configuration through the “Users flagged for risk” panel.

Risk events for the last 90 days can be seen under “Risk events”, and the same report can be downloaded as well. If you have a list of known IP address ranges, you can define them so that the report does not reflect sign-ins from trusted IP ranges. To add IP address ranges, select “+ Add known IP address ranges”.

In the “Configure locations” panel, select “+ New location” and then define the name and IP ranges. You can also upload and download the IP ranges.

You can also configure MFA trusted IPs by selecting “…More” in the “Configure locations” panel.

You can check the vulnerabilities and their risk levels in the “Vulnerabilities” panel and fix them based on the risk level your organization accepts.

You can also set up alerts and weekly digests via email.

To set up alerts, go to the “Alerts” section under Settings and configure the alert settings based on user risk level.

To set up a weekly digest, go to the “Weekly digest” section and enable or disable it.

If you would like to pin Azure AD Identity Protection to the dashboard, select “Pin to dashboard”. In the “Pin to dashboard” panel, select “Pin to dashboard” and click Create.

Now you can see Azure AD Identity Protection on the dashboard for easier access.

#AzureAD : Identity Protection Part II


In Part I of this blog post, I explained the concept of Azure AD Identity Protection and how to set it up. In this part, I will cover Azure AD Identity Protection configuration. There are three major sections under Configure: “MFA registration”, “User risk policy” and “Sign-in risk policy”.

Under all of these configuration options, you will find five parameters:

Policy Name: Predefined

Assignments: Users and Conditions (conditions do not apply to MFA registration)

Controls: Access control

Review: Estimated impact

Enforce Policy: On/Off

Let's see how to configure MFA registration.

Under Assignments, select the users. You have three options: (i) all users, (ii) specific users and groups, or (iii) all users with specific users excluded.

Under Controls, define the access control, which for this policy is the MFA registration requirement.

Under Review, look at the estimated impact.

Finally, enforce the policy and click Save.

Next, let's see how to configure the user risk policy.

Under Assignments, first select the users. You have three options: (i) all users, (ii) specific users and groups, or (iii) all users with specific users excluded.

Now define the conditions under which the policy should apply.

Under Controls, define the access control that applies at the selected user risk level.

Under Review, look at the estimated impact.

Finally, enforce the policy and click Save.

Finally, let's see how to configure the sign-in risk policy.

Under Assignments, first select the users. You have three options: (i) all users, (ii) specific users and groups, or (iii) all users with specific users excluded.

Now define the conditions under which the policy should apply.

Under Controls, define the access control that applies at the selected sign-in risk level.

Under Review, look at the estimated impact.

Finally, enforce the policy and click Save.

I have just shown an example of how to configure these settings. You should configure them based on your requirements.
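The following is an added example, not code from the original posts: it models offline what the known IP address range filter from Part III and the risk-level thresholds of the user and sign-in risk policies configured above do to a set of risk events. The event records, the known range, the field names and the policy thresholds (sign-in risk at medium requires MFA, user risk at high requires a password change) are all constructed assumptions for illustration, not the portal's export format.

```python
import ipaddress

RISK_ORDER = {"low": 1, "medium": 2, "high": 3}

# Constructed sample records, loosely modelled on a downloaded risk events report;
# field names are this example's own, not the portal's export columns.
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "type": "unfamiliar sign-in", "level": "medium", "ip": "203.0.113.10"},
    {"user": "alice@contoso.example", "type": "anonymous IP address", "level": "high", "ip": "198.51.100.7"},
    {"user": "bob@contoso.example", "type": "unfamiliar sign-in", "level": "low", "ip": "192.0.2.44"},
    {"user": "carol@contoso.example", "type": "leaked credentials", "level": "high", "ip": "203.0.113.200"},
]

# Known IP address ranges, as you would define them under "Configure locations" (constructed).
KNOWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed policy configuration: the sign-in risk policy fires at medium and above and
# requires MFA; the user risk policy fires at high and requires a password change.
SIGNIN_RISK_POLICY = {"threshold": "medium", "action": "require MFA"}
USER_RISK_POLICY = {"threshold": "high", "action": "require password change"}

def from_known_range(ip):
    """True if the source address falls inside a known (trusted) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)

def visible_events(events):
    """Events the report would still show once known ranges are excluded."""
    return [e for e in events if not from_known_range(e["ip"])]

def highest_risk_per_user(events):
    """Reduce a list of events to the highest risk level seen for each user."""
    worst = {}
    for e in events:
        if RISK_ORDER[e["level"]] > RISK_ORDER.get(worst.get(e["user"]), 0):
            worst[e["user"]] = e["level"]
    return worst

def policy_action(level, policy):
    """Action the policy takes at this risk level, or None below its threshold."""
    return policy["action"] if RISK_ORDER[level] >= RISK_ORDER[policy["threshold"]] else None

def triage(events):
    """Map each still-visible user to (highest level, sign-in policy action, user policy action)."""
    return {
        user: (level, policy_action(level, SIGNIN_RISK_POLICY), policy_action(level, USER_RISK_POLICY))
        for user, level in highest_risk_per_user(visible_events(events)).items()
    }
```

Calling `triage(SAMPLE_EVENTS)` drops bob's event because it came from the known range, so he never appears in the result; keep that in mind when you widen the known ranges, since an event hidden from the report is also hidden from your investigation.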

#AzureAD : Identity Protection Part I


Microsoft Azure Active Directory has become a backbone for many cloud services. Just as identity is key to the technology landscape, protecting it is equally important in the digital world. To enable this, Microsoft Azure AD Premium P2 offers Identity Protection. It detects potential vulnerabilities, and actions can be defined in two ways: either automatically, or taken manually based on suspicious incidents.

In conversation, it sounds very easy when you listen to the explanation from a technical sales representative, but it is not that easy. Microsoft Azure AD uses machine learning and heuristics to detect irregularities and suspicious incidents, which helps to identify potentially compromised identities. It does not protect only privileged accounts but covers all identities. Therefore, a large amount of data can be collected to generate reports and perform analysis that helps to identify anomalies in the system and potential vulnerabilities. Mitigation and remediation actions can be defined for the detected issues using risk-based policies. These policies are an add-on to the conditional access provided by Azure AD and EMS; they can either block the suspicious identities or initiate remediation actions including password reset and MFA enforcement.

Here are the capabilities provided by Identity Protection:

Detecting vulnerabilities and risky accounts
  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
  • Calculating sign-in risk levels
  • Calculating user risk levels

Investigating risk events
  • Sending notifications for risk events
  • Investigating risk events using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based conditional access policies
  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication

Courtesy: Microsoft Azure Documentation

In many organizations, Identity Protection comes under the security or risk management team. Therefore, it is more practical to have role-based access control to manage these kinds of services. Even if the identity management team itself takes care of Identity Protection, defining RBAC still makes sense because it makes administrators accountable and responsible. Azure AD Identity Protection provides three types of role to manage it.

  • Global administrator – Can do: full access to Identity Protection, onboard Identity Protection. Cannot do: no restrictions.
  • Security administrator – Can do: full access to Identity Protection. Cannot do: onboard Identity Protection, reset passwords for a user.
  • Security reader – Can do: read-only access to Identity Protection. Cannot do: onboard Identity Protection, remediate users, configure policies, reset passwords.

Courtesy: Microsoft Azure Documentation

Let's see how to enable it. Before proceeding, make sure you have Azure AD Premium P2 enabled for your tenant.

Log in to https://aad.portal.azure.com and go to More services.

In More services, select Azure AD Identity Protection.

On the Azure AD Identity Protection – Getting started page, select “Onboard”.

In this panel, make sure you have the right directory selected and then click Create.

Once it is enabled, you can see the analysis.

If you want to explore further and review the permanent admin roles, go to Overview and click “Identify users who are assigned to permanent admin role” to configure Privileged Identity Management.

In the “Configure premium extensions” panel, select “Configure PIM”.

You need MFA to configure PIM. If you are enabled for MFA, click “Verify my identity”. It will redirect you to configure MFA.

Once MFA has been configured successfully, you can see the status as below. Now click Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To verify all users who have PIM roles assigned, or to add another user to manage PIM, select Roles under Manage.