How to set up Microsoft Azure AD Identity Protection to spot risky users

Whichever license of Azure Active Directory you own, you have options to set up alerts and automate actions to risky user behavior.

Targeting user behavior.
SARINYAPINNGAM / Danler / Getty Images

Do your users perform actions that put your organization at risk? If you have an Azure Active Directory (AD) Premium 2 (P2) license, you can set up risk alert rules that tell you when their actions are putting your firm at risk. You can also instruct it to take additional actions based on the activities seen by Azure AD Identity Protection at the sign-in process.  

If you have a Premium 1 (P1) license, you will receive a “Sign-in with additional risk detected” notice. The risk level and risk detail fields are hidden, but this might be enough to alert you to actions that put your firm at risk. There are different features included in Azure AD P1 versus Azure AD P2, and how each reports on risky user activities is just one of them.

Azure monitors how a user logs in and takes action if it sees unusual activity based on policies you set up. This setting is similar to the Microsoft 365 user login monitoring but focuses on the user login for Azure AD. You can purchase a single P2 license to add this level of protection for your global administrator accounts and leave the rest of your users with a P1 license or even at the basic Azure AD level. You may find conflicting information on the web, but you can mix and match Azure licenses to put together the best protection for your accounts. This is just one of many best practices that you can do for Azure AD as noted on this best practices checklist.

The risk event types Azure AD detects include:

  • Users with leaked credentials: This is done by comparing the credentials, monitoring public and dark web websites, and working with researchers, law enforcement, and security teams at Microsoft and other trusted sources.
  • Sign-ins from anonymous IP addresses: The service checks sign-ins in real time from an anonymous IP address (for example, Tor browser, anonymizer VPNs). These IP addresses are typically used by attackers who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent.
  • Impossible travel to atypical locations: This is done with a service that identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. The service actually calculates the time it takes to travel between the two locations and how it would be impossible to be in those two locations.

    The service ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. It takes two weeks for the system to learn the user’s behavior.
  • Sign-ins from unfamiliar locations and from IP addresses with suspicious activity: This is done in real time and is best when used with modern authentication and where basic authentication is disabled.
  • Sign-ins from infected devices: These are monitored and blocked.

Setting up Azure AD Identity Protection

To get started with Azure AD Identity Protection, you’ll need to add Azure AD Identity Protection through the Azure Marketplace under Security + Identity.

bradley azure ad 1 Susan Bradley

Look in the Azure AD Identity marketplace

Then log into the dashboard and review if you have users already at risk. In my sample account, it’s already flagged my user account as not having multi-factor authentication (MFA).

bradley azure ad 2 Susan Bradley

Azure AD Identity Protection page

Go to the Azure AD Identity Protection page and set up the sign-in risk policy. To set up the policy, click on “Azure AD Identity Protection – Sign-in risk policy”. Set the policy to either all users or selected users. Choose sign-in risk as high and click “Done”. Now it’s time to assign a control. Choose “Select a control” such as blocking the user or demanding that the user change their password. Save the policy.

You might think that choosing low risk will give you the best experience when setting up a new policy. However, it’s exactly opposite. The “high” value refers to how likely the event indicates a compromised identity and not the high risk of activities. It’s about high confidence that a high severity risk event indicates that any user accounts impacted should be remediated immediately.

If you choose low risk, it means more chance of a false positive. That is a low confidence and low severity risk event. This event may not require an immediate action, but when combined with other risk events, might provide a strong indication that the identity is compromised.

Azure AD risk reporting levels vary

Depending on the license of Azure AD you have, you may have different reporting levels. For example, if you have the Azure AD Free and Basic editions, you get a list of users flagged for risk. If you have Azure AD P1 edition you can dig deeper into the underlying risk events that have been flagged in the risk report. Finally if you have the Azure AD P2 version, you get the most detailed level of information. You can even set up security policies that respond to the triggered risks events flagged. You can mix and match different licenses and assign a P2 license just for your more risky users such as global admins.

Microsoft is in the process of expanding the risky user report with a more expanded version at the updated risky user report. While you review the risk report, take the time to review the identity secure score report.

Don’t forget to sign up for the IDG Tech Talk channel where you can see more videos of my Windows security tips.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!