Last Updated on July 16, 2017 by Dishan M. Francis

Symantec released their latest Internet Security Threat Report in early June. This report includes data about infrastructure threats for year 2016. It says, for year 2016, near 1.1 billion identities has been exposed. Also for last 8 years total identity breach is around 7.1 billion which is almost equal to total world population.

aip1

In Identity infrastructure breach, most of the time advisories get in to the system using a legitimate user name and password belong to an identity in that infrastructure. This initial breach can be result of malware, phishing or pass-the-hash attack. If it’s a “privileged” account, it makes easier for advisories to gain control over identity infrastructure. But it’s not always a must. All they need is some sort of a breach. Latest reports show after an initial breach it only takes less than 48 hours to gain full control over identity infrastructure.

When we look in to it from identity infrastructure end, if someone provides a legitimate user name and password it allows access to the system. This can be from the user or an advisory. But by default, system will not know that. In local AD infrastructure, solutions like Microsoft Advanced Threat Analytics, Microsoft Identity Management helps to identify and prevent inauthentic use of identities. Azure Active Directory Identity Protection is a feature comes with Azure AD Premium, which can use to protect your workloads from inauthentic use of cloud identities.  It mainly has following benefits. 

Detect vulnerabilities which affect the cloud identities using adaptive machine learning algorithms and heuristics.

Issue alerts and reports to detect/identify potential identity threats and allow administrators to take actions accordingly. 

Based on policies, force automated actions such as Block Access, MFA authentication or Password reset when it detects a suspicious login attempt. 

According to Microsoft https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection Azure AD Identity protection has following capabilities.

Detecting vulnerabilities and risky accounts:

Providing custom recommendations to improve overall security posture by highlighting vulnerabilities

Calculating sign-in risk levels

Calculating user risk levels

Investigating risk events:

Sending notifications for risk events

Investigating risk events using relevant and contextual information

Providing basic workflows to track investigations

Providing easy access to remediation actions such as password reset

Risk-based conditional access policies:

Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges.

Policy to block or secure risky user accounts

Policy to require users to register for multi-factor authentication

Azure Active Directory Identity Protection detect and report following as vulnerabilities,

User logins without Multi-Factor Authentication

Use of unmanaged cloud apps – These are the applications which is not managed using Azure Active Directory. 

Risk events detect by Azure Privileged Identity Management – This is another additional service which can use to manage and monitor privileged accounts associated with Azure Active Directory, Office 365, EMS etc.

More info about these events can find on here 

Azure Active Directory Identity Protection also reports about Risk events. These are Azure Active Directory based events. These also use to create policies in Azure Active Directory Identity Protection. It detects six types of risk events. 
 
Users with leaked credentials
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-ins from unfamiliar locations
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activity
 
More information about Azure risk events can find here 
 
Let’s see how we start using Azure Active Directory Identity Protection. Before we start we need to have following, 
 
1) Azure Active Directory Premium P2 Subscription
2) Global Administrator account  
 
Once you have above, log in to Azure as Global Administrator.
 
1) Go to New | then type Azure AD Identity Protection 
 
aip2
 
2) On Azure AD Identity Protection page click on Create
 
aip3
 
3) Then it loads up a new page with Azure Directory details and feature details. Click on Create again to proceed. 
 
aip4
 
4) Once it is done, go on and search for Azure AD Identity Protection under more services. Then it will show the dashboard for the feature. 
 
aip5
 
5) In my demo environment, it is immediately detect that I have 257 user accounts without MFA. 
 
aip6
 
6) The beauty of this is, once it detects a problem it guides you to address the issue. If I double click on the MFA alert, I gets the Multi-factor authentication registration policy settings page, where I can enforce users to use MFA. 
 
aip7
 
Under the user assignment, I can force it for all users or group of users. 
 
aip8
 
Under the controls, by default it selected the Require Azure MFA registration option. 
 
aip9
 
Under the Review option we can evaluate the impact. 
 
aip10
 
Once configuration is done, we can enforce the policy using Enforce Policy option. 
 
aip11
 
7) Using Sign-in risk policy, we can define actions system need to take in an event it detects sing-in risk from user. In order to define policy settings, click on Sign-in risk policy in Azure AD Identity Protection Dashboard
 
aip12
 
8) Then it loads up the policy configuration page. 
 
aip13
 
Under the Assignments we can decide which users this policy applies to. It can be either All users or group of users. we also can exclude users from the selection. 
 
aip14
 
Under the Conditions, we can select the level of sing-in risk events need to consider in the policy. there are three options to select with which is low and above, medium and above or High.
 
aip15
 
Under the Access option we can define what system should do once it detect risk events. It can either block access completely or allow access with additional security conditions such as Require multi-factor authentication.
 
aip16
 
Using Review option we can see what kind of impact policy will make ( if there are any existing risk events). 
 
Once all these done, use Enforce Policy option to enforce it. 
 
aip17
 
9) In similar way using User risk policy we can define policy settings to handle risky users. 
 
10) We also can configure Azure AD Identity Protection to send alerts when it detects an event. To do that go to Alerts option in Azure AD Identity Protection Dashboard
 
aip18
 
In configuration page, we can define the lowest alert level that need to consider. So, any event equal to that level or above will send out as alert to the selected recipients. 
 
aip19
 
11) Azure AD Identity Protection also can send automated weekly email report with events it detected. In order to configure it go to Weekly Digest option in Azure AD Identity Protection Dashboard
 
aip20
 
In configuration page, we can select which recipients it should goes to. 
 
aip21
 
In this article, I explained what is Azure AD Identity Protection and how we can use it to protect cloud identities. Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com