January 21, 2022

Azure AD Identity Protection: Eliminating Identity Risk

Mike Puterbaugh

What is Azure AD Identity Protection?

Identity Protection can automatically detect and remediate identity-based risks. It is a tool provided as a feature of Azure Active Directory (AD) available with the paid Premium edition, license P2.

Microsoft supplies this tool with learnings acquired from Azure AD and Microsoft Accounts. Microsoft analyses over 6 trillion signals every day to identify and protect against threats. These signals are fed into Identity Protection to help it identify anomalous access.

Identity Protection also helps you visualize data to better investigate risks. You can view risk detection data through the portal or export it for further analysis by security information and event management (SIEM) solutions.


In this article:

  • Identity Protection Policies
    • Azure AD MFA Registration Policy
    • Sign-in Risk Policy
    • User Risk Policy
  • Exporting Risk Data
  • Azure Identity Management Best Practices
    • Centralize Your Identity Management
    • Enable Single Sign-On (SSO)
    • Deploy Password Management
    • Enforce Multi-Factor Authentication (MFA)
    • Use Role-Based Access Control (RBAC)
  • Azure AD Identity Protection with Pathlock

Identity Protection Policies

Azure AD Identity Protection has three default policies. Administrators can enable these policies, which include limited customization but are widely applicable. Each policy provides you with the ability to exclude users such as your break-glass or emergency access administrator accounts.

Image Source: Microsoft

Here are the three default policies:

Azure AD MFA Registration Policy

Azure AD Identity Protection helps organizations roll out Azure AD multi-factor authentication (MFA) through a conditional access policy that requires users to register for MFA when they sign in. This policy ensures new users register for MFA as soon as they start work.

Multi-factor authentication is also a self-remediation method for risk events within Identity Protection. Because users can clear a risk by themselves, fewer helpdesk calls are made, which reduces the strain on cybersecurity staff.

Sign-In Risk Policy

The Identity Protection tool studies signals from every sign-in, both offline and in real-time, and calculates a risk score indicating how likely it is that the sign-in did not originate from a legitimate user.

Depending on the risk score, administrators can enforce organizational requirements. Administrators can permit access, block access, or permit access with multi-factor authentication.

Users can carry out multi-factor authentication to self-remediate if the administrator identifies a risk. This approach closes the risky sign-in event and prevents unnecessary noise for administrators.

Custom conditional access policy

Administrators may establish a custom conditional access policy, for example, with the level of sign-in risk as a condition.

Image Source: Microsoft

User Risk Policy

Identity Protection learns what is normal for a user’s behavior and uses that baseline when assessing their risk. User risk is the aggregate probability that a cybercriminal has compromised the identity.

Administrators can use this risk score signal when enforcing organizational procedures. They can block access, permit access, or permit access but demand a password change via Azure AD self-service password reset.

Users can carry out self-service password reset to self-remediate if the Identity Protection tool detects risk. This process closes the user risk event and stops unnecessary noise reaching the administrators.
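The sign-in risk and user risk policies described above can also be expressed as conditional access policies through Microsoft Graph. The following is an added example, not code from the article or from Microsoft: it builds the request body for `POST /identity/conditionalAccess/policies` for both policy types, excludes emergency-access accounts (placeholder object IDs), and checks the constraints Graph enforces before anything is submitted.

```python
RISK_LEVELS = {"low", "medium", "high"}
# Placeholder object IDs for break-glass accounts that must never be locked out.
BREAK_GLASS = ["00000000-0000-0000-0000-000000000001"]


def risk_policy(kind, levels, break_glass=BREAK_GLASS, enforce=False):
    """Return a Graph conditionalAccessPolicy body for a sign-in or user risk policy."""
    if kind not in ("signIn", "user"):
        raise ValueError("kind must be 'signIn' or 'user'")
    if not set(levels) <= RISK_LEVELS:
        raise ValueError(f"unknown risk level in {levels}")
    if kind == "signIn":
        # Risky sign-in: let the user self-remediate with MFA.
        grant = {"operator": "OR", "builtInControls": ["mfa"]}
        condition = {"signInRiskLevels": sorted(levels)}
    else:
        # Risky user: force a password change; Graph requires it ANDed with mfa.
        grant = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
        condition = {"userRiskLevels": sorted(levels)}
    return {
        "displayName": f"Identity Protection {kind} risk policy",
        # Start in report-only mode so the impact can be reviewed before enforcing.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass)},
            "applications": {"includeApplications": ["All"]},
            **condition,
        },
        "grantControls": grant,
    }


def policy_problems(policy):
    """List deployment problems: missing break-glass exclusion, bad control combos."""
    problems = []
    if not policy["conditions"]["users"].get("excludeUsers"):
        problems.append("no emergency-access accounts excluded")
    grant = policy["grantControls"]
    if "passwordChange" in grant["builtInControls"] and not (
            "mfa" in grant["builtInControls"] and grant["operator"] == "AND"):
        problems.append("passwordChange must be combined with mfa using AND")
    return problems
```

Send the returned body with an app or user token holding `Policy.ReadWrite.ConditionalAccess`; the example deliberately stops short of the HTTP call.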

Exporting Risk Data

In Azure AD Identity Protection, risk detections include any discovered suspicious activity linked to user accounts within the directory. Identity Protection has three tiers of risk: low, medium, and high.

Using data from Identity Protection tools

Export data from Identity Protection tools for archiving and further correlation and investigation. Microsoft’s Graph-based APIs permit organizations to gather this data for processing using a tool such as a SIEM.

There are additional ways you can leverage Azure AD Identity Protection data:

  • Archive data to a storage account.
  • Alter diagnostic settings in Azure AD to send UserRiskEvents and RiskyUsers data to a Log Analytics workspace.
  • Stream data to an Event Hub.
  • Send data to a partner solution.
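As an added example (not code from the article or from Microsoft), the block below pulls risk detections from the Graph endpoint `/identityProtection/riskDetections`, follows `@odata.nextLink` paging, and flattens each detection into the fields a SIEM rule would key on. `fake_fetch` and the two sample pages are constructed stand-ins for an authenticated HTTP client, so the logic runs offline.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
FIRST = f"{GRAPH}/identityProtection/riskDetections?$filter=riskLevel eq 'high'"
NEXT = f"{GRAPH}/identityProtection/riskDetections?$skiptoken=page2"


def _det(i, upn, etype, state, when, ip=None):
    """Constructed riskDetection object using Graph's real field names."""
    return {"id": i, "userPrincipalName": upn, "riskEventType": etype, "riskLevel": "high",
            "riskState": state, "detectedDateTime": when, "ipAddress": ip}


# Constructed sample: two pages, the first carrying an @odata.nextLink to the second.
SAMPLE_PAGES = {
    FIRST: {"value": [_det("d1", "alice@example.com", "anonymizedIPAddress", "atRisk",
                           "2022-01-20T08:01:00Z", "203.0.113.7")],
            "@odata.nextLink": NEXT},
    NEXT: {"value": [_det("d2", "alice@example.com", "unfamiliarFeatures", "remediated",
                          "2022-01-20T08:05:00Z", "203.0.113.7"),
                     _det("d3", "bob@example.com", "leakedCredentials", "atRisk",
                          "2022-01-21T01:00:00Z")]},
}


def fake_fetch(url):
    """Stand-in for an authenticated GET against Graph; serves the constructed pages."""
    return SAMPLE_PAGES[url]


def iter_detections(fetch_json, url=FIRST):
    """Yield every detection, following @odata.nextLink until Graph stops paging."""
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def to_siem_record(d):
    """Flatten one riskDetection into the fields a SIEM correlation rule keys on."""
    return {"timestamp": d["detectedDateTime"], "user": d["userPrincipalName"],
            "event_type": d["riskEventType"], "level": d["riskLevel"],
            "open": d["riskState"] == "atRisk",  # False once remediated or dismissed
            "src_ip": d.get("ipAddress") or "-", "detection_id": d["id"]}


def open_risk_by_user(fetch_json=fake_fetch):
    """Map user -> still-open detection types: the queue an analyst actually triages."""
    queue = {}
    for rec in map(to_siem_record, iter_detections(fetch_json)):
        if rec["open"]:
            queue.setdefault(rec["user"], []).append(rec["event_type"])
    return queue
```

In production, replace `fake_fetch` with a function that performs the GET with a bearer token holding `IdentityRiskEvent.Read.All` and returns the parsed JSON.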

Azure Identity Management Best Practices

Follow these best practices to make more effective use of Azure AD Identity Protection and reduce identity risk.

Centralize Your Identity Management

It is a good idea to ensure the organization has a consistent way to manage identities for both on-premises and cloud resources. This makes hybrid deployments easier to support. There are two ways to achieve central identity management:

  • Synchronize the on-premises directory service with the cloud directory using Azure AD Connect
  • Federate the on-premises identity with the cloud directory using Active Directory Federation Services (AD FS)

Synchronizing on-prem and cloud identity management can reduce administrative overhead and minimize manual directory synchronization. This will, in turn, prevent human error and improve security.

Enable Single Sign-On (SSO)

SSO provides convenience for users by allowing them to sign in to any enterprise service with one set of credentials. Azure AD provides SSO capability that lets you control access to SaaS applications (whether provided by Microsoft or other vendors) based on the user’s Azure AD account. This requires configuring the application to use Azure AD as its identity provider via the SAML protocol.

SSO can have an important contribution to security. When users have only one set of credentials, you can more easily enforce strong passwords and multi-factor authentication (MFA) and avoid the tendency to reuse passwords across services.

Deploy Password Management

Password management is important to enforce secure password policies and prevent password abuse. Azure AD provides self-service password reset with custom security options. Because password reset is a critical activity that can impact user productivity, Azure also provides a Password Reset Registration Activity report, which can help you monitor how users are interacting with password management. By analyzing this report, you can mitigate problems and fine-tune your settings.

If you are managing multiple tenants, it is important to implement password management within the security boundary defined in your security policy. Specifically, each tenant’s users should be able to reset a password without leaving the isolated environment of that tenant.

Enforce Multi-Factor Authentication (MFA)

MFA is increasingly important to prevent credential theft attacks and is now mandated by multiple security standards, such as PCI DSS 3.2. Azure MFA provides managed, secure authentication for both sign-in and specific transactions.

Azure MFA can support multiple authentication factors such as passwords, text messages, and phone calls. If an attacker gets hold of the user’s credentials, they will be blocked from performing sensitive operations in the system because they will likely not have access to the additional authentication factors (such as the user’s phone).

For on-premises deployments, Azure provides the MFA Server, which you can deploy within your local data center. This lets you enable managed MFA without requiring users to connect to Azure-based resources.

Use Role-Based Access Control (RBAC)

RBAC lets you control the authorization of users for Azure resources and applications. You can define roles that assign permissions to specific users or user groups. You can set the scope of a role to enable access to an entire Azure subscription, an Azure resource group, or a specific Azure resource.

Azure provides built-in roles you can use to control access to different cloud resources. Examples of these roles include Storage Account Contributor (which only grants access to cloud storage) and Virtual Machine Contributor (which grants access to virtual machines and the associated storage accounts).

Azure AD Identity Protection with Pathlock

Pathlock is the leader in Access Orchestration for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with a tight integration between the solutions.

Customers rely on Pathlock to streamline critical processes like fine grained provisioning, separation of duties, and detailed user access reviews. With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the best of both worlds, including:

  • Coverage for 140+ applications and counting, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more
  • Compliant provisioning at a transaction code or function level into both cloud and on-premise applications
  • Separation of Duties (SOD) rules, defined both within an application and across applications, enforced to prevent access risks and stay compliant
  • User Access Reviews (UARs) enriched with fine-grained entitlement details and usage data about transactions performed with specific access combinations

Interested to learn more about the winning combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!
