First look: Azure AD Identity Protection
Today the preview of Azure AD Identity Protection is available. I just wanted to share my very first experiences on how you add this to your Azure Portal and how the experience using this is at first sight.
Adding Azure AD Identity Protection to your Azure Portal
First you have to log in on https://portal.azure.com with your azure admin account. And go into Azure Marketplace. If you browse to the Securiy and Identity you will not find it yet so we have to search for it.
You click on the + New “button” in the portal and type in Azure AD Identity Protection and do a search, the result should be like this:
Then you click on Azure AD Identity Protection from the result section
On this next slide coming up you just click on Create. This will add AAD Identity Protection you your portal.
Now if you have several directories in your tenant you need to choose which directory you should enable this on. I have only one directory so I am not able to a any choice here besides pin to dashboard at the bottom of this slide.
Now the AAD Identity Protection is enabled on your directory and are showing you current status (default is Last 7 days but you can change the view to last 30 or 90 days if you want)
When you go click on settings it will open a new slide and give you the possible configurations available. The first option is on weather you should sent weekly notification emails to your admins or not. Pretty straight forward and you can exlude admins from the newsletter if you want.
The next option is around Multi-Factor authentication. This helps you control deployment of Multi-Factor in your organization. If you apply this policy you will require users in your organization to register for MFA. You can choose a number of days the users may skip setting up MFA information (ex. Authentication Phone Number) and you can choose for which users you include or exclude from this policy.
Now over to risk policy settings.
Security Policies
User Risk
A user risk level is an indication (High, Medium, or Low) of the likelihood that the user’s identity has been compromised. It is calculated based on the user risk events that are associated with an identity.
The policy allow you to define levels on where you want to enforce MFA on next login or blocking logins. Also here you can define a scope of users and you can review impact if you have current risks in your enviroment.
Sign-In Risk
A sign-in risk security policy is a conditional access policy that evaluates the risk level to a specific sign-in and applies mitigations based on predefined conditions and rules.
You have the same kind of options here on scope and risk levels around when to do what.
More information around setup, user experiences and how to mitigate risk can be found here https://azure.microsoft.com/en-us/documentation/articles/active-directory-identityprotection/ I really recommend you to read this article before you configure polices and setup in your enviroment.
Managing risks
You will find detailed information regarding risks by going into the console and find the user at risk by clicking on the dasboard.
Then you can see what the risk is about and you can click on the 3 dots on the right to mark the alert as resolved, false positive or you can choose to ignore it.
It is recommended that you deploy risk policies so that compromized account can be automaticly mitigated by the policy. If the user is tagged as compromized the user will go into Compromised Account Recovery Flow with forced MFA and forced change of password.
This is just about my first look at Azure AD Identity Protection so again, I recommend you to read the documentation from Microsoft on this who can be found here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-identityprotection
Filed under: Azure MFA, AzureAD, AzureAD Identity, Cloud, Security Tagged: AzureAD, Cloud, Identity, Lumagate, Microsoft, Protection, Security