Configuring Azure AD to notify for leaked credentials?

EnterpriseArchitect 4,721 Reputation points
2021-10-05T10:28:57.147+00:00

Hi All,

According to: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
I need to enable PHS, to be able to leverage leaked credentials notification.

How can I get the notification by email to specific address like SOC@keyman .net ?

I am using Hybrid Azure AD and OnPremise AD DS sync (Azure AD Connect) with the PHS feature enabled.
I also have ADFS 4.0 OnPremise (Windows Server 2016).

Thanks in advance.

  1. Andy David - MVP 141.5K Reputation points MVP
    2021-10-05T11:29:42.507+00:00

    Do you have the correct licensing?
    The way to handle this is with Identity Protection and Conditional Access policies that force a password change or block in the event an account has leaked creds:

    https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

    1 person found this answer helpful.

  2. Clément BETACORNE 2,031 Reputation points
    2021-10-05T15:56:47.207+00:00

    Hello,

    You can configure the "users at risk detected alerts" inside Identity Protection as below and as described in this article:
    [image: 137844-image.png]

    https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications

    The other option can be to use log ingestion from Azure AD into Log Analytics and do some KQL to create an alert when a leaked credential risk is raised.

    1 person found this answer helpful.
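The Log Analytics route mentioned in the answer above, as an added example that is not part of the thread: a KQL query that can back a scheduled alert rule for leaked-credential detections. It assumes the `UserRiskEvents` diagnostic log category of Identity Protection is being exported to the workspace (populating the `AADUserRiskEvents` table), and the column names follow that table's published schema; verify them against your own workspace before saving the rule.

```kql
// Added example (not from the thread). Assumes Identity Protection
// "UserRiskEvents" diagnostic logs are streamed to this Log Analytics workspace.
AADUserRiskEvents
// Keep the lookback equal to the alert rule's evaluation frequency so each
// detection is reported once rather than on every run.
| where TimeGenerated > ago(1h)
// Only the detection type the thread is about.
| where RiskEventType == "leakedCredentials"
// Skip detections that an admin already remediated or dismissed.
| where RiskState in ("atRisk", "confirmedCompromised")
// One row per affected account, so the alert e-mail lists users, not events.
| summarize
    Detections = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
  by UserPrincipalName, UserDisplayName, RiskLevel
| order by LastSeen desc
```

Save this as the query of a scheduled query (log search) alert rule, set its period and frequency to match the `ago(1h)` window, and attach an action group whose e-mail action points at the SOC mailbox; the rule then sends the summarized rows whenever the result count is greater than zero. This complements rather than replaces the "users at risk detected" notification, since the alert rule lets you pick any recipient address and add your own filtering.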

  3. Andy David - MVP 141.5K Reputation points MVP
    2021-10-06T11:42:25.19+00:00

    Right, you don't notify the user, you force them to change their password using Conditional Access.

    The notification typically goes to an admin or group that may find it useful :)

    See the picture and location that ClmentBETACORNE-2996 posted earlier.

    1 person found this answer helpful.

  4. EnterpriseArchitect 4,721 Reputation points
    2021-10-06T09:46:10.113+00:00

    @Andy David - MVP & @ClmentBETACORNE-2996 I've got the setup like below:

    How do I set this up to notify the user with the leaked credentials and CC: Security@keyman .com?

    Is enabling the below two options:
    Enforce policy: On
    [image: 138030-image.png] [image: 138154-image.png]

    and then:

    [image: 138123-image.png]

    sufficient to allow the impacted user to reset their own password via SSPR,
    assuming password writeback is also enabled?
