What is Identity Protection?
Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure Active Directory, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses trillions of signals per day to identify and protect customers from threats. Identity Protection allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to other tools.
The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation.
Why is automation important?
In the blog post Cyber Signals: Defending against cyber threats with the latest research, insights, and trends dated February 3, 2022 we shared a threat intelligence brief including the following statistics:
- Analyzed ...24 trillion security signals combined with intelligence we track by monitoring more than 40 nation-state groups and over 140 threat groups...
- ...From January 2021 through December 2021, we’ve blocked more than 25.6 billion Azure AD brute force authentication attacks...
The sheer scale of signals and attacks requires some level of automation to be able to keep up.
Identity Protection detects risks of many types, including:
- Anonymous IP address use
- Atypical travel
- Malware linked IP address
- Unfamiliar sign-in properties
- Leaked credentials
- Password spray
- and more...
The risk signals can trigger remediation efforts such as requiring: perform multifactor authentication, reset their password using self-service password reset, or block access until an administrator takes action.
More detail on these and other risks including how or when they're calculated can be found in the article, What is risk.
Administrators can review detections and take manual action on them if needed. There are three key reports that administrators use for investigations in Identity Protection:
- Risky users
- Risky sign-ins
- Risk detections
More information can be found in the article, How To: Investigate risk.
Identity Protection categorizes risk into tiers: low, medium, and high.
Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.
Make further use of risk information
Data from Identity Protection can be exported to other tools for archive and further investigation and correlation. The Microsoft Graph based APIs allow organizations to collect this data for further processing in a tool such as their SIEM. Information about how to access the Identity Protection API can be found in the article, Get started with Azure Active Directory Identity Protection and Microsoft Graph
Information about integrating Identity Protection information with Microsoft Sentinel can be found in the article, Connect data from Azure AD Identity Protection.
Organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD. They can choose to send data to a Log Analytics workspace, archive data to a storage account, stream data to Event Hubs, or send data to a partner solution. Detailed information about how to do so can be found in the article, How To: Export risk data.
Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access.
|Role||Can do||Can't do|
|Global Administrator||Full access to Identity Protection|
|Security Administrator||Full access to Identity Protection||Reset password for a user|
|Security Operator||View all Identity Protection reports and Overview
Dismiss user risk, confirm safe sign-in, confirm compromise
|Configure or change policies
Reset password for a user
|Security Reader||View all Identity Protection reports and Overview||Configure or change policies
Reset password for a user
Give feedback on detections
|Global Reader||Read-only access to Identity Protection|
Currently, the Security Operator role can't access the Risky sign-ins report.
Conditional Access administrators can create policies that factor in user or sign-in risk as a condition. Find more information in the article Conditional Access: Conditions.
Using this feature requires Azure AD Premium P2 licenses. To find the right license for your requirements, see Compare generally available features of Azure AD.
|Capability||Details||Azure AD Free / Microsoft 365 Apps||Azure AD Premium P1||Azure AD Premium P2|
|Risk policies||Sign-in and user risk policies (via Identity Protection or Conditional Access)||No||No||Yes|
|Security reports||Risky users||Limited Information. Only users with medium and high risk are shown. No details drawer or risk history.||Limited Information. Only users with medium and high risk are shown. No details drawer or risk history.||Full access|
|Security reports||Risky sign-ins||Limited Information. No risk detail or risk level is shown.||Limited Information. No risk detail or risk level is shown.||Full access|
|Security reports||Risk detections||No||Limited Information. No details drawer.||Full access|
|Notifications||Users at risk detected alerts||No||No||Yes|
|MFA registration policy||No||No||Yes|
More information on these rich reports can be found in the article, How To: Investigate risk.