====== Identity Protection ======

  * Identity Protection provides policies for a few common scenarios.
  * These policies require an AAD P2 license.
  * //Conditional Access policies// could be used in place of Identity Protection policies to achieve similar results. Conditional Access is broader in scope, but includes capabilities that overlap with Identity Protection.
  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies]]
  * These are found under ''Azure AD/Manage/Security/Identity Protection/Protect'' and include:
    * **Azure AD MFA registration policy** - requires users to register for MFA.
    * **Sign-in risk policy** - a risk score is calculated to indicate the likelihood that a sign-in was not performed by the user. Based on this score, administrators can choose to block access, allow access, or allow access but require multi-factor authentication.
    * **User risk policy** - a risk score is calculated to indicate the likelihood that a user account has been compromised. Based on this score, administrators can choose to block access, allow access, or allow access but require a password change.
  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection]]

Identity Protection is a tool that allows organizations to accomplish three key tasks:

  * Automate the detection and remediation of identity-based risks.
  * Investigate risks using data in the portal.
  * Export risk detection data to third-party utilities for further analysis.
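The page notes that Conditional Access can express the same outcomes as the Identity Protection policies (block, allow, or allow with a control). The following is an added example, not code from this wiki page or from Microsoft, showing those outcomes as policy objects together with a sanity check that catches the common mistakes. The dictionary shape (''conditions.signInRiskLevels'' / ''conditions.userRiskLevels'', ''grantControls.operator'' / ''grantControls.builtInControls'', ''state'') is an assumption modelled on the Microsoft Graph ''conditionalAccessPolicy'' resource; nothing here is sent to Azure AD.

```python
"""Constructed example: Identity Protection outcomes as Conditional Access-style
policy objects, plus a sanity check.

Added example code, not from the wiki page or from Microsoft. The field names
are an assumption modelled on the Graph conditionalAccessPolicy resource.
"""

RISK_LEVELS = ("low", "medium", "high")

# Outcomes the page lists for each policy type. Plain "allow" needs no policy.
CONTROL_FOR = {
    ("signin", "block"): ["block"],
    ("signin", "mfa"): ["mfa"],
    ("user", "block"): ["block"],
    # Assumption: a password-change grant is paired with MFA under an AND
    # operator, so the reset itself happens behind a strong factor.
    ("user", "password_change"): ["mfa", "passwordChange"],
}


def levels_at_or_above(minimum):
    """'medium' -> ['medium', 'high']: the risk levels that trigger the policy."""
    if minimum not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {minimum!r}")
    return list(RISK_LEVELS[RISK_LEVELS.index(minimum):])


def risk_policy(name, kind, minimum_level, outcome, enforce=False):
    """Build a policy dict for kind='signin' or 'user'; outcome='allow' returns None."""
    if kind not in ("signin", "user"):
        raise ValueError(f"kind must be 'signin' or 'user', got {kind!r}")
    if outcome == "allow":
        return None
    try:
        controls = CONTROL_FOR[(kind, outcome)]
    except KeyError:
        raise ValueError(f"{outcome!r} is not an outcome the {kind} risk policy supports") from None
    condition_key = "signInRiskLevels" if kind == "signin" else "userRiskLevels"
    return {
        "displayName": name,
        # Start in report-only mode so the effect can be reviewed in the
        # sign-in logs before anyone is actually blocked or challenged.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            condition_key: levels_at_or_above(minimum_level),
        },
        "grantControls": {
            "operator": "AND" if len(controls) > 1 else "OR",
            "builtInControls": controls,
        },
    }


def check_policy(policy):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    conds = policy.get("conditions", {})
    levels = conds.get("signInRiskLevels") or conds.get("userRiskLevels") or []
    if not levels:
        problems.append("no risk level condition: policy would apply to every sign-in")
    for lvl in levels:
        if lvl not in RISK_LEVELS:
            problems.append(f"unknown risk level {lvl!r}")
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if "block" in controls and len(controls) > 1:
        problems.append("'block' cannot be combined with other controls")
    if "passwordChange" in controls and ("mfa" not in controls or grant.get("operator") != "AND"):
        problems.append("'passwordChange' must be paired with 'mfa' using the AND operator")
    return problems


if __name__ == "__main__":
    p = risk_policy("Sign-in risk: MFA at medium and above", "signin", "medium", "mfa")
    print(p, check_policy(p))
    u = risk_policy("User risk: password change at high", "user", "high", "password_change")
    print(u, check_policy(u))
```

Building the object in report-only mode first mirrors how the portal lets you stage a policy: the sign-in logs show what //would// have happened, and ''enforce=True'' is only flipped once the impact on real users has been reviewed.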
  * Requires an AAD P2 license.

AAD has three Identity Protection policies by default:

  * MFA authentication registration policy
  * User risk remediation policy
  * Sign-in risk policy

> The signals generated by and fed to Identity Protection can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization's enforced policies.

> The risk signals can trigger remediation efforts such as requiring users to: perform Azure AD Multi-Factor Authentication, reset their password using self-service password reset, or blocking until an administrator takes action.

  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#permissions|Role permissions]] for Identity Protection
  * Only **Global Administrators** can onboard Identity Protection.

===== User Risk Policy =====

  * User risk is a calculation of the probability that an identity has been compromised.
  * Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset.
  * [[https://docs.microsoft.com/en-us/learn/modules/azure-ad-identity-protection/4-user-risk-policy]]

===== Sign-in Risk Policy =====

  * Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.
  * Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't performed by the user. Administrators can use this risk score to enforce organizational requirements: block access, allow access, or allow access but require multi-factor authentication.
  * Sign-in risk is about a particular sign-in event, whereas user risk is about multiple factors, including anomalous sign-ins.
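The two sections above describe the decision each policy makes (sign-in risk: block / allow / allow with MFA; user risk: block / allow / allow with password change) and the earlier quote mentions feeding detections to a SIEM. The following is an added example, not code from this wiki page or from Microsoft, that applies those decisions to a batch of risk detections and serializes the open ones as JSON lines for a SIEM. The sample records are constructed, and their field names (''riskEventType'', ''riskLevel'', ''riskState'', ''userPrincipalName'', ''ipAddress'', ''activityDateTime'') and type values are an assumption modelled on the Microsoft Graph ''riskDetection'' resource; nothing here calls Azure AD.

```python
"""Constructed example: triaging Identity Protection risk detections and
exporting them for a SIEM.

Added example code, not from the wiki page or from Microsoft. Record shape
and riskEventType values are an assumption modelled on the Graph
riskDetection resource; the sample data is invented.
"""
import json
from collections import defaultdict

LEVEL_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Leaked credentials are detected offline against the account rather than a
# sign-in, so they feed user risk; the others are tied to one sign-in event.
USER_SCOPED_TYPES = {"leakedCredentials"}

# Detections Identity Protection already treats as closed should not trigger
# another remediation.
CLOSED_STATES = {"remediated", "dismissed", "confirmedSafe"}

# Constructed sample detections (not real data).
SAMPLE_DETECTIONS = [
    {"id": "d1", "userPrincipalName": "alice@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk", "ipAddress": "198.51.100.10",
     "activityDateTime": "2022-08-07T10:00:00Z"},
    {"id": "d2", "userPrincipalName": "alice@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "high", "riskState": "atRisk", "ipAddress": "203.0.113.7",
     "activityDateTime": "2022-08-07T10:05:00Z"},
    {"id": "d3", "userPrincipalName": "bob@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk", "ipAddress": None,
     "activityDateTime": "2022-08-06T22:00:00Z"},
    {"id": "d4", "userPrincipalName": "carol@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "low", "riskState": "remediated", "ipAddress": "192.0.2.44",
     "activityDateTime": "2022-08-05T09:30:00Z"},
]


def signin_action(level):
    """Sign-in risk policy outcome for one sign-in: block / require MFA / allow."""
    if LEVEL_ORDER[level] >= LEVEL_ORDER["high"]:
        return "block"
    if LEVEL_ORDER[level] >= LEVEL_ORDER["medium"]:
        return "require_mfa"
    return "allow"


def user_action(level):
    """User risk policy outcome for the account: block / require password change / allow."""
    if LEVEL_ORDER[level] >= LEVEL_ORDER["high"]:
        return "block"
    if LEVEL_ORDER[level] >= LEVEL_ORDER["medium"]:
        return "require_password_change"
    return "allow"


def triage(detections):
    """Group open detections by user and decide the per-event and per-account actions."""
    out = defaultdict(lambda: {"user_risk": "none", "open": 0, "actions": []})
    for d in detections:
        if d["riskState"] in CLOSED_STATES:
            continue
        entry = out[d["userPrincipalName"]]
        entry["open"] += 1
        # User risk aggregates every open detection on the account, so it is
        # at least the highest level seen across them.
        if LEVEL_ORDER[d["riskLevel"]] > LEVEL_ORDER[entry["user_risk"]]:
            entry["user_risk"] = d["riskLevel"]
        if d["riskEventType"] in USER_SCOPED_TYPES:
            entry["actions"].append((d["id"], user_action(d["riskLevel"])))
        else:
            entry["actions"].append((d["id"], signin_action(d["riskLevel"])))
    for entry in out.values():
        entry["user_action"] = user_action(entry["user_risk"])
    return dict(out)


def to_siem_lines(detections):
    """Serialize open detections as JSON lines, one event per line."""
    lines = []
    for d in detections:
        if d["riskState"] in CLOSED_STATES:
            continue
        lines.append(json.dumps({
            "source": "aad_identity_protection",
            "event_id": d["id"],
            "time": d["activityDateTime"],
            "user": d["userPrincipalName"],
            "detection": d["riskEventType"],
            "level": d["riskLevel"],
            "src_ip": d["ipAddress"],
            "scope": "user" if d["riskEventType"] in USER_SCOPED_TYPES else "signin",
        }, sort_keys=True))
    return lines


if __name__ == "__main__":
    for upn, entry in triage(SAMPLE_DETECTIONS).items():
        print(upn, entry)
    print("\n".join(to_siem_lines(SAMPLE_DETECTIONS)))
```

The per-user aggregation is what separates the two policies in practice: alice's medium-risk sign-in on its own only earns an MFA prompt, but together with the later high-risk travel detection her account-level risk is high, so the user risk policy blocks until the password is reset.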
  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk]]

===== Azure MFA Registration Policy =====

  * As a best practice it is recommended to require MFA; this policy requires users to register for it.
  * MFA **Enabled** = The admin has enabled MFA on the account, but the user hasn't set it up.
  * MFA **Enforced** = The user has completed the setup of their MFA.
  * [[https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states]]

===== Risk Events =====

AAD detects the following types of risks. The P2 license gives the most detailed information, while the P1 license doesn't include all the details.

  * Users with leaked credentials
  * Sign-ins from anonymous IP addresses
  * Impossible travel to atypical locations
  * Sign-ins from infected devices
  * Sign-ins from unfamiliar locations
  * Sign-ins from IP addresses with suspicious activity

azure/az-500/alt/identity_protection.txt · Last modified: 2022/08/07 21:54 by mmuze