Azure AD Identity protection: Help Guard Your Identity

By Ashwin Venugopal -

 




Azure AD Identity Protection

Identity Protection allows organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis. Risk detection in Azure AD Identity Protection include identifying any suspicious actions in the directory. The signals generated can also be fed into tools like Conditional Access to make access decisions, or back to the Security Information and Event Management (SIEM) tool for further investigation on the basis of your organization's enforced policies.

Identity Protection provides easy access of powerful resources to your organization so that they can instantly respond to suspicious activities.

Identity Protection Policies

Azure Active Directory Identity Protection includes three default policies that can be chosen to enable, they are:

Azure MFA registration policy-

By enabling this policy you can ensure the MFA registration of new users in your organization on their first day. Multi-factor authentication is one of the self-remediation methods for risk events that allows users to act on their own to reduce helpdesk call volume.

Sign-in risk policy

Identity Protection is capable of analyzing signals from each sign-in on both real-time as well as offline, and calculates the risk score based on the probability that the sign-in is not performed by the user. Administrators are free to choose whether they want to block access or allow access which also require multi-factor authentication. On the occasion of risk detection user can apply multi-factor authentication to self-remediate and shut down the risky sign-in event preventing unnecessary noise for administrators.

Custom Conditional Access policy

Users can choose to create a custom Conditional Access policy including sign-in risk as an assignment condition.

Risk Events

Discovering compromised identities can be very challenging but Azure Active Directory can easily detect suspicious actions related to your users accounts with the help of its adaptive machine learning algorithms and heuristics. Each detected suspicious action is stored in a record called a risk detection and there are two places where you can review the reported risk detection:

  1. Azure AD reporting- Risk detection is an integral part of Azure AD's security reports.
  2. Azure AD Identity Protection- Risk detection is also a part of the reporting capabilities of Azure AD identity Protection.   

Azure Active Directory can detect following six types of risk detection:
  • Users with leaked credentials- Whenever a legitimate user's valid password is compromised by cyber-criminals, they often share those credentials.
  • Sign-ins from anonymous IP addresses- This one can identify users who have successfully signed in from an anonymous proxy IP address.
  • Impossible travel to atypical locations-  This type of risk detection can easily identify two sign ins originating from geographically remote locations, where at least one of them does not match with the user's past behavior.
  • Sign-ins from infected devices- Sign ins from devices infected with malware can be identified in this type of risk detection.
  • Sign-in from an unfamiliar location- This detection type considers past sign-in locations (IP, latitude/longitude, ASN) to determine new/unfamiliar locations.
  • Sign-ins from IP addresses with suspicious activity- It can easily identify the particular IP address from which a high number of failed sign-in attempts were made over a short period of time.
All-in-all Azure Active Directory's risk detection services are more than enough to provide the best protection from cyber attacks flawlessly. But you can always opt for manually addressing the threats or implement automated responses by configuring Conditional Access policies.

User Risk Policy

Identity protection calculates what it believes is normal for a user's behavior and use that to base decisions for their risk. User Risk policy applies to user sign-ins, automatic response based on a specific user's risk level, providing the condition (risk level) as well as action (block or allow), use of high threshold during policy roll out, and low threshold for greater security.

Sign-in Risk Policy

Sign-in risk can be evaluated as part of a Conditional Access policy and it supports the following conditions:

location

Organizations can very conveniently choose to include or exclude locations like the public IPv4 network information, country or region, or even the unknown areas that don't belong to a specific country or region. Administrators can choose to exclude all trusted or selected locations while selecting any location.

Client apps

Administrators can choose to include Exchange ActiveSync clients and other clients that can utilize legacy protocols. Browser includes web-based applications that use protocols like SAML, WS-Federation, OpenID Connect, or services registered as an OAuth confidential client. Mobile apps and desktop clients are commonly used in the requirement, blocking legacy authentication and web-application while allowing mobile or desktop app.

Azure AD Conditional Access

The  traditional method of  security behind a corporate firewall doesn't work anymore. The tool named Conditional Access is used by Azure Active Directory to bring signals together to make decisions. and enforce organizational policies. It is the heart of the new identity driven control plane.

Conditional Access conditions

Conditional access comes with six conditions that is user/group, cloud application, device state, location (IP range), client application, and sign-in risk. The combinations of these conditions can be used to get the exact conditional access policy needed and with the access control in-hand, you can either block access altogether, or Grant access by selecting the desired controls. You can have several options like:

  • Require MFA from Azure AD or an on-premises MFA (combined with AD FS)
  • Grant access to only trusted devices
  • Require a domain-joined device
  • Require mobile devices to use intune app protection policies        

The users and groups condition is mandatory in a Conditional Access policy. In your policy, you can either select All users or select specific users and groups.

Azure AD Access Reviews

Azure Active Directory Access reviews ensures that organizations can efficiently manage group memberships, access enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continuous access.

Why are access reviews important?

Due to the ever-growing challenges in cyber security services and convenience of leveraging the power of self-service has led to  need for better access management capabilities. Following points needed to be checked all the time:

  • As new employees join, how can you ensure that they have the right access to be productive?
  • As people move teams or leave the company, how do you ensure that their old access is removed, especially when it involves guests?
  • Excessive access rights may lead to audit findings and compromises as they indicate a lack of control over access.
  • You must proactively engage with resource owners to ensure they regularly review who has access to their resources. 

Use access reviews in the following cases

  • Too many users in privileged roles- Things like how many users have administrative access, how many of them are Global Administrators, and if there are any invited guests or partners that have not been removed after being assigned to do an administrative task needed to be checked on timely basis.

  • When automation in infeasible- Rules can be created for dynamic membership on security groups or Microsoft 365 Groups, but if the HR data is not in Azure AD or if users still need access after leaving the group to train their replacement, then you can create a review on that group to ensure those who still need access should have continuous access.

  • When a group is used for a new purpose- If your group is going to be synced with Azure AD or if you plan to enable a sales management application for everyone in the sales team group, it would be helpful to ask the group owner to review the group membership prior to the group being used in a different risk content.

  • Business critical data access- It might be required for certain resources to ask the people outside of IT to regularly sign-out and give a justification on why they need access for auditing purposes.

  • To maintain a policy's exception list- Ideally all user should follow the access policies to secure access to your organization's resources; but sometimes there are business cases in which exceptions are required. As the IT admin you can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly.

  • Ask group owners to confirm they still need guests in their group- Employee access might be automated with some on premises IAM, but not invited guests. If a group gives access to guests to business sensitive content, then it's the group owner's responsibility to confirm that the guests still have a legitimate business need for access.

  • Have reviews recur periodically- Recurring access reviews of users can be set up at set frequencies such as weekly, monthly, quarterly, or annually, and the reviewers will be notified at start of each review. Approval or denial of the access by the reviewers with the help of smart recommendations can be done with a friendly interface.     

Azure AD premium P2 licenses are not required for users with the Global Administrator or user Administrator roles that set up access reviews, configure settings, or apply the decisions from the reviews.









 

Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more