Azure AD Identity protection: Help Guard Your Identity

 




Azure AD Identity Protection

Identity Protection allows organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis. Risk detection in Azure AD Identity Protection covers identifying suspicious actions related to accounts in the directory. The signals it generates can be fed into tools like Conditional Access to make access decisions, or sent on to a Security Information and Event Management (SIEM) tool for further investigation according to your organization's policies.

Identity Protection gives your organization straightforward access to these capabilities so that it can respond to suspicious activity quickly.

Identity Protection Policies

Azure Active Directory Identity Protection includes three default policies that administrators can choose to enable:

Azure MFA registration policy

Enabling this policy ensures that new users in your organization register for Azure MFA on their first day. Multi-factor authentication is one of the self-remediation methods for risk events: it lets users act on their own to close a risk, which reduces helpdesk call volume.

Sign-in risk policy

Identity Protection analyzes signals from each sign-in, both in real time and offline, and calculates a risk score based on the probability that the sign-in was not performed by the user. Administrators can choose whether to block access, or to allow access but require multi-factor authentication. When a risk is detected, the user can complete multi-factor authentication to self-remediate and close the risky sign-in event, which keeps unnecessary noise away from administrators.

Custom Conditional Access policy

Administrators can also create a custom Conditional Access policy that uses sign-in risk as an assignment condition.

Risk Events

Discovering compromised identities can be challenging, but Azure Active Directory detects suspicious actions related to your user accounts with adaptive machine learning algorithms and heuristics. Each detected suspicious action is stored in a record called a risk detection, and there are two places where you can review the reported risk detections:

  1. Azure AD reporting- Risk detections are an integral part of Azure AD's security reports.
  2. Azure AD Identity Protection- Risk detections are also part of the reporting capabilities of Azure AD Identity Protection.

Azure Active Directory can detect the following six types of risk detection:
  • Users with leaked credentials- When cyber-criminals compromise a legitimate user's valid password, they often share or sell those credentials, for example on paste sites or the dark web. Microsoft's leaked credentials service checks credentials found in such sources against the current valid credentials of Azure AD users and reports any match.
  • Sign-ins from anonymous IP addresses- Identifies users who have successfully signed in from an anonymous proxy IP address, such as a Tor exit node. These addresses are used by people who want to hide their device's IP address and may have malicious intent.
  • Impossible travel to atypical locations- Identifies two sign-ins originating from geographically distant locations within a time window too short for the user to have travelled between them, where at least one of the locations does not match the user's past behavior.
  • Sign-ins from infected devices- Identifies sign-ins from devices infected with malware that is known to actively communicate with a bot server.
  • Sign-in from an unfamiliar location- Compares the sign-in against the user's past sign-in locations (IP, latitude/longitude, ASN) to determine whether the location is new or unfamiliar for that user.
  • Sign-ins from IP addresses with suspicious activity- Identifies IP addresses from which a high number of failed sign-in attempts were made, across multiple user accounts, over a short period of time.
Risk detections are a strong signal, not a complete defense. You can address the flagged risks manually, or automate the response by configuring Conditional Access policies.
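The following is an added example, not Microsoft's code or part of the original post: heuristic versions of three of the detections listed above (impossible travel, unfamiliar location, and IP addresses with suspicious activity), run over a constructed sign-in log. Identity Protection's real models are proprietary; these rules only show which fields each detection consumes and how an analyst might re-derive the signal from exported sign-in data. The users, timestamps, ASNs and TEST-NET IP addresses are constructed test data, and the thresholds (900 km/h, 10 failures in 5 minutes, 30-day history) are assumptions chosen for illustration.

```python
"""Heuristic re-implementations of three Identity Protection detections.
Added example, not Microsoft's code. Sample sign-ins below are constructed."""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    asn: int       # autonomous system of the source IP
    country: str
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(min(1.0, math.sqrt(a)))


def _successes_by_user(events):
    by_user = defaultdict(list)
    for e in events:
        if e.success:
            by_user[e.user].append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.ts)
    return by_user


def impossible_travel(events, max_speed_kmh=900.0):
    """Consecutive successful sign-ins whose implied speed exceeds an airliner's.
    (The real detection additionally requires one location to be atypical.)"""
    findings = []
    for user, evs in _successes_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                findings.append((user, prev.ip, cur.ip, round(km)))
    return findings


def unfamiliar_location(events, history_window=timedelta(days=30)):
    """Successful sign-ins from a (country, ASN) pair the user has not used inside
    the history window. A user with no history is not flagged (learning period)."""
    findings = []
    for user, evs in _successes_by_user(events).items():
        seen = []  # (timestamp, country, asn) of earlier successes
        for e in evs:
            recent = {(c, a) for t, c, a in seen if e.ts - t <= history_window}
            if recent and (e.country, e.asn) not in recent:
                findings.append((user, e.ip, e.country, e.asn))
            seen.append((e.ts, e.country, e.asn))
    return findings


def suspicious_ip(events, threshold=10, window=timedelta(minutes=5)):
    """IPs with >= threshold failed sign-ins (against any users) in a sliding
    window: the password-spray / brute-force shape behind the detection."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.ip].append(e.ts)
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged


# ---- constructed sample log (TEST-NET addresses, documentation ASNs) ----
T0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)


def _ev(user, offset_s, ip, lat, lon, asn, country, success=True):
    return SignIn(user, T0 + timedelta(seconds=offset_s), ip, lat, lon, asn, country, success)


SAMPLE = (
    [
        _ev("bob", 0, "192.0.2.10", 47.61, -122.33, 64500, "US"),          # Seattle
        _ev("alice", 3600, "192.0.2.11", 47.61, -122.33, 64500, "US"),     # Seattle
        _ev("alice", 7200, "198.51.100.20", -33.87, 151.21, 64501, "AU"),  # Sydney, 1 h later
        _ev("bob", 14400, "192.0.2.12", 45.52, -122.68, 64500, "US"),      # Portland, 4 h later
    ]
    + [_ev(f"user{i}", 18000 + 10 * i, "203.0.113.7", 47.61, -122.33, 64502, "US", success=False)
       for i in range(12)]   # 12 failures against 12 accounts in two minutes
    + [_ev("dave", 18000 + 60 * i, "203.0.113.8", 47.61, -122.33, 64502, "US", success=False)
       for i in range(3)]    # a user mistyping a password: below threshold
)

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE))
    print("unfamiliar location:", unfamiliar_location(SAMPLE))
    print("suspicious IPs:", suspicious_ip(SAMPLE))
```

Alice's Seattle-to-Sydney pair trips both the impossible-travel and unfamiliar-location rules, Bob's Seattle-to-Portland pair trips neither, and only the address spraying twelve accounts is flagged as suspicious; the three-failure address stays below the default threshold, which is the kind of tuning a SOC has to do before exporting these signals to a SIEM.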

User Risk Policy

Identity Protection calculates what it considers normal behavior for a user and uses that baseline to assess the user's risk. The user risk policy applies to user sign-ins and triggers an automatic response based on the specific user's risk level: the policy states a condition (the risk level) and an action (block access, or allow access but require a password change). Use a high threshold during policy rollout to limit impact, and a lower threshold afterwards for greater security.

Sign-in Risk Policy

Sign-in risk can be evaluated as part of a Conditional Access policy, alongside the following conditions:

Location

Named locations can be defined by public IPv4 network ranges, by country or region, or as unknown areas that don't map to a specific country or region. An administrator can include Any location and then exclude all trusted locations or selected named locations, so that the control only applies to sign-ins from outside the corporate network.

Client apps

Administrators can include Exchange ActiveSync clients and other clients that use legacy authentication protocols. Browser covers web-based applications that use protocols like SAML, WS-Federation, or OpenID Connect, and services registered as an OAuth confidential client. Mobile apps and desktop clients covers rich clients that use modern authentication. A common policy built on this condition blocks legacy authentication clients, which cannot satisfy a multi-factor authentication requirement, while allowing mobile apps and desktop clients.

Azure AD Conditional Access

Security behind a corporate firewall is no longer enough on its own. Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. It is the heart of the new identity-driven control plane.

Conditional Access conditions

Conditional Access offers six conditions: user/group, cloud application, device state, location (IP range), client application, and sign-in risk. These conditions can be combined to build exactly the Conditional Access policy needed, and with the access controls you can either block access altogether or grant access subject to the controls you select, such as:

  • Require MFA from Azure AD or an on-premises MFA (combined with AD FS)
  • Grant access to only trusted devices
  • Require a domain-joined device
  • Require mobile devices to use Intune app protection policies

The users and groups condition is mandatory in a Conditional Access policy. In your policy, you can either select All users or select specific users and groups.
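To make the preceding sections concrete (the sign-in risk and user risk policies, the client apps condition, the mandatory users and groups assignment, and how grant controls combine), here is an added example written for this article; it is not Microsoft's code or part of the original post. The policy bodies follow the field names of the Microsoft Graph conditionalAccessPolicy resource as used by POST /identity/conditionalAccess/policies, but the evaluator is a simplified model of how conditions and controls combine, not Azure AD's engine. The break-glass group ID and all sign-in records are constructed placeholders.

```python
"""Added example, not Microsoft's code: risk-based Conditional Access policies
in the Graph conditionalAccessPolicy shape plus a simplified evaluator."""
import json

BREAK_GLASS_GROUP = "11111111-2222-3333-4444-555555555555"  # assumed placeholder ID


def policy(name, state, conditions, operator, controls):
    """Body suitable for POST /identity/conditionalAccess/policies. Every policy
    assigns All users (the mandatory condition) and excludes the break-glass group."""
    base = {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]}}
    return {"displayName": name, "state": state,
            "conditions": {**base, **conditions},
            "grantControls": {"operator": operator, "builtInControls": controls}}


POLICIES = [
    # Roll risk policies out in report-only mode and read the sign-in logs first.
    policy("Sign-in risk medium+ requires MFA", "enabledForReportingButNotEnforced",
           {"signInRiskLevels": ["medium", "high"],
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
           "OR", ["mfa"]),
    # User risk remediation is MFA *and* a password change, hence operator AND.
    policy("User risk high requires password change", "enabled",
           {"userRiskLevels": ["high"],
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
           "AND", ["mfa", "passwordChange"]),
    # Legacy protocols cannot perform MFA, so the only safe control is block.
    policy("Block legacy authentication", "enabled",
           {"clientAppTypes": ["exchangeActiveSync", "other"]},
           "OR", ["block"]),
]


def applies(pol, s):
    """Does every configured condition match this sign-in? Exclusions always win."""
    c = pol["conditions"]
    u = c["users"]
    if s["user"] in u.get("excludeUsers", []) or set(s["groups"]) & set(u.get("excludeGroups", [])):
        return False
    if "All" not in u["includeUsers"] and s["user"] not in u["includeUsers"]:
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s["app"] not in apps:
        return False
    if "signInRiskLevels" in c and s["signInRisk"] not in c["signInRiskLevels"]:
        return False
    if "userRiskLevels" in c and s["userRisk"] not in c["userRiskLevels"]:
        return False
    cats = c.get("clientAppTypes", ["all"])
    return "all" in cats or s["clientAppType"] in cats


def evaluate(policies, s, enforce_report_only=False):
    """Combine applicable policies: any block wins, otherwise the user must satisfy
    the union of grant controls. Setting enforce_report_only=True answers the
    'what if this policy were enabled?' question without enforcing anything."""
    required = set()
    for pol in policies:
        active = pol["state"] == "enabled" or (
            enforce_report_only and pol["state"] == "enabledForReportingButNotEnforced")
        if not active or not applies(pol, s):
            continue
        controls = set(pol["grantControls"]["builtInControls"])
        if "block" in controls:
            return "block", set()
        required |= controls  # exact here: each policy is one control or an AND set
    return "grant", required


def signin(user, client, sign_in_risk="none", user_risk="none", groups=()):
    """Constructed sign-in record with the fields the evaluator consults."""
    return {"user": user, "app": "Office365", "clientAppType": client,
            "signInRisk": sign_in_risk, "userRisk": user_risk, "groups": list(groups)}


RISKY_BROWSER = signin("alice@contoso.example", "browser", sign_in_risk="medium")
LEGACY_CLIENT = signin("bob@contoso.example", "exchangeActiveSync")
BREAK_GLASS = signin("emergency@contoso.example", "browser", sign_in_risk="high",
                     groups=[BREAK_GLASS_GROUP])
COMPROMISED = signin("carol@contoso.example", "browser", user_risk="high")

if __name__ == "__main__":
    print(json.dumps(POLICIES[0], indent=2))
    for s in (RISKY_BROWSER, LEGACY_CLIENT, BREAK_GLASS, COMPROMISED):
        print(s["user"], evaluate(POLICIES, s),
              "what-if:", evaluate(POLICIES, s, enforce_report_only=True))
```

Two points the walkthrough makes that the prose does not: a medium-risk browser sign-in is not challenged while the sign-in risk policy is still report-only (the what-if view shows it would require MFA once enabled), and the excluded break-glass account passes even at high risk, which is exactly why that group must be small, monitored, and protected by other means.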

Azure AD Access Reviews

Azure Active Directory access reviews let organizations efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access.

Why are access reviews important?

The ever-growing challenges in cyber security, together with the convenience of self-service access, have created a need for better access management capabilities. The following points need to be checked continuously:

  • As new employees join, how can you ensure that they have the right access to be productive?
  • As people move teams or leave the company, how do you ensure that their old access is removed, especially when it involves guests?
  • Excessive access rights may lead to audit findings and compromises as they indicate a lack of control over access.
  • You must proactively engage with resource owners to ensure they regularly review who has access to their resources. 

Use access reviews in the following cases

  • Too many users in privileged roles- Check regularly how many users have administrative access, how many of them are Global Administrators, and whether any invited guests or partners have not been removed after being assigned an administrative task.

  • When automation is infeasible- Rules can be created for dynamic membership of security groups or Microsoft 365 Groups, but if the HR data is not in Azure AD, or if users still need access after leaving the group to train their replacement, then you can create a review on that group to ensure those who still need access keep it.

  • When a group is used for a new purpose- If a group is going to be synced to Azure AD, or if you plan to enable a sales management application for everyone in the sales team group, it is helpful to ask the group owner to review the group membership before the group is used in a different risk context.

  • Business critical data access- For certain resources, it may be appropriate to ask people outside of IT to regularly sign out and give a justification of why they need access, for auditing purposes.

  • To maintain a policy's exception list- Ideally all users should follow the access policies that secure access to your organization's resources, but sometimes there are business cases in which exceptions are required. As the IT admin you can use access reviews to manage this task, avoid overlooking policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly.

  • Ask group owners to confirm they still need guests in their group- Employee access might be automated with an on-premises IAM system, but invited guests usually are not. If a group gives guests access to business-sensitive content, it is the group owner's responsibility to confirm that the guests still have a legitimate business need for access.

  • Have reviews recur periodically- Recurring access reviews can be set up at frequencies such as weekly, monthly, quarterly, or annually, and reviewers are notified at the start of each review. Reviewers approve or deny access through a simple interface, aided by smart recommendations.

Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.









 
