Introduction
Have you or an employee in the company you work for ever been victim of a SPAM mail?
- If not, then you’ve been lucky
- If yes, I hope that you have already had your Microsoft policies under control or have revised them after the incident.
In this blog post, we will go into more detail on how you can better protect Entra ID users with a few simple steps. Today we refer to Microsoft Entra ID Protection, in my opinion one of the most important points of end-user security to be reasonably resilient in the fight against malicious attacks.
Prerequisite
One of the following licences is required to use the feature. The higher the licence, the more features are included:
- Microsoft Entra ID Free
- Microsoft Entra ID P1
- Microsoft Entra ID P2
Essentially, it can be said that in the free version (Microsoft Entra ID Free) the most necessary parameters are checked by Microsoft without much logic behind it.
In the Premium P1 or P2 licences, more analysis parameters are included and can also be displayed in the respective dashboards.
A list of the functionalities and parameters included in the respective licences can be found here: Features Entra ID Protection
Risk types
With Microsoft Entra ID Protection, a distinction must be made between the following two risk types:
Sign-In Risk
Microsoft Identity Protection’s Sign-In Risk is a feature that uses machine learning algorithms to detect suspicious actions related to a user’s sign-in activity. It evaluates each sign-in attempt and assigns a risk level of low, medium, high, or none.
Here are some examples of risky sign-in behaviors:
- Impossible travel
This occurs when two sign-ins from the same user occur from geographically distant locations within a time frame that suggests the user couldn’t have traveled from the first location to the second. - Sign-ins from unfamiliar locations
These are sign-ins from locations that aren’t typical for the user. - Sign-ins from infected devices
These are sign-ins from devices that have been identified as being infected with malware.
- Sign-ins from IP addresses with suspicious activity
These are sign-ins from IP addresses that have a high number of failed sign-in attempts across multiple accounts over a short period of time.
- Sign-ins from anonymous IP addresses
These are sign-ins from IP addresses that have a high number of failed sign-in attempts across multiple accounts over a short period of time.
User Risk
User Risk in Microsoft Identity Protection is a feature that identifies and processes risks at the user level. It uses machine learning, heuristics, and anomaly detection algorithms to detect suspicious activities.
User Risk assigns a risk level of low, medium, high, or none to each user based on their behavior over time. The risk level is calculated based on a variety of factors, including:
- Risky sign-in behavior
This includes sign-ins from unfamiliar locations or infected devices, among other things. - Leaked credentials
If a user’s credentials are found in the dark web, this could indicate that they have been compromised. - Activity patterns
Unusual activity, such as sending a large number of emails in a short period of time, can also contribute to the user risk level.
Risk-based access control policies
For the two risk types mentioned above, administrators have the option of creating risk-based access control policies and applying them to their Microsoft Entra tenant. The policies described in more detail below are part of the so-called Conditional Access Policies (CAP), which are available from Microsoft Entra ID Premium P1 licence onwards.
These two policies originate from the base line policy of our demo tenants Handel-Falken AG.
In a separate blog post, we will go into more detail about the demo tenant’s base line CAPs.
For the user risk policy, we have deliberately opted for a self-remediation variant with a request to change the password. If an Entra Connect is in use, SSPR (Self-Service Password Reset) and passwort writeback is required in this configuration.
Sign-In risk policy
| Users | Include: All Users Exclude: {BreakGlass Accounts} |
| Target resources | All cloud apps |
| Conditions | Sign-in risk:
|
| Grant |
|
| Session | – |
Source: Conditional Access | Policies
User risk policy
| Users | Include: All Users Exclude: {BreakGlass Accounts} |
| Target resources | All cloud apps |
| Conditions | User risk:
|
| Grant |
|
| Session | Sign-in frequency
|
Source: Conditional Access | Policies
Conclusion
Microsoft Identity Protection is a robust security tool that provides comprehensive protection for user identities. It uses advanced machine learning and heuristics to detect suspicious activities and assign risk levels to both sign-in activities and users.
Key features include:
- Sign-In Risk and User Risk
These features assign risk levels based on suspicious activities, enabling administrators to take appropriate actions such as requiring multi-factor authentication or blocking the sign-in attempt or user account. - Leaked Credentials
Microsoft Identity Protection checks if a user’s credentials have been leaked on the dark web, providing an additional layer of security. - Risk-Based Policies
Administrators can set up policies to automatically respond to risky sign-ins or users, enhancing the security of the organization’s resources. - Integration with other Microsoft services
Microsoft Identity Protection integrates seamlessly with other Microsoft services like Azure Active Directory, providing a unified and comprehensive security solution.
In conclusion, Microsoft Identity Protection is a powerful tool for organizations to protect their user identities and resources from potential security threats. It provides a proactive approach to identity security, helping organizations to detect and respond to risks in a timely manner.