Understanding Identity Protection

Azure AD Identity Protection is a feature that works on the principle of risk detection and remediation. It allows Microsoft 365 administrators to view risk events and detections in the Azure portal, and then control what happens when risks are detected. They can also configure notifications regarding alerts about risk activities and receive a weekly report via email. Identity Protection will detect and report on risk classification events based on the following categories:

  • Impossible travel
  • Anonymous IP addresses
  • Unfamiliar sign-in behavior
  • Malware-linked IP addresses
  • Leaked credentials
  • Azure AD threat intelligence

Whenever one of these risk classifications is matched, a remediation action is triggered, such as requiring the affected users to register for MFA or respond to an MFA prompt, or requiring them to perform a password reset. If a risk is deemed significant enough, the affected user can even be blocked entirely until further notice, and administrators can review reports in the Azure AD Identity Protection dashboard to respond to and resolve matches against risky users, risky sign-ins, and risk detections.

In order to view or configure Azure AD Identity Protection, you need to be a member of one of the following groups: Security Reader, Security Operator, Global Reader, or Global Administrator.

Azure AD Identity Protection requires an Azure AD Premium P2, EM+S E5, or Microsoft 365 E5 license (for all Azure AD users who you wish to benefit from the feature) in order to take advantage of all the included policies, reports, and notifications.

With Identity Protection, you can protect users with risk policies. These are separated into the following categories:

  • User risk policies
  • Sign-in risk policies

It is also possible to protect your users with an MFA registration policy.

In the following sections, we will examine each of these policies in turn. So, now that we have explained the principles of Azure AD Identity Protection, let's look at how we can start to configure user risk policies and sign-in risk policies.

Configuring user risk and sign-in risk policies

User risk policies and sign-in risk policies are more or less identical in what they do. They are both capable of allowing or blocking access to Azure AD based on risk. The difference lies in the control enforcements that can be applied, as shown in the following screenshot:

Figure 5.1 – User risk policy and Sign-in risk policy

With a user risk policy, you are able to block or allow access and require a password change, whereas with a sign-in risk policy, you are able to block or allow access and require MFA.

So, let's look at how we can configure these policies, starting with an example of a user risk policy. This will show you how a policy can be assigned to users, how conditions for the risk level can be applied, and whether or not the policy will allow the user to proceed or whether they should be blocked. Follow these steps:

  1. Log in to the Azure portal (with the appropriate access, as described previously) at https://portal.azure.com. Search for Azure Identity Protection and select it. You will be taken to the following screen:

    Figure 5.2 – Identity Protection - Overview

  2. Under the Protect option, select User risk policy:

    Figure 5.3 – Protect options

  3. You will now see the following options for configuring the policy:

    Figure 5.4 – Policy settings

  4. Under Users, you can choose to include All Users, or select chosen users or groups. It is also possible to exclude specific users:

    Figure 5.5 – Including or excluding users

  5. Make your required selections and click Done.
  6. Next, under Conditions, you have the option to Select a risk level that will be applied to the User risk policy. In the following screenshot, I have chosen Medium and above:

    Figure 5.6 – Conditions risk level

    Important note

    Make sure that you choose an acceptable risk level when making these selections. It is important to plan for a balance between user experience and security. It is Microsoft's recommendation to set the user risk policy to High and the sign-in risk policy to Medium or higher.

  7. Click Select and then Done to accept your settings.
  8. Now, we need to select Controls and then Access so that we can choose whether we are going to allow or block access when this risk policy generates a match. We can also force the user to complete a password reset here:

    Figure 5.7 – Access options

  9. Click Select to confirm your settings. Then, set the Enforce Policy option to On and click Save to commit your choices to the user risk policy:

Figure 5.8 – Enforce Policy settings

Important note

When applying a risk policy to All Users, be careful not to get locked out of your own account. Always have a break glass account that you specifically exclude from the policy to ensure you can continue to gain access. A break glass account is an emergency account that will only ever be used to regain access to your Microsoft 365 environment should you inadvertently become locked out.

With that, we have configured a user risk policy. Should you wish to configure a Sign-in risk policy, the process is exactly the same, with the exception of the sign-in risk access controls, which enable you to choose to Require multi-factor authentication alongside blocking or allowing access:

Figure 5.9 – Access settings

Once you have your user and sign-in risk policies configured, they will start working to automate responses based on your risk detection settings. Some further considerations when enabling these policies are as follows:

  • If you wish your users to be able to respond to Identity Protection requirements such as enforcing MFA and password changes, ensure that you enable your users for MFA and self-service password reset (as described in Chapter 2, Authentication and Security).
  • When configuring acceptable risk levels, be aware of the possible effects on your users. For example, a high threshold will minimize the number of times a risk policy is triggered. However, the policy will then not respond to low- and medium-risk detections, which could leave a malicious actor free to exploit a compromised identity within your environment.
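The portal steps above, the two Important notes and the considerations just listed all describe settings that can also be expressed as configuration. The following added example (not code from the book) models a user risk policy and a sign-in risk policy in the Microsoft Graph Conditional Access policy body shape, where the risk levels appear as `userRiskLevels` / `signInRiskLevels` conditions, and lints them against this section's guidance: a break glass exclusion on All-users policies, User risk at High, Sign-in risk at Medium and above, and password change paired with MFA. The break glass object ID is a constructed placeholder.

```python
"""Build risk-based policies in Graph conditionalAccessPolicy form and lint
them against the guidance in this section. Example code, not from the book."""
from typing import Dict, List

BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000bg"  # constructed placeholder
RISK_ORDER = ["low", "medium", "high"]  # portal "X and above" = X and everything after it


def risk_policy(name: str, kind: str, min_level: str, controls: List[str],
                exclude_users: List[str]) -> Dict:
    """Return a policy body; kind is 'user' or 'signIn', min_level is the
    lowest level that should trigger it (portal wording: 'Medium and above')."""
    levels = RISK_ORDER[RISK_ORDER.index(min_level):]
    return {
        "displayName": name,
        "state": "enabled",  # the portal's "Enforce Policy: On"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": levels if kind == "user" else [],
            "signInRiskLevels": levels if kind == "signIn" else [],
        },
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
    }


def lint(policy: Dict) -> List[str]:
    """Return the findings a reviewer would raise before enabling the policy."""
    findings = []
    cond, grant = policy["conditions"], policy["grantControls"]
    users, controls = cond["users"], set(grant["builtInControls"])
    if "All" in users["includeUsers"] and BREAK_GLASS_ID not in users["excludeUsers"]:
        findings.append("break-glass account not excluded from an All-users policy")
    if cond["userRiskLevels"] and cond["userRiskLevels"] != ["high"]:
        findings.append("user risk policy should trigger at High only")
    if "low" in cond["signInRiskLevels"]:
        findings.append("sign-in risk policy should trigger at Medium and above")
    if "passwordChange" in controls and ("mfa" not in controls or grant["operator"] != "AND"):
        findings.append("passwordChange must be combined with mfa using the AND operator")
    return findings


if __name__ == "__main__":
    user_pol = risk_policy("User risk - High", "user", "high",
                           ["mfa", "passwordChange"], [BREAK_GLASS_ID])
    signin_pol = risk_policy("Sign-in risk - Medium+", "signIn", "medium", ["mfa"], [])
    for pol in (user_pol, signin_pol):
        print(pol["displayName"], lint(pol) or "OK")
```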

So, now you are familiar with the best practices for configuring user risk and sign-in risk policies. We showed you how to create these policies, assign them to your users, and exclude certain users from them, along with how to set the required risk level for the policy and what actions should be taken if there is a policy match. Next, we will look at how to configure MFA registration policies with Azure AD Identity Protection.