Microsoft Entra ID Protection

Microsoft Entra ID Protection (formerly known as Azure AD Identity Protection) is a suite of tools within Microsoft Entra ID designed to detect, respond to, and protect against identity-related security risks. By analyzing sign-ins and user behavior patterns, Entra ID Protection helps organizations identify and mitigate potential security threats, such as compromised accounts or unusual login activity.

This guide covers Entra ID Protection in detail, including its features, how it works, and a step-by-step tutorial for creating, configuring, and managing it. It also includes practical examples to help beginners understand its usage.


Key Concepts of Microsoft Entra ID Protection

  1. Risk Detection: Entra ID Protection uses machine learning and Microsoft threat intelligence to identify and flag risky behaviors, such as sign-ins from unusual locations or unfamiliar devices. Detections are aggregated into two kinds of risk:
  • User Risk: The likelihood that the user account itself is compromised (e.g., the user's credentials turned up in a leaked-credential dump, or threat intelligence shows the account is being targeted). User risk persists until it is remediated or dismissed.
  • Sign-in Risk: The likelihood that a specific authentication request was not made by the account owner (e.g., a sign-in from an anonymizing proxy, or "atypical travel" between two locations too far apart for the elapsed time). Sign-in risk is evaluated per request.
  2. Risk-Based Policies: Entra ID Protection lets you automate the response to a given risk level, such as requiring Multi-Factor Authentication (MFA) or a password change. The same risk signals are available as conditions in Conditional Access, which is how Microsoft now recommends building these policies.
  3. Continuous Monitoring: Entra ID Protection constantly monitors and assesses risk levels across user accounts and sign-ins. Some detections are evaluated in real time during sign-in; others are computed offline and can appear hours after the event.
  4. Reports and Insights: Entra ID Protection provides the Risky users, Risky sign-ins, and Risk detections reports, showing trends and the individual detections behind each risk score. Admins use these reports to investigate and respond to potential threats.

Key Features of Microsoft Entra ID Protection

  1. User Risk Policy: Allows you to automatically respond to user risk by enforcing policies, such as requiring users to reset their passwords if their account is flagged as at risk.
  2. Sign-In Risk Policy: Automatically applies specific actions based on the risk level of a sign-in, like prompting for MFA if a sign-in appears suspicious.
  3. Risk Detection and Scoring: Evaluates each user and sign-in, assigning a risk level (Low, Medium, or High) based on detections such as unfamiliar sign-in properties, atypical travel, anonymous IP addresses, password spray, or leaked credentials.
  4. Reports: Entra ID Protection includes the Risky Users, Risky Sign-ins, and Risk Detections reports to help admins monitor and respond to suspicious activity.

Step-by-Step Guide to Setting Up Microsoft Entra ID Protection

Prerequisites

  1. Microsoft Entra ID P2 License: The risk policies and full risk reports require Microsoft Entra ID P2 (included in Microsoft 365 E5 and the Microsoft Entra Suite). Lower tiers only get a reduced view of the risk reports.
  2. Entra ID Admin Access: You need an appropriate role: Security Administrator to configure policies and remediate risk, Security Operator to investigate and remediate risk, or Security Reader / Global Reader to view the reports. Creating Conditional Access policies additionally requires the Conditional Access Administrator role.

Step 1: Accessing Entra ID Protection

  1. Sign in to the Microsoft Entra admin center at https://entra.microsoft.com (the same blade is also reachable from the Azure Portal at https://portal.azure.com under Microsoft Entra ID > Security).
  2. In the left-hand menu, expand Protection.
  3. Select Identity Protection.

Step 2: Configuring User Risk Policy

The User Risk Policy acts on the probability, as computed by Entra ID Protection, that a user's account is compromised. When a user's risk reaches the configured level, the policy can block access or require the user to complete a secure password change.

  1. In the Identity Protection section, click on User risk policy.
  2. Click + Create policy or Edit if there’s an existing policy.
  3. Configure the policy settings:
  • Assignments:
    • Users: Specify which users the policy applies to (e.g., All users, selected groups). Exclude at least one emergency-access (break-glass) account so that a false positive cannot lock out every administrator.
  • Conditions:
    • User Risk Level: Select the risk level that triggers the policy. Options include Low and above, Medium and above, or High. Microsoft recommends High for this policy, because a forced password change is disruptive and the lower levels include noisier detections.
  • Access:
    • Grant Access: Choose Require password change to enforce a password reset if a user risk is detected, or Block access to deny sign-in outright.
  4. Enable Policy: Once configured, toggle the Policy enabled switch to On and click Save.

Self-remediation only works for users who are registered for MFA, because the password change is preceded by an MFA challenge (hybrid users also need self-service password reset with password writeback). Users who are not registered stay blocked until an admin resets their password. Microsoft now recommends implementing this response as a Conditional Access policy (condition: User risk; grant: Require multifactor authentication and Require password change, with "Require all the selected controls") rather than the legacy policy shown here; the settings map one to one.

Example Usage:

  • The User Risk Policy is set to Medium and above, meaning that if Entra ID Protection detects a medium or high risk for any user, that user must complete MFA and then change their password at their next sign-in. This stops a stolen password from being reused by the attacker. Expect more password-change prompts than with the recommended High setting, since medium-risk detections include noisier signals.

Step 3: Configuring Sign-In Risk Policy

The Sign-In Risk Policy assesses the probability that a particular sign-in attempt is suspicious or risky, allowing you to enforce additional verification steps like MFA based on the level of sign-in risk.

  1. In the Identity Protection section, select Sign-in risk policy.
  2. Click + Create policy or Edit if there’s an existing policy.
  3. Configure the policy settings:
  • Assignments:
    • Users: Define the user scope (e.g., All users, specific groups).
  • Conditions:
    • Sign-In Risk Level: Select the risk level that triggers the policy: Low and above, Medium and above, or High.
  • Access:
    • Grant Access: Choose Require Multi-Factor Authentication to require MFA if a risky sign-in is detected, or Block access for risk levels you never want to tolerate.
  4. Enable Policy: Toggle the Policy enabled switch to On and click Save.

A user who is not yet registered for MFA cannot satisfy this policy and is blocked until they register, so pair it with the MFA Registration Policy in Step 4. The Conditional Access equivalent is a policy with the Sign-in risk condition, Require multifactor authentication as the grant control, and Sign-in frequency set to Every time so the risk is re-evaluated on each authentication rather than once per token lifetime.

Example Usage:

  • The Sign-In Risk Policy is set to High, meaning that any high-risk sign-in attempt (for example one from an anonymizing proxy, or with sign-in properties never seen before for that user) will require the user to complete MFA to verify their identity before gaining access. Microsoft's recommended setting for this policy is Medium and above.

Step 4: Configuring MFA Registration Policy

The MFA Registration Policy ensures that users register for MFA, which is a key defense against compromised accounts.

  1. In the Identity Protection section, select MFA registration policy.
  2. Click + Create policy or Edit if there’s an existing policy.
  3. Configure the policy:
  • Assignments:
    • Users: Define which users or groups this policy applies to (e.g., All users, specific departments).
  • Access:
    • Require MFA Registration: Enable this option to ensure users register for MFA.
  4. Enable Policy: Toggle the Policy enabled switch to On and click Save.

Users in scope are prompted to register at their next interactive sign-in. They can postpone the prompt for up to 14 days, after which registration is required before they can sign in.

Example Usage:

  • The MFA Registration Policy applies to all employees, ensuring they have registered for MFA. This ensures users are prepared to complete MFA when it’s required by other policies, like the Sign-In Risk Policy.
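Steps 2 through 4 configure the legacy Identity Protection policies through the portal. The script below is an added example (not code from the original tutorial or from Microsoft) that builds the Conditional Access equivalents of Steps 2 and 3 as Microsoft Graph request bodies, in the conditionalAccessPolicy schema that POST /identity/conditionalAccess/policies expects, and audits them against the recommended settings: High for user risk, Medium and above for sign-in risk, password change paired with MFA, a break-glass exclusion, and sign-in frequency Every time. It does not call Graph; the break-glass object ID is a placeholder, and the MFA registration requirement from Step 4 has no Conditional Access equivalent and stays in Identity Protection.

```python
"""Risk-based Conditional Access policy bodies plus a sanity check (added example)."""
import json

RISK_ORDER = ["low", "medium", "high"]


def levels_and_above(level):
    """Map the portal's 'Low and above / Medium and above / High' selector to
    the Graph enum list, e.g. 'medium' -> ['medium', 'high']."""
    if level not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {level!r}")
    return RISK_ORDER[RISK_ORDER.index(level):]


def _base_policy(name, include_users, exclude_users):
    """Skeleton conditionalAccessPolicy (schema of POST /identity/conditionalAccess/policies)."""
    return {
        "displayName": name,
        # Report-only first: observe what the policy would do before enforcing it.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "userRiskLevels": [],
            "signInRiskLevels": [],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": list(include_users), "excludeUsers": list(exclude_users)},
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
        # Re-evaluate on every authentication so a change in risk takes effect
        # immediately rather than when the current token expires.
        "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime",
                                                "authenticationType": "primaryAndSecondaryAuthentication"}},
    }


def user_risk_policy(name, user_risk="high", include_users=("All",), exclude_users=()):
    """Step 2 as Conditional Access: MFA followed by a password change.
    Conditional Access only accepts 'passwordChange' together with 'mfa' under
    operator 'AND'; the MFA step proves the real owner is resetting the password."""
    policy = _base_policy(name, include_users, exclude_users)
    policy["conditions"]["userRiskLevels"] = levels_and_above(user_risk)
    policy["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return policy


def sign_in_risk_policy(name, sign_in_risk="medium", include_users=("All",), exclude_users=()):
    """Step 3 as Conditional Access: require MFA for the risky sign-in."""
    policy = _base_policy(name, include_users, exclude_users)
    policy["conditions"]["signInRiskLevels"] = levels_and_above(sign_in_risk)
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def weak_user_risk_policy(name):
    """A common misconfiguration: 'Low and above', password change without MFA,
    no break-glass exclusion, no sign-in frequency control."""
    policy = _base_policy(name, ["All"], [])
    policy["conditions"]["userRiskLevels"] = levels_and_above("low")
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["passwordChange"]}
    policy["sessionControls"] = {}
    return policy


def audit_risk_policy(policy):
    """Return a list of findings (empty means clean) for a risk-based policy."""
    findings = []
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    user_levels = set(cond.get("userRiskLevels", []))
    users = cond.get("users", {})
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}

    if not user_levels and not cond.get("signInRiskLevels"):
        findings.append("no userRiskLevels/signInRiskLevels: not a risk-based policy")
    if "passwordChange" in controls and not ("mfa" in controls and grant.get("operator") == "AND"):
        findings.append("passwordChange must be paired with mfa under operator AND")
    if "low" in user_levels:
        findings.append("user risk 'low' forces password changes on noisy detections; use 'high'")
    if users.get("includeUsers") != ["All"]:
        findings.append("not scoped to All users; confirm the gap is intentional")
    if not users.get("excludeUsers"):
        findings.append("no excluded emergency-access account; a false positive could lock out every admin")
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("signInFrequency 'everyTime' not set; risk is only re-checked when the token expires")
    return findings


# Hypothetical object ID of an emergency-access (break-glass) account.
BREAK_GLASS = "00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    for finding in audit_risk_policy(weak_user_risk_policy("User risk - weak")):
        print("weak:", finding)
    good = user_risk_policy("CA - user risk High - MFA + password change", exclude_users=[BREAK_GLASS])
    print("good:", audit_risk_policy(good) or "no findings")
    print(json.dumps(good, indent=2))
```

To deploy, POST the returned dict to /identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission, leave it in report-only mode until the sign-in logs confirm it would not have blocked legitimate users, then change `state` to `enabled`. The same audit function can be pointed at policies exported from a tenant to catch the weak variant after the fact.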

Step 5: Monitoring and Managing Risk Events

Once policies are configured, Entra ID Protection provides various reports to monitor and investigate risks.

  1. Go to the Identity Protection Dashboard: In the Identity Protection section, view the following reports:
  • Risky Users: Shows users flagged as at risk. This report includes details like the risk level and risk detections for each user.
  • Risky Sign-ins: Lists sign-in attempts that were flagged as suspicious, along with details like location, IP address, and detected risk.
  • Risk Detections: Displays events that triggered risk, such as sign-ins from unfamiliar locations or login attempts from anonymous IP addresses.
  2. Investigate and Take Action:
  • Use these reports to monitor risk trends. From the Risky Users report an admin can Confirm user compromised (which raises the user's risk to High so the User Risk Policy takes effect), Dismiss user risk (closing a false positive), Reset password, or Block user. Revoking the user's sessions from their profile page also cuts off an attacker who already holds a valid token.

Example Usage:

  • An admin notices an unusual spike in risky sign-ins from a foreign country. They investigate the Risky Sign-ins report and see that several accounts attempted to sign in from the same IP range within a short window, which points to a coordinated campaign rather than unrelated anomalies. The admin confirms those users as compromised, which forces a password change through the User Risk Policy, revokes their sessions, and considers blocking the source range with a Conditional Access Named location.
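The investigation above is exactly the case a per-user view handles badly: each account's detection looks minor on its own, and the pattern only appears when detections are grouped by source. The script below is an added example, not part of the original tutorial, that runs offline over constructed records shaped like the Graph riskDetection resource (what GET /identityProtection/riskDetections returns; the GUIDs, the contoso.example domain and the addresses are placeholders). It drops detections that are already remediated, groups the rest by /24 within a one-hour window, reports networks that hit three or more distinct users, and builds the body for the confirmCompromised action on those users.

```python
"""Cluster Entra ID Protection risk detections by source network (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the Graph riskDetection resource
# (GET /identityProtection/riskDetections). GUIDs and the domain are placeholders;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
DETECTIONS = [
    {"userId": "11111111-1111-4111-8111-111111111111", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "activityDateTime": "2024-05-02T08:00:00Z",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "medium", "riskState": "atRisk"},
    {"userId": "22222222-2222-4222-8222-222222222222", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.22", "activityDateTime": "2024-05-02T08:12:00Z",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "medium", "riskState": "atRisk"},
    {"userId": "33333333-3333-4333-8333-333333333333", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.31", "activityDateTime": "2024-05-02T08:35:00Z",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "high", "riskState": "atRisk"},
    {"userId": "11111111-1111-4111-8111-111111111111", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "activityDateTime": "2024-05-02T08:40:00.1234567Z",
     "riskEventType": "passwordSpray", "riskLevel": "high", "riskState": "atRisk"},
    {"userId": "44444444-4444-4444-8444-444444444444", "userPrincipalName": "dave@contoso.example",
     "ipAddress": "203.0.113.44", "activityDateTime": "2024-05-02T08:50:00Z",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "low", "riskState": "remediated"},
    {"userId": "55555555-5555-4555-8555-555555555555", "userPrincipalName": "erin@contoso.example",
     "ipAddress": "198.51.100.7", "activityDateTime": "2024-05-02T09:05:00Z",
     "riskEventType": "atypicalTravel", "riskLevel": "medium", "riskState": "atRisk"},
    {"userId": "66666666-6666-4666-8666-666666666666", "userPrincipalName": "frank@contoso.example",
     "ipAddress": None, "activityDateTime": "2024-05-02T09:30:00Z",
     "riskEventType": "leakedCredentials", "riskLevel": "high", "riskState": "atRisk"},
]

# Risk states that still need action; remediated/dismissed/confirmedSafe are closed.
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}


def parse_ts(ts):
    """Parse Graph's ISO 8601 timestamps. They can carry seven fractional
    digits and a trailing 'Z'; trim to microseconds for fromisoformat()."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def source_network(ip_text, v4_prefix=24, v6_prefix=64):
    """Collapse an address to its network so neighbouring attacker IPs group together."""
    ip = ipaddress.ip_address(ip_text)
    plen = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def cluster_by_source(detections, window=timedelta(hours=1), min_users=3):
    """Return {network: sorted UPNs} for every network from which at least
    `min_users` distinct users had active detections within `window`."""
    by_net = defaultdict(list)
    for d in detections:
        if d["riskState"] not in ACTIVE_STATES:
            continue
        try:
            net = source_network(d.get("ipAddress") or "")
        except ValueError:
            continue  # offline detections such as leakedCredentials carry no IP
        by_net[net].append((parse_ts(d["activityDateTime"]), d))

    clusters = {}
    for net, events in by_net.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            burst = [d for t, d in events[i:] if t - start <= window]
            if len({d["userId"] for d in burst}) >= min_users:
                clusters[net] = sorted({d["userPrincipalName"] for d in burst})
                break
    return clusters


def confirm_compromised_body(detections, clusters):
    """Request body for POST /identityProtection/riskyUsers/confirmCompromised.
    Confirming compromise raises each user's risk to High, so the User Risk
    Policy forces a password change at their next sign-in."""
    upns = {u for users in clusters.values() for u in users}
    ids = sorted({d["userId"] for d in detections if d["userPrincipalName"] in upns})
    return {"userIds": ids}


if __name__ == "__main__":
    found = cluster_by_source(DETECTIONS)
    for net, users in found.items():
        print(f"{net}: {len(users)} users -> {', '.join(users)}")
    print(confirm_compromised_body(DETECTIONS, found))
```

On the sample data only 203.0.113.0/24 qualifies: dave's detection is already remediated and frank's leaked-credential hit has no source address, so neither is acted on, and erin's atypical travel is a single-user event that still deserves a look but is not part of the burst. Against a real tenant, feed the function the `value` array from the riskDetections endpoint (IdentityRiskEvent.Read.All) and POST the resulting body with IdentityRiskyUser.ReadWrite.All; the /24 and one-hour parameters are starting points to tune against your own sign-in volume.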

Working Examples of Microsoft Entra ID Protection in Action

Example 1: Detecting and Responding to Compromised Accounts

Situation: A medium-sized company experiences a surge in phishing attacks, and IT needs to quickly identify compromised accounts.

  1. Risk Detection: Entra ID Protection identifies accounts with unusual login behavior and flags them with a high User Risk level.
  2. Automatic Action via User Risk Policy: The User Risk Policy requires any flagged accounts to change their passwords.
  3. Admin Review: The IT team reviews the Risky Users report to identify potentially compromised accounts. Accounts with high-risk sign-ins are closely monitored, and users are alerted about suspicious activity.

This setup helps IT proactively secure compromised accounts by triggering automatic password resets, minimizing the potential impact of phishing attacks.

Example 2: Securing Remote Access with Conditional MFA

Situation: A company wants to ensure secure access for remote workers, but only enforces MFA when the risk level is high (e.g., login from an unfamiliar device or location).

  1. Sign-In Risk Policy: The policy is set to trigger MFA for all sign-ins flagged as high risk, such as access from new devices or unusual locations.
  2. Sign-In Attempt: A remote employee tries to log in from a different country. The sign-in is flagged as high risk, and the user is prompted to complete MFA.
  3. Access Granted with Verification: The employee verifies their identity with MFA, ensuring secure access to company resources.

By enforcing MFA only on high-risk sign-ins, the company strikes a balance between security and user convenience.

Example 3: Enforcing MFA Registration for All Employees

Situation: An organization needs all employees to register for MFA, but some employees have not completed registration.

  1. MFA Registration Policy: The organization applies an MFA Registration Policy to all employees. Each user is prompted to register an MFA method at their next sign-in and can postpone the prompt for up to 14 days, after which registration is mandatory.
  2. Employee Login: An employee who hasn’t registered for MFA attempts to log in. They are prompted to complete the MFA registration process.
  3. Access Control: Once registered, the employee can access applications, and future sign-ins may require MFA based on risk policies.

This policy ensures that all employees are ready to complete MFA verification, which strengthens overall security.


Summary

Microsoft Entra ID Protection is a powerful tool within Microsoft Entra ID that helps organizations detect, prevent, and respond to identity-related security risks through advanced machine learning and risk-based policies. By combining user risk policies, sign-in risk policies, and comprehensive risk reporting, Entra ID Protection provides proactive identity protection.

Key Benefits of Entra ID Protection:

  • Enhanced Security: By identifying and responding to risky user and sign-in behavior, Entra ID Protection helps prevent unauthorized access.
  • Automated Response: Risk-based policies like automatic password resets and MFA for high-risk sign-ins streamline security responses.
  • Reduced Admin Workload: With continuous risk monitoring and user-friendly reports, admins can focus on more critical issues while Entra ID Protection handles routine risk management.

Microsoft Entra ID Protection is an essential tool for organizations adopting a Zero Trust security approach, allowing them to manage identity risks dynamically and effectively.

Author: tonyhughes