How to Spot Suspicious Users. How to Deploy Azure’s Identity Protection.

On average, hackers launch an attack once every 39 seconds.

Malicious third parties pose a huge threat to your business. However, if you opt for a modern, cloud-based platform such as Microsoft 365, then you’ll have access to a range of security mechanisms and features that can help keep your business safe. 

In this article, we’ll deep-dive into Azure Active Directory’s Identity Protection. It provides policies that help you manage identity-based risks, including unauthorized logins and stolen credentials. If a threat is detected, Microsoft’s Identity Protection will lock the compromised account(s) automatically. 

In this article, we’ll explore two Identity Protection policies that come built into Microsoft 365. By the end of this article, you’ll know how to protect your business against sign-in-based and user-based identity threats. We’ll also explore how you can combine these Identity Protection policies with Conditional Access to create even more powerful and versatile security protocols. 

Employees acting strangely? Analyzing behavior, with user risk protection 

Most of us have predictable habits, and Microsoft 365 can learn these habits. Identity Protection can recognize when user behavior deviates from the norm, and then calculate the probability that their account has been compromised. 

Microsoft 365 can then take action based on the risk score. For example, if the risk score is high, then Identity Protection might block access to the user’s account. 

For the best results, you should give employees a way to resolve risks themselves. In terms of user risk protection, this means giving employees a way to reset their password. By enabling self-service password reset (SSPR), your employees can resolve issues without always having to wait for technical support. 

This kind of self-remediation helps to keep your employees productive, while significantly reducing the workload for your technical staff. In fact, SSPR can also reduce help desk calls by 50%, potentially saving your business $5.2 million per year.

Even if an employee manages to resolve the risk themselves, information related to this potential security issue will still be recorded in Microsoft 365. Your Microsoft 365 administrator can then investigate the event, and take further action if required. 
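One way an administrator can investigate those recorded events from the command line, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns module) and an account that can consent to the two read-only risk scopes named below; the time window of seven days is an arbitrary choice.

```powershell
# Added example, not from the original article. Assumes the Microsoft Graph
# PowerShell SDK and an admin who can consent to these read-only scopes.
Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All"

# 1. Users whose risk is still open, i.e. neither self-remediated (password reset)
#    nor dismissed by an admin. RiskDetail tells you how a risk was cleared, if it was.
$riskyUsers = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All
$riskyUsers |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskDetail, RiskLastUpdatedDateTime |
    Sort-Object RiskLastUpdatedDateTime -Descending |
    Format-Table -AutoSize

# 2. The individual detections behind each open risk, so you can see *why*
#    Identity Protection flagged the account and where the activity came from.
#    The risky-user object id is the user's object id, so it can be used as userId.
$since = (Get-Date).AddDays(-7)   # constructed window: last seven days
foreach ($u in $riskyUsers) {
    Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Where-Object { $_.DetectedDateTime -ge $since } |
        Select-Object UserPrincipalName, RiskEventType, RiskLevel, RiskState, DetectedDateTime, IPAddress,
                      @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
        Format-Table -AutoSize
}
```

A user who appears here with RiskState "atRisk" but no recent detections has an older, unresolved risk that the user risk policy will keep enforcing until a password change or an admin decision clears it.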

How to enable Azure’s user risk policy

You can activate the user risk policy in Azure Active Directory:

● Sign into the Microsoft Azure portal.

● Select “Azure Active Directory.” 

● In the left-hand menu, select “Security > Identity Protection > User risk policy.”

● Select “Users.” In the subsequent popup, you can either specify who this policy should apply to (“Include”) or who should be excluded from the policy (“Exclude”).

● Next, select “User risk.” You can now select the user risk level(s) where this policy will be enforced. This requires balancing risk against the negative impact these policies can have on productivity. For user risk protection, Microsoft recommends that you set the risk level to “High.”

● Make your selection, and then click “Done.” 

● Towards the left side of the screen, select “Access.” 

● In the subsequent panel, select the controls that you want to enforce. Microsoft recommends that you use “Allow access: Require password change.” This gives users the option to reset their password, which can help legitimate users regain access to their account. 

● Once you’ve made your selection, click “Done.”

● Find the “Enforce policy” slider, and drag it into the “On” position. 

● Click “Save.” 

The user risk policy is now enabled, and will help protect your employees’ accounts from unauthorized access. 

User risk-based Conditional Access

Alternatively, you can enforce Identity Protection via Conditional Access. 

Conditional Access policies are essentially “if-then” statements, for example “if the user wants to access their Office 365 account, then they’ll need to complete X action.” By adding user risk as a condition of your Conditional Access policy, you get more control over how this Identity Protection policy is enforced. 

In this section, we’ll show you how to add user risk to a simple conditional access policy. You can then customize and expand this conditional access policy, to include your own rules and restrictions.

● Sign into the Microsoft Azure portal.

● In the left-hand menu, select “Security > Conditional Access.” 

● Select “New policy.” 

● Give your policy a descriptive name. 

● Select “Users and groups.” 

● Specify who this policy should apply to, using the “Include / Exclude” tabs.

● Towards the left-hand side of the screen, select “Cloud apps or actions.”

● Select “Include > All cloud apps.” 

● Towards the left-hand side of the screen, select “Conditions.” 

● Select “User risk.” 

● In the subsequent panel, drag the “Configure” slider into the “Yes” position.

● You can now choose the user risk level required for this policy to be enforced. Unless you have a specific reason not to, it’s recommended that you opt for “High.” Click “Done.” 

● Implement any other rules and regulations that you want to include in this policy.

● When you’re ready to activate this policy, find the following slider: “Enable policy.” Drag it into the “On” position. 

● Click “Create.”

This Conditional Access policy is now live, and will add a valuable extra layer of security to your user accounts.

Sign-in risk policy: Is the user really who they say they are?

Every time a user signs into their account, Identity Protection can analyze the event in real time. It then calculates a risk score based on the probability that the sign-in wasn’t performed by the identity’s owner. 

The sign-in risk policy will then take action based on the risk score: allow access, block access, or allow access but require the user to complete Multi-Factor Authentication (MFA). 

With MFA, legitimate users can verify their identity without having to involve a third party, such as your Microsoft 365 administrator. This can help you avoid locking legitimate users out of their account, with no way to complete their work until the issue is resolved by your admin. 

MFA is a powerful security mechanism that can protect your business against 99.9% of security breaches. Even if you don’t plan to use MFA in your Identity Protection policies, we’d still recommend enabling MFA across your organization. Alternatively, you can enable the combined registration experience, which allows users to register for both MFA and SSPR simultaneously. 

In the following section, we’ll show you how to enable the sign-in risk policy. As part of this policy, we’ll also give employees the ability to authenticate their identity using MFA. 

● Sign into the Microsoft Azure portal.

● Select “Azure Active Directory.” 

● In the left-hand menu, select “Security > Identity Protection > Sign-in risk policy.”

● Select “Users.” You can now use the “Include” and “Exclude” tabs to specify who this policy should apply to. To ensure you don’t lose access to your Microsoft 365 tenant, we’d recommend excluding your break glass accounts from the sign-in risk policy. 

● Next, select “Sign-in risk.” You can then choose the risk level where this policy will be enforced. Microsoft recommends that you opt for “High.” Select “Done.” 

● Select “Access.” You can now choose the controls that should be enforced. To give your employees the option to prove their identity, select “Allow access: Require multi-factor authentication.” 

● Click “Done.” 

● Find the “Enforce policy” slider, and drag it into the “On” position. 

● Click “Save.” 

This policy is now live, and will help protect your business against unauthorized sign-ins.

How to create a sign-in Conditional Access policy 

Another option is to create a Conditional Access policy and include sign-in risk as an assignment condition. The sign-in risk will then be evaluated as part of your Conditional Access policy. 

Let’s create a barebones conditional access policy, and add sign-in risk as a condition. Once again, you can customize this conditional access policy with your own rules, as required. 

● Sign into the Microsoft Azure portal. 

● In the left-hand menu, select “Security > Conditional Access.” 

● Select “New policy.” 

● Give your policy a descriptive name. 

● Select “Users and groups.” 

● Specify who this policy should apply to, using the “Include / Exclude” tabs. 

● Towards the left-hand side of the screen, select “Cloud apps or actions.” 

● Select “Include > All cloud apps.” 

● Towards the left-hand side of the screen, select “Conditions.” 

● Select “Sign-in risk.” 

● Drag the “Configure” slider into the “Yes” position.

● You can now choose the risk level that should be associated with this policy. Microsoft recommends that you select “High.” 

● Towards the left-hand side of the screen, select “Access Controls: Grant.” 

● In the subsequent panel, select “Grant access.” 

● Regardless of how you’re using sign-in risk, it’s recommended that you enable MFA. Unless you have a specific reason not to, select “Require multi-factor authentication.” 

● Save your changes, by clicking “Select.” 

● Implement any other rules and regulations that you want to include in this policy. 

● When you’re ready to activate your policy, find the following slider: “Enable policy.” Drag it into the “On” position. 

● Click “Create.” 

This Conditional Access policy is now live. 
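The two risk-based Conditional Access policies built through the portal above (user risk with password change, and sign-in risk with MFA) can also be created as code. The following is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK, Conditional Access administrator rights, and that you replace the placeholder object id with your own break glass account(s). Both policies start in report-only mode so you can review their impact before flipping the state to "enabled".

```powershell
# Added example, not from the original article. Assumes the Microsoft Graph
# PowerShell SDK and rights to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id(s) of your emergency-access (break glass) accounts.
$breakGlassIds = @("<break-glass-account-object-id>")

# Policy 1: high user risk -> allow access only after MFA plus a password change.
# "passwordChange" is only valid together with "mfa" and the AND operator.
$userRiskPolicy = @{
    displayName   = "Identity Protection - High user risk: require password change"
    state         = "enabledForReportingButNotEnforced"   # report-only; set "enabled" to enforce
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

# Policy 2: high sign-in risk -> allow access only after MFA.
$signInRiskPolicy = @{
    displayName   = "Identity Protection - High sign-in risk: require MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($p in @($userRiskPolicy, $signInRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  id={1}  state={2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Once you are satisfied with the report-only results, the same policy can be moved to enforcement with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled`.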

How else can I protect my business?

As a modern, security-conscious platform, Microsoft 365 has a wide range of advanced security features that you can deploy across your organization. If you’re concerned about a malicious third party gaining access to your confidential corporate data, then check out some of our other tutorials: 

● How to enable FIDO2 passwordless authentication. Even the most complicated password is useless against certain common password-based attacks – so is it time to say goodbye to passwords? 

● How to enable Role Based Access Control. According to security specialists Centrify, 66% of companies have been breached five times or more, and 74% of these breaches involved access to a privileged account. Find out how to protect your business with an RBAC model.

● Boost your security by 99.9%. Password reuse was implicated in 80% of 2019’s hacking-related breaches. We share four tips for preventing password reuse.
