
You're reading from  Microsoft 365 Security, Compliance, and Identity Administration

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781804611920
Edition: 1st Edition
Author: Peter Rising

Peter Rising has over 25 years' experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical and leadership roles, with a focus on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform, focusing most recently on security and compliance in his role as a Consulting Services Manager for Insight. Peter is heavily involved in the wider Microsoft community and has been recognized by Microsoft as an MVP. He holds several Microsoft certifications, including MCSE: Productivity; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Cybersecurity Architect Expert.

Azure AD Identity Protection

When planning an Azure AD implementation, identity is the control plane for everything else, so protecting those identities deserves the same priority as provisioning them. Azure AD Identity Protection enables administrators to protect their users' identities by detecting and recording identity-based risks so that they can be analyzed and investigated, and corrective measures can be taken.

In this chapter, you will examine the principles of Azure AD Identity Protection, how it can be used to review risky events and flagged user accounts, and how to create risk-based conditional access policies to improve security. You will learn how to use this feature within the Azure portal, identify Identity Protection roles, and conduct investigations to detect risk events and vulnerabilities within your Microsoft 365 environment.

The following topics will be covered in this chapter:

  • Understanding Identity Protection
  • Protecting users with risk and registration policies
  • ...

Understanding Identity Protection

Azure AD Identity Protection is a feature that works on the principle of risk detection and remediation. It allows administrators to view risk events and detections in the Azure portal and then control what happens when a risk is detected. They can also configure email notifications for risk activity and receive a weekly digest report. Protected users require an Azure AD Premium P2 license. Identity Protection detects and reports risk using detection types that include the following:

  • Atypical travel (two sign-ins from geographically distant locations in a time window that makes travel between them implausible)
  • Anonymous IP address (for example, Tor exit nodes or anonymizer VPNs)
  • Unfamiliar sign-in properties (device, location, IP, or autonomous system the user has not signed in from before)
  • Malware linked IP address
  • Leaked credentials (the user's credentials were found in a public breach dump or dark web paste)
  • Azure AD threat intelligence
  • Password spray

Some of these detections (such as anonymous IP address and unfamiliar sign-in properties) are evaluated in real time during the sign-in, while others (such as atypical travel, leaked credentials, and password spray) are computed offline and surface after the fact. The distinction matters when you plan remediation: an offline detection cannot block the sign-in that produced it, so it relies on the user risk level to drive a response at the next authentication.

Each detection feeds two scores: the sign-in risk of the individual authentication and the aggregate user risk of the account. A detection on its own only raises those scores; a remediation action is triggered when a risk policy (or a risk-based Conditional Access policy) matches the resulting level, such as requiring the affected users to register for or respond to MFA, or to perform a password reset. If a risk is deemed significant enough, the affected user can even be blocked entirely until further...

Protecting users with risk and registration policies

With Identity Protection, you can protect users with risk policies. These can be separated into the following categories:

  • User risk policies
  • Sign-in risk policies

It is also possible to protect your users with an MFA registration policy.

Let’s examine each of these policies and take a look at how you can start to configure them.

Configuring user risk and sign-in risk policies

User risk policies and sign-in risk policies are similar in what they do, but they evaluate different things. User risk is the probability that the identity itself has been compromised, accumulated across detections such as leaked credentials; sign-in risk is the probability that a specific authentication request was not made by the account owner. Both policy types can allow or block access to Azure AD based on the matched risk level. With a user risk policy, you can block or allow access and require a password change (which also closes the risk), whereas with a sign-in risk policy, you can block or allow access and require MFA (a successful MFA response self-remediates the risky sign-in).

The difference shows up in the controls each policy can enforce, as the following screenshot illustrates: the user risk policy offers Require password change alongside Block access, while the sign-in risk policy offers Require multifactor authentication alongside Block access:

Figure 5.1: User risk policy and sign-in risk policy
...
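The same user risk and sign-in risk controls can also be enforced through risk-based Conditional Access policies, which is how Microsoft recommends configuring them today (the Conditions section of a Conditional Access policy exposes both risk levels). The following Microsoft Graph PowerShell script is an added example, not code from the book; it assumes the Microsoft.Graph module is installed, that the signed-in administrator is permitted to write Conditional Access policies, and that the policy display names and the break-glass group ID are placeholders you replace with your own values. Both policies are created in report-only mode so that the sign-in logs can be checked before anyone is blocked or forced to change a password.

```powershell
# Added example (not from the book): create risk-based Conditional Access policies
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed and
# the signed-in admin holds Conditional Access Administrator (or Global Administrator).
# Display names and the break-glass group ID below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) group that must never be
# locked out by a risk policy. Replace with the ID of your own group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Sign-in risk policy: medium or high sign-in risk => require MFA.
$signInRiskPolicy = @{
    displayName   = "IP - Sign-in risk medium or high - Require MFA"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions    = @{
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# User risk policy: high user risk => require MFA AND a password change.
# Graph rejects "passwordChange" unless it is combined with "mfa" using the AND
# operator, the policy targets all cloud apps, and a user risk condition is present.
$userRiskPolicy = @{
    displayName   = "IP - User risk high - Require password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  id={1}  state={2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only mode for at least a few days and review the Report-only tab in the sign-in logs for the impact on legitimate users before switching the state to enabled. The break-glass exclusion is not optional: a leaked-credentials detection against an administrator account with no other sign-in path would otherwise lock the tenant's last administrator out.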

Configuring alert options

Azure AD Identity Protection is only effective if the available alert options are correctly configured, the alerts are being diligently reviewed by administrators, and the appropriate steps are being taken where needed. Identity Protection has two notification settings that can be configured to alert administrators of risk detection within Microsoft 365: Users at risk detected alerts and Weekly digest. The following sub-sections cover these in detail.

Users at risk detected alerts

This alert can be found under the Notify section of Azure AD Identity Protection and can be used to configure an email alert that will be sent to administrators when a user at risk is detected. The benefit of this alert is that administrators receive email notifications as soon as the risk event is detected. Follow these steps to set up these alerts:

  1. Click on Users at risk detected alerts to configure the relevant options:

Figure 5.15: Notification options

Figure...

Managing and resolving risk events

The Report section of Azure AD Identity Protection gives administrators the ability to review and resolve risky users, risky sign-ins, and risk detections, as shown in the following screenshot:

Figure 5.23: Reports

You can carry out investigations based on what is recorded through the options and take steps to resolve any risks as well as to unblock any users who may have been blocked, provided it is safe to do so.

The following sub-sections cover each of the options within the Report section in detail.

Examining users at risk

A risky user is an account whose accumulated risk detections have given it a user risk level of low, medium, or high and whose risk state has not yet been remediated or dismissed. When a risk is detected, alerts are sent to administrators, as discussed earlier in this chapter. However, alerts only tell you that something happened; it is important to proactively review the list of users at risk in Azure AD Identity Protection in the Azure portal, examine the detections behind each one, and take corrective action.

Under Risky Users, you will see a list of the users within your tenant...
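Reviewing Risky users and Risk detections one at a time in the portal scales poorly once a tenant has more than a handful of flagged accounts. The following Microsoft Graph PowerShell script is an added example rather than the book's own code: it lists every user still in the atRisk state at medium or high, prints the detections behind each one (type, level, source IP, location), and wraps the two remediation calls that the portal's Confirm user compromised and Dismiss user risk buttons map to in a small function so that the verdict is explicit. It assumes the Microsoft.Graph module is installed, that the signed-in administrator holds the Security Administrator role (Security Reader can list risk but not remediate it), and that the user IDs in the commented-out calls are placeholders.

```powershell
# Added example (not from the book): triage Identity Protection risky users and their
# risk detections with Microsoft Graph PowerShell, then record the investigation outcome.
# Assumes the Microsoft.Graph module is installed and the signed-in admin is a
# Security Administrator. User IDs in the example calls at the end are placeholders.

Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All"

# 1. Pull every user still flagged at risk, then keep medium and high only.
#    (Filtering on riskState server-side and riskLevel client-side keeps the $filter simple.)
$riskyUsers = Get-MgRiskyUser -All -Filter "riskState eq 'atRisk'" |
    Where-Object { $_.RiskLevel -in @("medium", "high") } |
    Sort-Object RiskLevel, RiskLastUpdatedDateTime -Descending

foreach ($u in $riskyUsers) {
    "{0}  level={1}  state={2}  detail={3}  updated={4}" -f `
        $u.UserPrincipalName, $u.RiskLevel, $u.RiskState, $u.RiskDetail, $u.RiskLastUpdatedDateTime

    # 2. Show the detections behind the score so the analyst can judge whether the
    #    activity is explained (travelling user, new corporate VPN egress) or hostile.
    Get-MgRiskDetection -All -Filter "userId eq '$($u.Id)'" |
        Sort-Object DetectedDateTime -Descending |
        Select-Object -First 10 |
        ForEach-Object {
            "    {0}  {1}  {2}  {3}  {4}/{5}" -f `
                $_.DetectedDateTime, $_.RiskEventType, $_.RiskLevel, $_.IPAddress,
                $_.Location.City, $_.Location.CountryOrRegion
        }
}

# 3. Record the outcome of the investigation. Both calls change the user's risk state:
#    - Compromised: user risk is set to high, so a user risk policy fires at the next sign-in
#    - Dismiss:     the risk is closed with no policy action; use only when the activity is explained
function Resolve-RiskyUser {
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [ValidateSet("Compromised", "Dismiss")] [string] $Verdict
    )
    switch ($Verdict) {
        "Compromised" { Confirm-MgRiskyUserCompromised -UserIds @($UserId) }
        "Dismiss"     { Invoke-MgDismissRiskyUser -UserIds @($UserId) }
    }
}

# Example verdicts with placeholder IDs. Run only after reading the detections above.
# Resolve-RiskyUser -UserId "00000000-0000-0000-0000-000000000001" -Verdict Compromised
# Resolve-RiskyUser -UserId "00000000-0000-0000-0000-000000000002" -Verdict Dismiss
```

Dismissing a risk also feeds back into the detection model, so dismiss only when the investigation has a concrete explanation for every detection listed. A user who completes the remediation required by a risk policy (MFA for a risky sign-in, a password change for user risk) moves to the remediated state on their own and does not need either call.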

Summary

In this chapter, we examined Azure AD Identity Protection, which can be accessed from the Azure portal. We dived into how Identity Protection detects and records risky users, risky sign-ins, and risk events, and provides us with the ability to review, investigate, and remediate these events with powerful preventative measures such as blocking user access, forcing password changes, or requiring MFA.

We also looked at how reports and alerts are generated and interpreted. Understanding these principles will enable you to effectively and diligently manage Azure AD Identity Protection in your Microsoft 365 environment and take the necessary steps to ensure that compromised users are identified and remediated in a timely fashion.

In the next chapter, we will examine the principles of Microsoft Defender for Identity (MDI), formerly known as Azure Advanced Threat Protection. The chapter will also teach you how to plan for and configure MDI, as well as how to monitor and interpret...

Questions

  1. Which of the following allows you to monitor and remediate based on service principal IDs or app IDs?
    1. Risky users
    2. Risky workload identities (preview)
    3. Risky sign-ins
    4. Risk detections
  2. True or false? With Identity Protection, you can configure an MFA registration policy.
    1. True
    2. False
  3. Which section of a Conditional Access policy allows you to configure user risk level or sign-in risk level?
    1. User or workload identities
    2. Cloud apps or actions
    3. Conditions
    4. Grant
    5. Session
  4. Which of these licenses is required for users who need to be protected with Azure AD Identity Protection?
    1. Azure Information Protection P1
    2. Azure AD Premium P2
    3. Azure AD Premium P1
    4. Azure Information Protection P2
  5. Which two formats can the users at risk detected alerts and the weekly digest emails be downloaded in?
    1. CSV
    2. TXT
    3. JSON
    4. PDF
  6. Which of the following roles is not added to the users at risk detected alerts or the weekly digest emails?
    1. Global Administrator
    2. User Admin
    3. Security Reader
    4. Security Admin
  7. When viewing a risky...

Further reading

Please refer to the following links for more information regarding what was covered in this chapter:

  • Principles of Azure AD Identity Protection and understanding how to plan for its implementation: https://learn.microsoft.com/en-gb/azure/active-directory/identity-protection/overview-identity-protection
  • How to configure risk policies: https://learn.microsoft.com/en-gb/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies?wt.mc_id=4039827
  • How to remediate risk events and unblock users: https://learn.microsoft.com/en-gb/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock?wt.mc_id=4039827
  • How to simulate risk events: https://learn.microsoft.com/en-gb/azure/active-directory/identity-protection/howto-identity-protection-simulate-risk?wt.mc_id=4039827
  • How to configure notifications for Azure AD Identity Protection: https://learn.microsoft.com/en-gb/azure/active-directory/identity...