Describe Azure Identity Protection


Identity Protection is a tool that allows organizations to accomplish three key tasks:

  • Automate the detection and remediation of identity-based risks.
  • Investigate risks using data in the portal.
  • Export risk detection data to third-party utilities for further analysis.

Microsoft analyzes 6.5 trillion signals per day to identify potential threats. These signals come from what Microsoft has learned from its position in organizations with Azure AD, in the consumer space with Microsoft Accounts, and in gaming with Xbox.

The signals generated by these services are fed to Identity Protection. These signals can then be used by tools such as Conditional Access, which uses them to make access decisions. Signals are also fed to security information and event management (SIEM) tools, such as Sentinel, for further investigation.

Identity Protection categorizes risk into three tiers: low, medium, and high. It calculates two kinds of risk: sign-in risk and user risk.

Sign-in risk is the probability that a given sign-in wasn't performed by the account's legitimate owner. It is calculated from signals such as:

  • Atypical travel. Sign-in from an atypical location based on the user's recent activity.
  • Anonymous IP address. Sign-in from an anonymous IP address (for example, Tor browser or anonymized VPNs).

User risk is the probability that a given user's identity has been compromised. It is calculated from signals such as:

  • Unfamiliar sign-in properties. Sign-in with properties you've not seen recently for a given user.
  • Malware-linked IP address. Sign-in from an IP address linked to malware.
  • Leaked credentials. Indicates that the user's valid credentials have been leaked.
  • Password spray. Indicates that multiple usernames are being attacked using common passwords in a unified, brute-force manner.
  • Azure AD threat intelligence. Microsoft's internal and external threat intelligence sources have identified a known attack pattern.

These risk signals can trigger actions such as requiring users to provide multifactor authentication, reset their password, or block access until an administrator takes action.
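The rollup from detections to per-user tier to action can be seen in a small triage routine. This is an added example, not code from the page or from Microsoft: it takes records shaped like the Microsoft Graph `riskDetection` resource (fields `riskEventType`, `riskLevel`, `riskState`, `userPrincipalName`, `activityDateTime`), keeps only detections that are still open, picks the highest tier per user, and maps the three tiers to the actions the text lists. The sample records are constructed, and the tier-to-action mapping is an illustrative policy rather than Microsoft's default risk-policy settings.

```python
"""Triage of Identity Protection risk detections (added example, not Microsoft code).

Input records are shaped like Microsoft Graph ``riskDetection`` objects; the
records below are constructed, and the tier-to-action policy is illustrative.
"""
from collections import defaultdict

# Ordering used to pick the highest tier seen for a user.
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Illustrative policy (an assumption, not Microsoft's defaults): the actions
# the text lists, keyed by the highest open risk tier for the user.
ACTION_BY_LEVEL = {
    "none": "no action",
    "low": "monitor",
    "medium": "require multifactor authentication",
    "high": "require password reset and block until an admin reviews",
}

# Detections in these states still count toward a user's open risk; remediated,
# dismissed and confirmedSafe detections do not.
OPEN_STATES = {"atRisk", "confirmedCompromised"}

# Constructed sample records, shaped like Graph riskDetection objects.
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium", "riskState": "atRisk", "activityDateTime": "2024-01-10T08:15:00Z"},
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "low", "riskState": "atRisk", "activityDateTime": "2024-01-10T08:20:00Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk", "activityDateTime": "2024-01-09T22:00:00Z"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "passwordSpray",
     "riskLevel": "high", "riskState": "remediated", "activityDateTime": "2024-01-08T03:30:00Z"},
]


def highest_open_level(detections):
    """Return {upn: highest riskLevel among that user's still-open detections}.

    Users whose detections are all closed are omitted from the result.
    """
    levels = defaultdict(lambda: "none")
    for d in detections:
        if d["riskState"] not in OPEN_STATES:
            continue
        level = d["riskLevel"]
        if level not in LEVEL_RANK:
            # Graph can also return "hidden" (tier not exposed to the tenant) or
            # "unknownFutureValue"; refuse to guess a tier for those.
            raise ValueError(f"riskLevel {level!r} has no tier in this policy")
        upn = d["userPrincipalName"]
        if LEVEL_RANK[level] > LEVEL_RANK[levels[upn]]:
            levels[upn] = level
    return dict(levels)


def triage(detections):
    """Map every user seen in the input to the tier and action the policy prescribes."""
    levels = highest_open_level(detections)
    result = {}
    for d in detections:
        upn = d["userPrincipalName"]
        level = levels.get(upn, "none")
        result[upn] = {"level": level, "action": ACTION_BY_LEVEL[level]}
    return result


if __name__ == "__main__":
    for upn, info in sorted(triage(SAMPLE_DETECTIONS).items()):
        print(f"{upn:24} {info['level']:7} -> {info['action']}")
```

Carol's only detection is already remediated, so she drops to "none"; Alice's highest open detection is medium, so the policy asks for MFA rather than a reset. The same rollup applied to a live export of `riskDetections` is the first step an analyst takes before opening the risky users report.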

Identity Protection provides organizations with three reports that they can use to investigate identity risks in their environment: risky users, risky sign-ins, and risk detections. Investigating these events is key to understanding and identifying weak points in your security strategy.

After completing an investigation, admins will want to take action to remediate the risk or unblock users. Organizations can also enable automated remediation using their risk policies. Microsoft recommends closing events quickly because time matters when working with risk.

Identity Protection is a feature of Azure AD Premium P2.