
EnterpriseArchitect asked:

Configuring Azure AD to notify for leaked credentials?

Hi All,

According to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
I need to enable PHS to be able to leverage the leaked credentials notification.

How can I get the notification by email to a specific address like SOC@domain.net?

I am using Hybrid Azure AD with on-premises AD DS sync (Azure AD Connect) and the PHS feature enabled.
I also have ADFS 4.0 on-premises (Windows Server 2016).

Thanks in advance.

Tags: azure-active-directory, azure-ad-connect, azure-ad-authentication-protocols, azure-ad-hybrid-identity, azure-ad-password-protection


AndyDavid answered:

Do you have the correct licensing?
The way to handle this is with Identity Protection and Conditional Access policies that force a password change or block in the event an account has leaked creds:

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection


EnterpriseArchitect commented:

Hi Andy,
Yes, I have an Azure AD Premium P2 subscription.

ClementBETACORNE answered:

Hello,

You can configure the "users at risk detected alerts" inside Identity Protection, as shown below and in this article:
(screenshot: 137844-image.png)

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications

The other option can be to use log ingestion from Azure AD into a Log Analytics workspace and write some KQL to create an alert when the leaked credentials risk is raised.

The problem there is that the alerts only notify you that a user is at risk, not which user. You still have to go to the user risk menu and filter/sort on the risk level. :)


Yep, that's why you have the second option: ingest the log into a Log Analytics workspace and write some KQL to create an alert when a leaked credential is raised, because you have all the information regarding the user directly in the log.


@ClmentBETACORNE-2996 Do I need to have Azure Sentinel on, or is this free ingestion?

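The Log Analytics route described in this answer, written out as an added example; it is not code from the thread or from Microsoft's documentation. It assumes the tenant's Azure AD diagnostic setting streams the UserRiskEvents category to the workspace, which populates the AADUserRiskEvents table (column names are the ones documented for that table; confirm them against the workspace schema before saving the rule), and it uses the question's placeholder address SOC@domain.net. Unlike the built-in "users at risk detected" email, the query returns one row per affected user:

```kusto
// Leaked-credential detections in the last hour, one row per affected user.
// Intended as the query of an Azure Monitor scheduled log alert rule.
// Assumption: the Azure AD diagnostic setting sends the "UserRiskEvents"
// category to this workspace, so AADUserRiskEvents is populated.
let lookback = 1h;                      // keep equal to the alert rule's frequency
AADUserRiskEvents
| where TimeGenerated > ago(lookback)
| where RiskEventType == "leakedCredentials"
// Only detections that still need action: remediated, dismissed and
// confirmedSafe detections are excluded so the SOC is not paged twice.
| where RiskState in ("atRisk", "confirmedCompromised")
| summarize
    Detections    = count(),
    FirstDetected = min(DetectedDateTime),
    LastDetected  = max(DetectedDateTime),
    RiskLevel     = take_any(RiskLevel),
    RiskState     = take_any(RiskState)
    by UserPrincipalName, UserId
| order by LastDetected desc
| project LastDetected, UserPrincipalName, UserId, RiskLevel, RiskState, Detections, FirstDetected
```

Save it as a log alert rule with frequency and lookback both set to one hour, measure "Table rows", threshold greater than 0, and split by the UserPrincipalName dimension so each user raises a separate alert; attach an action group whose email action targets SOC@domain.net (the same action group can also invoke a Logic App to open a ticket per user). Streaming Azure AD logs to a Log Analytics workspace through diagnostic settings does not require Azure Sentinel; the workspace bills for ingestion and retention.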
EnterpriseArchitect answered (later edited):

@AndyDavid & @ClmentBETACORNE-2996 I've got the setup like below:

How do I set it up to notify the user with the leaked credentials and CC Security@domain.com?

Does enabling the two options below:
Enforce policy: On
(screenshots: 138030-image.png, 138154-image.png)

and then:

(screenshot: 138123-image.png)

suffice to allow the impacted user to reset their own password via SSPR, assuming Password Writeback is also enabled?


AndyDavid answered:

Right, you don't notify the user; you force them to change their password using Conditional Access.

The notification typically goes to an admin or group that may find it useful :)

See the picture and the location that ClmentBETACORNE-2996 posted earlier.
