What is Azure Active Directory Identity Protection?

Azure Active Directory Identity Protection enables organizations to configure automated responses to detected suspicious actions related to user identities.

Get started

Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory Identity Protection, in your environment, you can use the same protection systems Microsoft uses to secure identities.

The vast majority of security breaches take place when attackers gain access to an environment by stealing a user’s identity. Over the years, attackers have become increasingly effective in leveraging third-party breaches and using sophisticated phishing attacks. As soon as an attacker gains access to even low privileged user accounts, it is relatively easy for them to gain access to important company resources through lateral movement.

As a consequence of this, you need to:

  • Protect all identities regardless of their privilege level
  • Proactively prevent compromised identities from being abused

Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities. Using this data, Identity Protection generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation or remediation actions.

Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other Conditional Access controls provided by Azure Active Directory and Enterprise Mobility + Security (EMS), can either automatically block or initiate adaptive remediation actions including password resets and multi-factor authentication enforcement.

Identity Protection capabilities

Detecting vulnerabilities and risky accounts:

  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
  • Calculating sign-in risk levels
  • Calculating user risk levels

Investigating risk detections:

  • Sending notifications for risk detections
  • Investigating risk detections using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based Conditional Access policies:

  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication

Identity Protection roles

To load balance the management activities around your Identity Protection implementation, you can assign several roles. Azure AD Identity Protection supports 3 directory roles:

Role Can do Cannot do
Global administrator Full access to Identity Protection, Onboard Identity Protection
Security administrator Full access to Identity Protection Onboard Identity Protection, reset passwords for a user
Security reader Read-only access to Identity Protection Onboard Identity Protection, remediate users, configure policies, reset passwords

For more details, see Assigning administrator roles in Azure Active Directory

Detection

Vulnerabilities

Azure Active Directory Identity Protection analyses your configuration and detects vulnerabilities that can have an impact on your user's identities. For more details, see Vulnerabilities detected by Azure Active Directory Identity Protection.

Risk detections

Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your user's identities. The system creates a record for each detected suspicious action. These records are also known as risk detections.
For more details, see Azure Active Directory risk detections.

Investigation

Your journey through Identity Protection typically starts with the Identity Protection dashboard.

Remediation

The dashboard gives you access to:

  • Reports such as Users flagged for risk, Risk detections and Vulnerabilities
  • Settings such as the configuration of your Security Policies, Notifications and multi-factor authentication registration

It is typically your starting point for investigation, which is the process of reviewing the activities, logs, and other relevant information related to a risk detection to decide whether remediation or mitigation steps are necessary, and how the identity was compromised, and understand how the compromised identity was used.

You can tie your investigation activities to the notifications Azure Active Directory Protection sends per email.

Policies

To implement automated responses, Azure Active Directory Identity Protection provides you with three policies:

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps