Azure Active Directory Identity Protection integration

Microsoft Cloud App Security integrates with Azure Active Directory Identity Protection (Identity Protection) to provide user entity behavioral analytics (UEBA) across a hybrid environment. For more information about the machine learning and behavioral analytics provided by Identity Protection, see What is Identity Protection?.

Prerequisites

  • A Cloud App Security Admin account to enable integration between Identity Protection and Cloud App Security.

Enable Identity Protection

Note

The Identity Protection feature is enabled by default. However, if the feature was disabled, you can use these steps to enable it.

To enable Cloud App Security integration with Identity Protection:

  1. In Cloud App Security, under the settings cog, select Settings.

  2. Under Threat Protection, select Azure AD Identity Protection.

  3. Select Enable Azure AD Identity Protection alert integration and then click Save.

After enabling Identity Protection integration, you'll be able to see alerts for all the users in your organization.

Disable Identity Protection

To disable Cloud App Security integration with Identity Protection:

  1. In Cloud App Security, under the settings cog, select Settings.

  2. Under Threat Protection, select Azure AD Identity Protection.

  3. Clear Enable Azure AD Identity Protection alert integration and then click Save.

Note

  • When the integration is disabled, existing Identity Protection alerts are kept in accordance with Cloud App Security retention policies.
  • Since Cloud App Security only consumes interactive logins from Azure AD, some alerts may not show related activities. You can investigate such activities in the Azure AD portal.

Configure Identity Protection Policies

The Identity Protection policies can be fine-tuned to your organization's needs using the severity slider. The slider controls which alerts are ingested: only alerts at or above the selected severity for a policy are brought into Cloud App Security. In this way, you can adapt the detection to your coverage needs and your signal-to-noise ratio (SNR) targets.

The following policies are available:

Policy               Description                                                        Default state   Default severity
-------------------  -----------------------------------------------------------------  --------------  ----------------------------------------
Leaked Credentials   Shows leaked-credentials alerts: the user's valid credentials      Enabled         Low - Receive all alerts
                     have been leaked
Risky sign-in        Aggregates multiple risky sign-in detections: sign-ins that        Enabled         High - Receive only high severity alerts
                     weren't performed by the user
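The following is an added illustration, not code from Microsoft or the Cloud App Security product, of how the per-policy severity threshold in the table above decides which Identity Protection alerts are ingested, and of the note that alerts backed by non-interactive logins will show no related activity. The alert records, their field names and the user principal names are constructed for the example; the real alert schema is not described on this page.

```python
# Added illustration (not Microsoft's code): per-policy severity thresholds
# deciding which Identity Protection alerts are ingested. Alert records and
# field names are constructed for this example.

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Default thresholds from the policy table: "Low" means receive all alerts,
# "High" means receive only high-severity alerts.
DEFAULT_THRESHOLDS = {
    "Leaked Credentials": "Low",
    "Risky sign-in": "High",
}

# Constructed sample alerts; the field names are an assumption for this example.
SAMPLE_ALERTS = [
    {"id": "a1", "policy": "Leaked Credentials", "severity": "Low",
     "user": "alice@contoso.example", "interactive_sign_in": True},
    {"id": "a2", "policy": "Risky sign-in", "severity": "Medium",
     "user": "bob@contoso.example", "interactive_sign_in": True},
    {"id": "a3", "policy": "Risky sign-in", "severity": "High",
     "user": "carol@contoso.example", "interactive_sign_in": False},
    {"id": "a4", "policy": "Risky sign-in", "severity": "High",
     "user": "dave@contoso.example", "interactive_sign_in": True},
]


def is_ingested(alert, thresholds=DEFAULT_THRESHOLDS):
    """Return True if the alert's severity meets the threshold for its policy.

    A policy absent from the thresholds map is treated as disabled, so none
    of its alerts are ingested.
    """
    threshold = thresholds.get(alert["policy"])
    if threshold is None:
        return False
    return SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[threshold]


def ingested_alert_ids(alerts, thresholds=DEFAULT_THRESHOLDS):
    """IDs of the alerts that pass the per-policy severity threshold."""
    return [a["id"] for a in alerts if is_ingested(a, thresholds)]


def alerts_without_related_activity(alerts, thresholds=DEFAULT_THRESHOLDS):
    """Ingested alerts whose sign-in was non-interactive.

    Cloud App Security only consumes interactive Azure AD logins, so these
    alerts will show no related activity and need investigation in the
    Azure AD portal.
    """
    return [a["id"] for a in alerts
            if is_ingested(a, thresholds) and not a["interactive_sign_in"]]


if __name__ == "__main__":
    print("Ingested with defaults:", ingested_alert_ids(SAMPLE_ALERTS))
    lowered = {**DEFAULT_THRESHOLDS, "Risky sign-in": "Medium"}
    print("Ingested with Risky sign-in at Medium:",
          ingested_alert_ids(SAMPLE_ALERTS, lowered))
    print("No related activity expected:",
          alerts_without_related_activity(SAMPLE_ALERTS))
```

Lowering the Risky sign-in threshold from High to Medium admits the Medium-severity alert (a2) as well; removing a policy from the map models disabling it, which drops all of its alerts.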

Note

Cloud App Security does not send email notifications for Identity Protection alerts. However, you can configure email notifications for them in the Identity Protection portal.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.