Azure Active Directory (Azure AD) Identity Protection is a feature that helps you manage potential vulnerabilities in your organization’s identities and provides a consolidated view of suspicious activities that need to be investigated. Setting up Identity Protection involves several steps focused on configuring policy settings, reviewing risk detections, and investigating risks. Below is a detailed guide for setting up Identity Protection with Azure Active Directory.

Prerequisites

• An Azure subscription.
• Azure AD Premium P2 (or a trial version) is required to access Azure AD Identity Protection capabilities.
• Necessary permissions: Global Administrator or Security Administrator roles.

1. Enable Azure AD Identity Protection

• Sign in to Azure Portal
  • Navigate to the Azure portal.
  • Sign in with an account that is assigned to the required administrator role.
• Locate Azure AD Identity Protection
  • On the left-hand side, select “Azure Active Directory” to open the Azure AD service.
  • Scroll down to the “Security” section and click on “Identity Protection”.

2. Configure Risk Policies

• Sign-in Risk Policy
  • Click on “Sign-in risk policy”.
  • Define when a user sign-in is considered risky and choose the level of risk you want to mitigate.
  • Decide the action (Allow access, Allow limited access, Block access).
  • Set the policy to “On” and save your changes.
• User Risk Policy
  • Go back to the main Identity Protection page.
  • Select “User risk policy”.
  • Similarly, determine when a user should be considered at risk.
  • Choose the appropriate response (Allow access, Allow limited access, Require password change).
  • Activate the policy by switching it to “On” and save.

3. Review and Remediate Risks

• Review Risky Users
  • From the main Identity Protection page, click on “Risky users”.
  • Here, you will see a list of users that have been identified as risky.
  • Investigate each user’s risk events to understand the nature of the risk.
  • Take appropriate remediation actions like reset passwords or revoke tokens.
• Review Risky Sign-ins
  • Select “Risky sign-ins” to see sign-ins that have been flagged as risky.
  • Analyze the sign-ins, looking at the sign-in location, device, and sign-in properties.
  • Take action if necessary, such as requiring Multi-Factor Authentication (MFA) or securing user accounts.

4. Configure Multi-Factor Authentication

• MFA Registration Policy
  • It’s a best practice to require MFA for users.
  • In Azure AD, navigate to “Users” and click on “Multi-Factor Authentication”.
  • Configure user settings for MFA including service settings and verification methods.
• Conditional Access Policies
  • Apply Conditional Access Policies for more granular control.
  • Define policies that trigger MFA based on certain conditions like user risk level, sign-in risk, or when accessing particular applications.
  • Assign the policies to the appropriate users and groups, and define the conditions and access controls.

5. Monitor and Alert

• Monitoring
  • Regularly monitor risk events and notifications.
  • Use the Azure AD reporting and monitoring capabilities to stay informed about identity risks in your environment.
• Alert Configurations
  • Set up alerts for specific events or thresholds within Identity Protection.
  • These alerts can be sent via email or integrated with other security systems using Azure Monitor.

6. Review and Refine

• Regularly review the effectiveness of your policies.
  • Adjust policies and controls as needed based on trends in your environment.
  • Stay updated with Azure AD Identity Protection capabilities as Microsoft regularly adds new features and detection capabilities.

Using Azure Active Directory Identity Protection is a dynamic process that requires consistent monitoring and management. By following these steps, setting up alerts, and regular policy reviews, you can help secure your organization’s identities against a variety of threats and risks.