Conditional access policies for Identity Protection: User at Risk and Risky Logon
Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that provides customers with a consolidated view into risk events and potential vulnerabilities affecting an organization's identities. Identity Protection leverages Azure AD's existing anomaly detection capabilities (available through Azure AD's Anomalous Activity Reports) and introduces new risk event types that can detect anomalies in real time.
• Detect risk events and risky accounts (detect 6 types of risk events using ML and heuristic rules)
• Provide recommendations to improve security posture
• Send notification of risk events
• Provide easy access to remediation actions
• Apply Conditional Access Policies
Benefits
• Gain insights from a consolidated view of machine learning based threat detection
• Provides remediation recommendations, helps prioritize actions
• Risk severity calculation represents the likelihood of an account compromise
• Risk-based conditional access automatically protects against suspicious logins and compromised credentials
There are two types of policies: a User Risk Policy and a Sign-In Risk Policy.
A sign-in risk policy is a conditional access policy that evaluates the risk to a specific sign-in and applies mitigations based on predefined conditions and rules.
A user risk security policy is a conditional access policy that evaluates the risk level to a specific user and applies remediation and mitigation actions based on predefined conditions and rules.
User at Risk:
A "User at Risk" typically refers to a specific user account that exhibits suspicious or abnormal behavior. This could be due to various reasons, such as a compromised account, a user attempting to access resources outside their usual patterns, or a user account showing signs of being targeted for a cyber attack.
Alerting: When a user account is flagged as "at risk," the IAM system or security monitoring tools generate an alert to notify administrators or security personnel of the suspicious activity. The alert will include information about the user account, the observed risky behavior, and relevant timestamps.
Governance Actions: The governance actions taken in response to a "User at Risk" alert may include immediate steps to protect the account and associated resources. This could involve temporarily disabling the account, requiring a password change, initiating a multi-factor authentication (MFA) challenge, or restricting access to sensitive resources until the issue is resolved. An investigation into the root cause of the risk may also be initiated to identify any potential vulnerabilities or breaches.
Risky Logon:
A "Risky Logon" refers to a specific login event that shows signs of suspicious or unauthorized access attempts. This might involve multiple failed login attempts, logins from unusual locations or devices, or login attempts outside of regular business hours.
Alerting: When a "Risky Logon" is detected, the IAM system or security tools raise an alert to inform administrators or security teams about the potential unauthorized access attempt. The alert will contain details about the specific login event, such as the source IP address, device information, and the user account involved.
Governance Actions: The governance actions in response to a "Risky Logon" aim to prevent potential unauthorized access. Depending on the organization's security policies and risk assessment, the actions might include blocking the IP address associated with the risky login, prompting the user to verify their identity through additional authentication steps, or even suspending the account temporarily until the legitimacy of the login attempt is verified.
In summary, the key difference is that a "User at Risk" refers to a potentially compromised or targeted user account, while a "Risky Logon" refers to suspicious login activities. The alerting and governance actions are tailored to the specific nature of the threat in each scenario, with the ultimate goal of safeguarding the organization's data and resources.
Risky Logon Management Options
Policy Assignment
The policies can be scoped to apply to all users or to certain groups in the organization. It is possible to exclude individual users or groups.
Policy Conditions
Both User Risk and Sign-In Risk policies allow setting the minimum risk level that triggers the policy, from Low up to High.
Policy Controls
User Risk Policies: either block access or allow access but require a password change.
Sign-In Risk Policies: either block access or allow access but require multi-factor authentication.
Policy Impact
It is possible to measure how many users will be blocked or challenged for MFA based on the groups selected and the users flagged at risk at the time the policy is created.
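As an added example (not code from this article or from Microsoft), the following Python models how the assignment, conditions, controls and impact options above fit together: a policy scoped by include/exclude groups, a minimum risk level, and a control, evaluated against a constructed sample directory to produce the same kind of blocked/challenged counts the Policy Impact view reports. The Medium level between Low and High, the group names and the accounts are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Risk levels from least to most severe; a policy fires at or above its minimum level.
RISK_LEVELS = ["low", "medium", "high"]

@dataclass
class RiskPolicy:
    kind: str                 # "user" (User Risk Policy) or "signin" (Sign-In Risk Policy)
    minimum_risk: str         # policy condition: "low", "medium" or "high"
    control: str              # "block", "password_change" (user) or "mfa" (signin)
    include_groups: Set[str] = field(default_factory=set)  # empty set means all users
    exclude_groups: Set[str] = field(default_factory=set)
    exclude_users: Set[str] = field(default_factory=set)

@dataclass
class User:
    upn: str
    groups: Set[str]
    user_risk: str = "none"    # aggregate risk of the account
    signin_risk: str = "none"  # risk of the current sign-in

def in_scope(policy: RiskPolicy, user: User) -> bool:
    """Policy Assignment: exclusions win, then include groups (or everyone) decide."""
    if user.upn in policy.exclude_users or user.groups & policy.exclude_groups:
        return False
    return not policy.include_groups or bool(user.groups & policy.include_groups)

def risk_meets_threshold(level: str, minimum: str) -> bool:
    """Policy Condition: 'none' or an unknown level never triggers the policy."""
    if level not in RISK_LEVELS:
        return False
    return RISK_LEVELS.index(level) >= RISK_LEVELS.index(minimum)

def evaluate(policy: RiskPolicy, user: User) -> str:
    """Return 'not_in_scope', 'allow', or the policy control that applies."""
    if not in_scope(policy, user):
        return "not_in_scope"
    level = user.user_risk if policy.kind == "user" else user.signin_risk
    return policy.control if risk_meets_threshold(level, policy.minimum_risk) else "allow"

def policy_impact(policy: RiskPolicy, users: List[User]) -> Dict[str, int]:
    """Policy Impact: how many users each outcome would hit if the policy were enabled now."""
    counts: Dict[str, int] = {}
    for u in users:
        outcome = evaluate(policy, u)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts

# Constructed sample directory (fictional accounts and groups).
SAMPLE_USERS = [
    User("alice@contoso.example", {"Finance"}, user_risk="high", signin_risk="medium"),
    User("bob@contoso.example", {"Engineering"}, user_risk="low", signin_risk="high"),
    User("carol@contoso.example", {"Finance", "BreakGlass"}, user_risk="high", signin_risk="high"),
    User("dave@contoso.example", {"Engineering"}),
]
USER_RISK_POLICY = RiskPolicy("user", "medium", "password_change", exclude_groups={"BreakGlass"})
SIGNIN_RISK_POLICY = RiskPolicy("signin", "high", "mfa", include_groups={"Engineering"})
```

Running `policy_impact(USER_RISK_POLICY, SAMPLE_USERS)` shows one password change, two allowed and one excluded account, which is the check to run before switching a policy from report-only to enforced.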
Policy Alerting
It is possible to send emails alerting on user risks to security admins, security readers or global admins. Weekly emails with a summary of users at risk, risk events and vulnerabilities can also be sent.
Policy Governance Actions
Users can be allowed access when a certain risk level is identified, but are then required to complete MFA and a password change (User Risk Policies). If the account was blocked by policy, the user will need to contact admins to perform the unlock.
Other manual actions are dismissing all alerts and performing a password reset.