Improvements to Azure AD Identity Protection have launched, making it easier to identify and manage identity risks in your organization.

What is Azure Active Directory Identity Protection?

Azure AD Identity Protection uses machine learning to identify signs of suspicious activity or issues that might cause you to have a compromised identity in your organization. We can use Azure Identity Protection to configure policies that impose conditions on sign-ins or users that are deemed risky by Microsoft 365. We can also use it to manage, investigate and remediate risk alerts when a suspicious sign-in or user is detected.

Azure Identity Protection can generate alerts based on the following risk events:

  • Atypical travel
  • Anonymous IP
  • Unfamiliar sign in properties
  • Malware linked IP addresses
  • Leaked credentials
  • Azure AD Threat intelligence (activities that match known attack patterns)

The leaked credential alert is especially useful because it will let you know whether some of your users have credentials that are exposed on the dark web or in another breach. We use this in conjunction with the Have I Been Pwned API to alert our customers to compromised credentials.

Where can I find Azure Active Directory Identity Protection?

  1. Sign in to portal.azure.com
  2. Open Azure Active DirectoryAzure Identity Protection In Azure Portal
  3. Scroll down to Security on the left rail
  4. Open Identity Protection.Open Azure Identity Protection

What’s new in Azure Active Directory Identity Protection?

Azure Identity Protection has been updated with new controls for managing, investigating and remediate issues with our identities.Azure Identity Protection Improved Controls

We can use these improved controls to manage risk events in bulk, easily confirming a compromised user or dismissing alerts. These new controls are handy for larger organisations who generate many alerts each day. Azure Identity Protection Managing User Risk Events In Bulk

For each alert, we can drill down and see more information on the user’s recent activities. We can see other user sign-ins and risk detections, as well as reset passwords, confirm compromise, block access and investigate further in Azure ATP. Choosing to investigate further opens up Cloud App Security, providing more insight into the user’s recent activities that contributed to the alert.Azure Identity Protection User Risk Event Details

What license do I need for Azure Identity Protection?

Azure Identity Protection is included in Azure AD Premium P2 license. Azure AD Premium P2 is available under the following licenses:

  • Azure Active Directory Premium P2  standalone SKU
  • Microsoft 365 E5
  • Office 365 E5
  • Enterprise Mobility Suite E5

You get some limited reporting on risky users, risky sign-ins and risk detections in Azure AD Premium P1, which is included in Microsoft 365 Business Premium.

Since Microsoft licensing can change, see here for up to date licensing requirements.