Identity Protection is a tool that allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to third-party utilities for further analysis.
- Breach replay:
- Password spray:
- Phishing:
Identity Protection identifies risks in the following classifications:
Investigate
Risky users
With the information provided by the risky users report, administrators can find:
- Which users are at risk, have had risk remediated, or have had risk dismissed?
- Details about detections
- History of all risky sign-ins
- Risk history
Administrators can then choose to take action on these events. Administrators can choose to:
- Reset the user password (Not Security Administrator)
- Confirm user compromise
- Dismiss user risk
- Block user from signing in (Not Security Administrator)
- Investigate further using Azure ATP
Risky sign-ins
The risky sign-ins report contains filterable data for up to the past 30 days (1 month).
With the information provided by the risky sign-ins report, administrators can find:
- Which sign-ins are classified as at risk, confirmed compromised, confirmed safe, dismissed, or remediated.
- Real-time and aggregate risk levels associated with sign-in attempts.
- Detection types triggered
- Conditional Access policies applied
- MFA details
- Device information
- Application information
- Location information
Administrators can then choose to take action on these events. Administrators can choose to:
- Confirm sign-in compromise
- Confirm sign-in safe
Best Practice - Self-Remediation with Risk Policy
By allowing users to self-remediate, with Azure Multi-Factor Authentication (MFA) and self-service password reset (SSPR) in the risk policies, they can unblock themselves when risk is detected. These detections are then considered closed. Users must have previously registered for Azure MFA and SSPR in order to use when risk is detected.How to manually remediate risks and unblock users
There is an option to enable automated remediation using risk policies, such as MFA or Change password (SSPR - Self-Service Password Reset) to remediate risks. For some reasons, if MFA and Require Change Password options are not available for your organization, but Risk policy has been enabled to block user's access. Here are some manual process :1. User blocked by User Risk Policy
step 1. Since user wont be able to log in using blocked AD account , user has to call into helpdesk to request unblock. After unblock, helpdesk will execute a manually password reset and pass password to user by phone.
Step 2. Security admin contacted by helpdesk will need to investigate and take further action, such as dismiss user risk, which confirms to Azure AD that the user is not compromised. User Risk will be reset to none. All risk on this user and past sign-in will be closed.
Step 3. User should be able to sign in now.
Step 3 option: Exclude user from policy or disable policy.
2. user blocked by Sign-in Risk Policy
Step1. User will not be able to sign in certain o365 apps.
Step2. User contact helpdesk by phone or email to report issue and get support
Step3 Security admin confirm sign-in safe, which will set Risk level to none and reverse its impact on the user risk.
Step4. User should be able to sign -in again .
Optional step 3, exclude user from sign-in policy or disable sign-in policy. How long should we wait once add user into exclusion policy or disabled policy?
References
via Blogger https://ift.tt/3nQyGnQ
October 13, 2020 at 04:41PM Cloud