Azure AD Identity Protection

1. Introduction to Azure AD Identity Protection

So there are three main things that you're going to get out of this. The number one thing is the ability to automate the detection and remediation of your identity-based accounts at risk. So the goal here is to basically detect an attack that has occurred against an account and then also deal with that threat. And ideally, of course, as it's happening, you want a way to deal with it. You want a system that can do this automatically. We administrators are obviously not always present when this type of thing goes on, and we're not there standing over the shoulder of the user to detect that something fishy is happening. And in some cases, a lot of these threats will occur in the middle of the night when we're asleep. So it's important for us to have a way to auto-detect these threats and try to stop them before they happen. Another feature that you get is the ability to investigate these risks, to find information about what's going on, try to discover who your risky users are, the ones that are being attacked, and get a feel for the things going on in your environment regarding this threat. Another thing we need to be able to do is export data to possibly use with third party tools like logging tools or aggregating tools such as Seam or SIM. If you're familiar with splunk and products like that, So it's important to have a way to do that as well, because we can find patterns and do pattern recognition if we've got all this data aggregated in one place. So of the identity risk detection engines that thisfeature uses, the first one is called heuristics,if you're not familiar with that term, heuristics. Heuristics involve learning from experience. So essentially, with heuristics, the system is monitoring the things that the user is doing. And with machine learning, it can actually look at the times of day the user logs on, look at where the user logs on from, and the way the user goes about doing their job in the Microsoft 365 environment and it can help it make decisions. Another method is the Microsoft Partner products. So there are third-party products that work in conjunction with Microsoft systems, with which Microsoft has partnered, and this detection can also occur. Now there are two big types of risk that we're looking at, and this is going to correlate with your risk policies. We're going to take a look in the next video. The first is called a user risk. This is the probability that an identity is compromised. So user risk gets into the fact that it's probably a guarantee that a user identity has been compromised. Meaning, somebody has gotten the credential information of a particular user and could potentially try to log on and get access to that user. The second is called a sign of risk. A sign-in risk is the probability that a sign-in is compromised. Now this is more along the lines of a real time look at something that's going on. So real time looks like a decision based on real time, meaning this is happening right this very minute, right this very second. You have aggregate as well, which is based on real time and non-real time. So it looks at the past for this sign, and then it looks at what's going on right now and the system makes a decision based upon the past and the present. Okay, so those are your two different risk types. We're going to be looking at the policies for that here. Coming up now, what is the risk being detected? So here are some of the things that we've got. We have unusual travel. So that would be sort of like if a user is logging on in New York City and then 5 minutes later, let's say that same user account attempts to log on in Los Angeles. Okay, that's impossible, right? That's atypical travel. Another thing would be an anonymous IP address. This is where somebody is trying to log on and they're trying to hide their IP information through something like Tor. So the system is going to try to catch that and detect, hey, this is probably a risk based on the IP address they're using. Another would be an unfamiliar sign in properties. So with unfamiliar sign-in properties being different methods that a user has normally used, maybe they're usually logging on to a portal and this time they're logging on to an app that they've never used before. You have a malware linked IP address. This is an environment in which Microsoft malware detection has previously detected malware from a specific IP address, and someone attempting to log on from that IP address has leaked credentials. So leaked credentials being a credential, somebody's got access to somebody's credentials in the past. So at that point, those credentials become a higher threat. And then finally, you have Microsoft's AzureAd threat intelligence, which I've mentioned before. Microsoft has hundreds of security professionals that are actuallyoverseeing their Azure services, and from there they can flag certain methodologies that people are using to get access to something as a threat. So that's their threat intelligence system. Risk Investigation Another piece of this is that we can do risk investigation. We can generate reports and look at actual reports of risky users. These would be users that are considered at a higher risk based on some of the things that they've done. Like again, users who usually work nine to five, but these users have been logging on at 02:00 in the morning or at their IP locations. All of that and then you get risky sign-ins. Same kind of deal. Except this is focused on the chances that based upon a sign on and how that sign on happened, whether or not it's considered a risk, and then finally, you can just look at risk detection in general and that just kind of pulls it all into one place and it's all centralised for you to look at based upon risky users as well as risky signing. So Microsoft does provide us with some great little reports that we can look at, and we can look at all this in real time. I'm

2. Demonstration of using Azure AD Identity Protection

We're now going to take a look at the Azuread identity protection system in the Portal dot Azure.com. So to start with, I'm going to go up to the menubar here and we're going to go to all services and we're going to search for Azure ad identity protection. Okay, you'll see identity protection show up in the list, and you go ahead and click on that. Okay, From there, we'll take a look over here on the left at some different blades that are available to us. So the first one is the user risk policy. So we're going to click on that. All right. And these are the parameters that have been defined for your user risk policy. So the first order of business would be to select the users that you're actually wanting to sign this to by default. You can see here I've got all the users, but I could add a group of users that I want, and I could add exclusions if I wanted. I'm going to do all users, so I'm going to leave. That is the way it is. The second thing is conditions. So we're going to go to conditions, and at this point you select a risk level based upon the actual user that's possibly at risk. So this is a decision made based on everything we discussed in the previous video, where it determines whether something is low risk, medium risk, or high risk. And this is a system based on an algorithm that Microsoft has created. Now in my case, I'm going to say high risk. So we're going to be looking for something that's flagged as a high risk. So chances are it is definitely a compromised account and then we'll hit select and we'll hit done. From there, we're going to look at the access and this is going to be what we're going to do. Now we have block or we have allow, but if we choose to do allow, we're going to make the user do a password change, okay? Because chances are, if this is a high-risk account, the user really has had their account compromised and we would require a password change. Or if you just want to flat out block the user, you can block the user. Okay? And at that point, I would enforce the policy that is going to turn this on and I would click save. So you can see, configuring your user risk policy is pretty easy. Let's take a look at the sign-in policy. Sign up for a risk policy. So we'll click on that same kind of deal. You would select your users here, specifying if you wanted to do groups. Okay? And I know I've said this previously, but as far as inclusion and exclusion, if you add a group of users to include and then you add a group of users to exclude, the exclusion will override the inclusion. So if the users are in both groups, the exclusion would essentially take over. Okay? So from there, we're going to go ahead and set our conditions here. We'll set that to high, click select, and then done. And then we're going to go to Control Access. Now, with Control Access, we can choose to block or allow access to a sign inrisk. And if we choose Allowit, it says it requires multifactor authentication. In other words, if it is deemed a sign inrisk, what will happen to the user is unknown. You're going to be forced to perform an MFA. Keep in mind, if the user does not support MFA, then it's just going to block the user. So the user does have to be signed up to UtilizeMFA and have an MFA licence in order to do that. Okay? So I'm going to do allow on this one, but I'm going to require MFA. Okay, And then at that point, I would enforce the policy by clicking save. Speaking of which, if you wanted to go further,I know I've discussed MFA, but here's an MFAregistration policy you can look at as well. But here's the little report I was also talking about. So you have risky users. You can see if you've got any risky users that have logged in. And as you can see, I don't. I also have the ability to download this little report if I want to put it in a little CSV file for you. All right. You can also filter this report. So if you had a very long list of users here that was listed, you could filter, show certain dates, the risky states, all that. So then we've got risky sign-ins right here. This will show you any risky events that have occurred. same kind of deal. You can filter it if you want. You can export the data, download the data, and then lastly, we have risk detection. This is going to show everything in general over bydefault, as you can see the last seven days. But of course, if I wanted to, I could alter these filters, change this around, and sort by detection time, user IP address, location, all that stuff if I wanted to. So it's actually really easy to see the differences that are going on in your environment. Of course, in my little trial environment here, as you can see, I don't have much going on, but I'm definitely in a legit environment. If you are actually managing a Microsoft 365 environment, I encourage you to go and check out these objects here to see what risk you've got in your environment. All in all, I hope you'll find that Azure Ad identity protection is a pretty easy system to manage and control. It's just a matter of going and finding the right blade. You're looking for a user risk policy, a sign and risk policy, and to enable the conditions you want.

3. Stepping through the hands on tutorial for Azure AD Identity Protection Policies

I now want to go through the tutorial with you guys on Azure Ad Identity Protection. So in this little tutorial, we're going to set our User Risk Policy up for all users to hide. We'll put our sign in allow mode, requiring MFA. So those are going to be our steps in this little tutorial that we're going to practise for hands-on. And then, of course, you'll get a chance to try this out as well. Okay, so I'm going to go ahead and hit start. And we would be going to Azure.com in our web browser. At that point, I'm going to click the menu button here and I'm going to search by going to all services. We're going to put the keywords in Azure Ad Identity Protection. And we're going to select Azure AD Identity Protection. We're going to go to a user risk policy. I've got it already. set to all users, so I don't have to edit that. But my conditions, I'm going to click on conditions. We're going to switch the user risk to high. Click to select, then click done. And then we're going to set the control access to block, click select. And then we're going to enforce the policy. Click Save. Alright? That finishes the User Risk policy side of things. The next step would be the sign-in risk. So we're going to click on Sign inRisk Policy, click the conditions, we're going to set the conditions to high Set the control access to allow for this time. And we're going to require MFA, which is going to default to being on. And we're going to click select, make sure the policy is enforced, click save, and we're done. So again, as you can see, configuring AzureAd Identity Protection policies is pretty straightforward. It's not something I think that you'll struggle with too much there. There aren't too many features that you have to alter or change there. Pretty straightforward. The hardest part of it really is just finding your way to the right place. Right. So it's pretty straightforward though. And you guys can give that a shot.

ExamSnap's Microsoft MS-500 Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Microsoft MS-500 Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.