Using Azure Active Directory Identity Protection to boost your security

In one of my previous articles, the focus was on how to enable and protect collaboration tools like Microsoft Teams during the lockdown or restrictive mode that most countries are going through. Those articles were intended to speed up getting those solutions implemented. However, they are not a silver bullet: each environment is unique, and you need to use them as a guideline for your own implementation. In this article, we are going to cover Azure Active Directory Identity Protection and how it can increase your security posture. It helps you protect some of the most critical areas in the cloud era, your data and your users' privacy, by allowing only secure connections from non-compromised accounts.

Adding Azure AD Premium to your tenant

Identity Protection is part of the Azure AD Premium P2 license. There are several ways to assign a license to your Azure AD tenant. The orthodox approach is to go to Azure Active Directory and then Licenses. In the new blade, click on All products (Item 1), and a list of all licenses and their assignments will be displayed. To add a new one, click on + Try/Buy (Item 2), then expand the desired plan/feature in the list and click on Activate (Item 3).

Managing Azure Active Directory Identity Protection features

Before going to the policies available in Azure AD Identity Protection, we should explore the Overview, which is the initial page. It shows the number of risky users (Item 1) and risky sign-ins (Item 2) at a glance, as well as the Identity Secure Score (Item 3), which helps you track your progress toward a better security posture.

The Identity Secure Score blade shows the current Secure Score based on the current settings and how it has progressed over the last X days (by default seven days, but we can change it to 30, 60, or 90 days).

A list of all items being evaluated is shown under Improvement actions. Every improvement has a score impact, a current score, and the maximum score we can get for it. The tool also provides the implementation cost and status (which can be default, ignored, or third-party).

When we click on a specific recommendation, we can see the numbers behind the score, change its current status, and read information about the recommendation and how to configure it.

You may not have noticed, but in the first line of the Identity Secure Score, there is a link to access the Microsoft Secure Score. When we click on that link, a new page located in the Microsoft 365 Security Portal will be displayed.

That new page has most of the information we have seen in the Identity Secure Score blade, but with a better view and integrated with other components of the platform.

We can access it at any time in Office 365 by clicking on the Secure score (Item 1). All data from Identity Protection is summarized in the section Identity (Item 3). We can see individual recommendations and history by accessing the menu on Item 2, and a similar graph of the improvement of your posture can be seen on Item 4.

Managing user risk and sign-in risk policies

Before configuring the policies around those two critical topics, we need to understand what they are. A lot of data is captured from each authentication attempt. Identity Protection evaluates the risk using that information together with internal and external threat intelligence tools and data from Microsoft and trusted partners, including Dark Web content.

A sign-in risk evaluates whether the authentication being performed is coming from the legitimate end-user. The risk is calculated using several data sources, such as malicious/anonymous IP addresses, unfamiliar sign-in properties, and impossible or atypical travel, to mention a few. The higher the risk, the more likely it is that a bad actor is trying to authenticate instead of the real user.

A “user risk” is based on Microsoft threat intelligence: it is raised when the user's credentials have leaked on the Dark Web, or when the pattern used to authenticate matches a known attack that Microsoft is aware of from its threat intelligence analysis.

The policies are simple to configure: we select the users affected by the policy (“all users” is a good start), the condition (the risk level that triggers the policy: low, medium, or high), and a control. The control for user risk has the values “allow” or “block,” and when allow is used we can require a password reset. The control for sign-in risk also offers allow or block, but here we can require MFA in the allow policy.
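To make the policy semantics concrete (a policy set at “medium” also applies to “high”, and a password change is paired with MFA), here is an added Python example that is not from the article: it builds the two policies in the shape of Microsoft Graph's risk-based Conditional Access policy objects and evaluates constructed sample sign-ins against them. The user names, the combined `riskLevelDuringSignIn`/`userRiskLevel` record layout, and the policy display names are assumptions for the illustration.

```python
"""Simulate Azure AD Identity Protection risk policies against sample sign-ins.
Added illustration, not code from the article; the policy dictionaries mirror the
shape of risk-based Conditional Access policies in Microsoft Graph, and the sample
records are constructed, not real tenant data."""

# Azure AD risk levels from lowest to highest; "none" means no risk was detected.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def levels_at_or_above(threshold):
    """A policy set to one level (low/medium/high) also covers every higher level."""
    floor = RISK_ORDER[threshold]
    return [lvl for lvl, rank in RISK_ORDER.items() if rank >= floor and rank > 0]


def _policy(name, condition_key, threshold, operator, controls):
    """Build one risk-based Conditional Access policy applying to all users and apps."""
    return {
        "displayName": name, "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       condition_key: levels_at_or_above(threshold)},
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


def sign_in_risk_policy(threshold="medium"):
    """Allow the sign-in but require MFA once sign-in risk reaches the threshold."""
    return _policy("IP sign-in risk", "signInRiskLevels", threshold, "OR", ["mfa"])


def user_risk_policy(threshold="high", block=False):
    """Block, or allow with a forced password change, once user risk reaches the threshold."""
    # A password change is only safe after MFA proves the user, so both are ANDed.
    controls = ["block"] if block else ["mfa", "passwordChange"]
    return _policy("IP user risk", "userRiskLevels", threshold, "AND", controls)


def evaluate(sign_in, si_policy, ur_policy):
    """Return the controls the two policies would apply to one sign-in attempt."""
    required = []
    if sign_in["riskLevelDuringSignIn"] in si_policy["conditions"]["signInRiskLevels"]:
        required += si_policy["grantControls"]["builtInControls"]
    if sign_in["userRiskLevel"] in ur_policy["conditions"]["userRiskLevels"]:
        required += ur_policy["grantControls"]["builtInControls"]
    return ["block"] if "block" in required else sorted(set(required))


# Constructed sample: risk of the attempt itself plus the user's current user risk.
SAMPLE_SIGN_INS = [
    {"upn": "alice@contoso.example", "riskLevelDuringSignIn": "low", "userRiskLevel": "none"},
    {"upn": "bob@contoso.example", "riskLevelDuringSignIn": "medium", "userRiskLevel": "none"},
    {"upn": "carol@contoso.example", "riskLevelDuringSignIn": "none", "userRiskLevel": "high"},
]
```

Changing the thresholds or the `block` flag and re-running `evaluate` over the sample shows which users a stricter policy would start to challenge or lock out before you roll it out to “all users”.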

The third item, the MFA registration policy, lets you force MFA registration for end-users. By doing that, you have your users registered before deploying MFA requirements in future service/feature releases. We covered this feature in detail in my article about Teams and MFA here at TechGenix.

Reporting capabilities using Azure Portal

After enabling the feature and configuring the policies, the cloud administrator can see all the activity in the Report section (Item 1). We can see risky users and risky sign-ins in detail, as well as risk detections.

The cloud administrator can retrieve more information about each risk, including useful details that depend on the type of risk, and all risks will be listed (Item 3). An action can be taken, such as confirming that a user has been compromised, dismissing the detection as a false positive, resetting the user's password, or blocking the sign-in.

If there is a need to check a specific user, then the Sign-ins item (Item 1) under Activity is going to be useful. From there, a list of all attempts is available (Item 2), and we can check whether the user went through Conditional Access and retrieve all the information about that attempt, including device, location, authentication details, Conditional Access, and more (Item 3).

Reporting and notification through email

We can configure email alerts based on the severity of the risk detected. The recipient can be an existing user in Azure Active Directory or an external email address.

We can also configure a weekly digest with a summary of all the risks detected.

Azure Active Directory Identity Protection for extra security

In this article, we covered the essentials to get Azure Active Directory Identity Protection configured when using the Azure Active Directory Premium P2 offer. We can use user risk and sign-in risk together with Conditional Access as an extra layer of security when evaluating users who authenticate in your environment to access your applications.


Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services. Besides the Microsoft Award, he also holds a Solutions Master (MCSM) in Exchange, CISSP, and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, Twitter, forums, and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).
