In my previous blog post Field Notes: Azure AD Identity Protection we looked at the administrator perspective on Identity Protection. The focus was how to protect your corporate accounts.
In this blog the focus is the end-user (employee and IT staff) experiences.
The experiences I want to share are:
- Suspicious Activity
- User with a high-risk classification
- Behavior observed with Azure AD Password-less sign-in.
When an employee uses a browser or modern authentication, this dialog will appear, when the conditions of a risky sign-in have been detected:
Risky sign-ins are medium-risk events. Example triggers for events are:
- Signing-in from two separate locations in the world with an impossible travel time. However, this can also be detected, when a corporate VPN is used and it forces all internet traffic through the tunnel. Another false positive might be detected when using remote systems in datacenters located in another location. Please note that 'location' in Identity Protection-speak is usually in the scale of a small country or US state.
For example: 10:10 am sign-in from Amsterdam and on 10:15am a sign-in from Redmond, WA in the USA.
- Using a VPN connection, proxy or browser to anonymize your real IP location. NordVPN and the Tor browser are great examples and we use them to demo Identity Protection detections effectively.
- Connecting from a public IP address with a bad reputation, due to infected machines at that location. For example, connections from internet cafes and public hotspots.
Employee with a high-risk classification
When an employee meets the threshold of medium events or the situation score calculation algorithm generates a high score, the user will be blocked from access, by default.
The user feedback I received, is that the authenticator app gives an error message, and tells the end-user to contact the systems administrator. Microsoft Office Outlook will not connect on your machine.
The only way to know what is going on is to use a browser to sign into the Office 365 environment, for example.
Depending on your tenant's Identity Protection configuration, an employee can validate and reset the password to his or her account or be blocked until an administrator forces a password reset for the affected user account.
Note: Microsoft has added the ability to do a self-service password reset via the Authenticator app. This paves the way for resolving high-risk events from within the Microsoft Authenticator app, if the policy allows end-user reset in a high risk situation.
Azure AD Password-less sign-in
If you have configured Password-less sign-in with Azure AD, the user experience is different, when it comes to risky sign-in sessions. The end-user will not be shown a prompt that the sign-in session is calculated to be risky. A mere alert will be generated in Azure AD Identity Protection and depending on the configuration, sent to the IT staff for notification. The event itself will be automatically closed, because multi-factor authentication is performed.
IT Staff experience
Out-of-the box alert
In all three cases above, Azure AD Identity Protection will generate an alert e-mail that a risky event has occurred. This alert is sent to the configured mail recipients. The message itself does not contain the actual account information or threat level. In order to consume this information, you need to sign-in the Azure AD Identity Protection portal.
The message the IT staff receive is shown below:
If the security teams wants faster insights, they should leverage the Graph API and create an automation option to retrieve the Azure AD Identity Protection data. This option is documented here. An example output is shown below, using the PowerShell code provided in the Microsoft documentation:
Using the Graph APU enables the IT/security staff to retrieve detailed information on security events, directly from the tenant. This enables automation and faster insights into what is going on. An automation example is a query is formatted to a readable event for the organization's SIEM solution or Log Analytics.
Processing a risk event
Azure AD Identity Protection has three levels of administrator access.
|Role||Able to do||not able to do|
|Global Administrator||Full access to Azure AD Identity Protection, Onboard Azure AD Identity Protection|
|Security Administrator||Full access to Azure AD Identity Protection||Onboard Azure AD Identity Protection, reset passwords for a user|
|Security Reader||Read-only access to Azure AD Identity Protection||Onboard Identity Protection, remediate users, configure policies, reset passwords|
The minimum level IT staff personnel need to process the security events and give back control to the end users, is to be assigned the Security Administrator role to gain access to Azure AD Identity Protection. Additionally, they need the User Administrator or Password Administrator role to reset passwords for affected users for them to regain access to the company resources.
In a event of a blocked user, the IT admin has two choices after reviewing the security events first for the affected user.
- When the events are legitimate, they can force a reset of the user password and provide the end-user with the new temporary password.
- When event are false positives, they can mark them as such in the web portal, so Azure AD machine learning can learn from it and lower the security score of the end-user in the process.
A better approach
The information that Microsoft supplies in case of a high risk event is minimal for an end-user. He or she is not properly informed on what is going on and what steps to take.
From a service desk/IT staff perspective, the information alert mail doesn’t contain direct information. It is not directly useful to prioritize the event. To gather the actual information, the IT admin needs to login and lookup the event. This takes time. Depending on the workload, it may not always be visible straight away.
The combination of the above two experiences is that when an employee contacts the service desk, time is lost with troubleshooting, because the error is not properly shown from the end-user interface, unless when using a browser.
A solution here, would be an automation script that runs in the background and registers an incident in the ticket system and an event for SIEM, based on the employee information and give it a high priority. In addition to that, a separate e-mail can be sent to the security staff with more detail. Also a brief e-mail can be sent to the service desk to be informed that a user is blocked.
This way, service desk personnel can be properly informed and can even pro-actively contact the effected employees and guide them through the process.
Don't waste valuable time troubleshooting risky sign-ins and high-risk events that block employee sign-ins. Get the pro-active edge.