March 30, 2021 by
Category:

This tutorial is adapted from the Web Age course Azure IAM Advanced Training

Azure MFA Concepts

The security of MFA is a two-step verification lies in its layered approach.

Authentication methods include:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

 

Enabling MFA

Select the users that you want to modify and enable for MFA. User states can be Enabled,  Enforced, or Disabled. On first-time sign-in, after MFA has been enabled, users are prompted to configure their MFA settings. Azure MFA is included free of charge for global administrator security.

 

 

MFA and other identity management features

MFA is required in order to utilize advanced identity management features, such as:

  • Identity Protection (User risk and Sign-in risk)
  • Privileged Identity Management

Azure AD Identity Protection

Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts in the directory. Identity Protection provides organizations access to powerful resources to see and respond quickly to these suspicious actions.

 

Risk Events

Each detected suspicious action is stored in a record called a risk event.

  • Leaked credentials
  • Sign in from anonymous IP addresses
  • Impossible travel to typical locations
  • Sign-in from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activity

Risk levels

Identity Protection categorizes risk into three tiers:

  • low
  • medium
  • high

While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the user or sign-in is compromised.

Sign-in risk

The sign-in risk policy detects suspicious actions that come along with the sign-in. It is focused on the sign-in activity itself and analyzes the probability that the sign-in may not have been performed by the user. The sign-in risk checks for things like whether a user has signed in from an unfamiliar location or an unfamiliar IP address. You can then choose to require MFA for users based on the risk level of their sign-ins. 

These risks are calculated using threat intelligence sources including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.

  • Anonymous IP address (e.g. ToR browser or anonymous VPN)
  • Atypical travel/Impossible travel/New country
  • Malicious IP address
  • Admin confirmed user compromised

Sign-in Risk Policy

It is applied to all browser traffic and sign-ins using modern authentication. It automatically responds to a specific risk level. It provides the condition (risk level) and action (block or allow). It targets all policies to specific users – omits certain types of users.

User Risk

The user risk policy detects the probability that a user account has been compromised. Risk events require the recording of a user’s activity over a length of time so that it’s possible to detect abnormalities. You can then choose to block access to users based on their risk levels. User risk is typically determined based on leaked credentials.

Microsoft finds leaked credentials in a variety of places, including:

  • Public paste sites such as pastebin.com and paste.ca.
  • Law enforcement agencies.
  • Other groups at Microsoft doing dark web research.

User Risk Policy

It is Applied to user sign-ins. It provides the condition (risk level) and action(block or allow). It automatically responds based on a specific user’s risk level. It uses a high threshold during policy roll-out. It uses a low threshold for greater security. 

Risky Sign-ins Report

The risky sign-ins report contains filterable data for up to the past 30 days (1 month).  With the information provided by the risky sign-ins report, administrators can find:

  • Which sign-ins are classified as at risk, confirmed compromised, confirmed safe, dismissed, or remediated.
  • Detection types triggered
  • MFA details
  • Device information
  • Application information
  • Location information